Information Security News mailing list archives

Oracle 9i Database, Ap Server bust six ways to Sunday


From: InfoSec News <isn () c4i org>
Date: Tue, 18 Feb 2003 02:45:01 -0600 (CST)

http://www.theregister.co.uk/content/53/29360.html

By John Leyden
Posted: 17/02/2003 

Oracle admins are in for a busy time with the publication of no less
than six vulnerabilities over the last week.

Four of the vulnerabilities are buffer overflow flaws affecting
various components of Oracle9i Database Server. Then there are two
flaws affecting Oracle9i Application Server, which pose denial of
service risks... or worse.

Some are potentially very nasty indeed. Oracle describes them as
critical and that's not the half of it...

The buffer overflows in Database Server involve: the ORACLE.EXE
binary, the TO_TIMESTAMP_TZ function, the TZ_OFFSET function and
the DIRECTORY parameter of Oracle9i Database Server.

These are explained in greater depth in the BugTraq advisories linked
to above and the security section of Oracle's Web site.

The web site also refers to two Oracle9i Application Server
vulnerabilities (involving the DAV_PUBLIC Directory and the mod_oradav
Module).

All vulnerabilities were posted to BugTraq, and patches published by
Oracle, last weekend. Over the weekend security researchers have been
digesting these reports, and coming up with some potentially
unsettling conclusions.

David Litchfield, of NGSSoftware, the security firm that has carved
something of a niche for itself in unearthing Oracle flaws (and did
the lion's share of the work this time too), tells us the majority of
the Oracle9i Database Server flaws require an attacker to have a valid
user name and password.

So the greatest risk here comes from a buffer overflow glitch within
the Database Server's authentication process, which a post from
NGSSoftware to BugTraq today explains in much greater depth. Various
flavours of Database Server (8i, 8.1.7, 8.0.6) as well as Oracle9i are
potentially vulnerable to this attack, according to NGSSoftware.

Combine that with an Oracle9i Application Server Format String
Vulnerability, and we have a way an attacker might gain control of Ap
Server and get around whatever firewall rules might otherwise guard
against attacks on (potentially vulnerable) Database Servers.

Oracle describes this as only a denial of service risk but the issue,
albeit tricky to exploit, seems to go deeper than this would
suggest.

Litchfield, in masterly understatement, says these various
vulnerabilities "need attention".

Once again: Oracle's patches can be obtained via links on its Web site
here [1].

[1] http://otn.oracle.com/deploy/security/alerts.htm



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

