Oracle 8i TNS Listener Buffer Overflow Vulnerability (other, defective)
A significant vulnerability has been discovered in Oracle 8i that allows attackers to execute arbitrary code
Description:
The Oracle 8i TNS (Transparent Network Substrate) Listener is responsible for establishing and maintaining remote connections between clients and Oracle database services. A buffer overflow vulnerability was found in the Listener. An attacker who successfully exploited this vulnerability would be able to execute arbitrary code on the database server.
Worse, the buffer overflow occurs before validation, which means that a Listener with the password protection mechanism activated is also affected.
The TNS Listener processes client connection requests and establishes a TNS data connection between the client and the server; by default it listens on TCP port 1521. Specific commands can be sent to the daemon to manage and monitor the Listener. Commands such as "Status", "ping" and "Services" return the Listener's configuration and connectivity information, while "Trc_file", "save_config" and "reload" can be used to change the configuration of the Listener.
A buffer overflow occurs when the parameters of any command contain overly long data. The client sends only one TYPE-1 (NSPTCN) packet, which contains a correct NET8 header and the constructed command string containing the attacker's code. Although it is possible to limit the TNS Listener administrator commands to trusted users by activating the password authentication mechanism, the vulnerability can still be exploited through commands that do not require a password to be validated, such as "STATUS". Also, by default, the validation mechanism is not activated.
Parameters such as "service", "version", "User" and "Arguments" can be used to trigger the buffer overflow.
Under Windows, an attacker could execute code with "LocalSystem" privileges by leveraging SEH (Structured Exception Handling).
Under UNIX, the Listener daemon is started by the "oracle" user, which means that the attacker can obtain database administrator privileges.
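Added example (not part of the original advisory and not Oracle code): a Python check that flags Listener command strings whose "service", "version", "User" or "Arguments" values are unusually long, or whose parentheses are unbalanced. The 64-character limit, the function names and the sample strings are assumptions constructed for illustration; the input is the command string as a network sensor would extract it from a TYPE-1 packet.

```python
import re

# Parameter names the advisory lists as overflow triggers.
WATCHED = {"SERVICE", "VERSION", "USER", "ARGUMENTS"}
# Assumed ceiling for a legitimate value; tune to your environment.
MAX_VALUE_LEN = 64
# Innermost (NAME=value) pairs of the nested command string.
LEAF = re.compile(r"\(\s*([A-Za-z_]+)\s*=\s*([^()]*)\)")

def leaf_params(connect_data):
    """Return (NAME, value) for every innermost (NAME=value) pair."""
    return [(k.upper(), v) for k, v in LEAF.findall(connect_data)]

def balanced(connect_data):
    """True when every '(' has a matching ')' in the right order."""
    depth = 0
    for ch in connect_data:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:
            return False
    return depth == 0

def review(connect_data, limit=MAX_VALUE_LEN):
    """Return findings as (name, length); an empty list means clean."""
    findings = []
    # A value cut off before its ')' never forms a leaf pair, so report
    # the malformed string itself together with its total length.
    if not balanced(connect_data):
        findings.append(("MALFORMED", len(connect_data)))
    for name, value in leaf_params(connect_data):
        if name in WATCHED and len(value) > limit:
            findings.append((name, len(value)))
    return findings

# Constructed sample strings, not captured traffic.
NORMAL = ("(CONNECT_DATA=(CID=(PROGRAM=)(HOST=client1)(USER=oracle))"
          "(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=1))")
LONG = "(CONNECT_DATA=(COMMAND=status)(SERVICE=" + "A" * 300 + ")(VERSION=1))"
TRUNCATED = "(CONNECT_DATA=(COMMAND=status)(USER=" + "A" * 300

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("long", LONG),
                          ("truncated", TRUNCATED)):
        print(label, review(sample))
```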
Affected Systems:
Oracle 8i Standard and Enterprise Editions Version 8.1.5, 8.1.6, 8.1.7 and previous versions
Affected platforms:
Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix.
Solution:
Please download and install the patch: http://metalink.oracle.com/