Oracle cmctl Buffer Overflow Vulnerability

Bugtraq ID:	1968
Class:	Boundary Condition Error
CVE:
Remote:	No
Local:	Yes
Published:	Nov 20 2000 12:00AM
Updated:	Nov 20 2000 12:00AM
Credit:	This vulnerability was first announced in a Plazasite Security Advisory on November 20, 2000.
Vulnerable:	Oracle Oracle8i Standard Edition 8.1.6 Oracle Oracle8i Standard Edition 8.1.5 Oracle Oracle8 8.0.5 - SGI IRIX 6.5.4 Oracle Oracle8 8.0.4 Oracle Oracle8 8.0.3
Not Vulnerable:

Oracle cmctl Buffer Overflow Vulnerability

cmctl is the Connection Control Manager, part of the Oracle 8i installation. A vulnerability exists that can allow elevation of privileges.

The problem occurs in the way cmctl handles the user-supplied command line arguments. The string representing argv[1] (the first user-supplied commandline argument) is copied into a buffer of predefined length without being checked to ensure that its length does not exceed the size of the destination buffer. As a result, the excessive data that is written to the buffer will write past its boundaries and overwrite other values on the stack (such as the return address).

This can lead to the user executing supplied shellcode with the effective privileges of cmctl, egid dba and euid oracle.

Oracle cmctl Buffer Overflow Vulnerability

Exploit available:

• /data/vulnerabilities/exploits/cmctl_start.c

Oracle cmctl Buffer Overflow Vulnerability


Oracle Oracle8i Standard Edition 8.1.5

• Oracle Metalink Patches for cmctl
  http://metalink.oracle.com

Oracle Oracle8i Standard Edition 8.1.6

• Oracle Metalink Patches for cmctl
  http://metalink.oracle.com

Oracle cmctl Buffer Overflow Vulnerability

References:

• Oracle Support Page (Oracle)