DBAsupport.com Forums - Powered by vBulletin

Thread: oracle bug

  1. #1
    Join Date
    Mar 2001
    Location
    south africa
    Posts
    401

    oracle bug

    How serious is the bug below?

    *************************************************************


    NGSSoftware Insight Security Research Advisory
    >
    > Name: Oracle Database Link Buffer Overflow
    > Systems Affected: All platforms; Oracle9i Database Release 2 and 1, 8i all
    > releases, 8 all releases, 7.3.x
    > Severity: High Risk
    > Vendor URL: http://www.oracle.com
    > Author: David Litchfield (david@ngssoftware.com)
    > Date: 29th April 2003
    > Advisory number: #NISR29042003
    >
    > Description
    > ***********
    > Oracle is the leader in the database market with a 54% market share lead
    > under ERP (Enterprise Resource Planning). The database server is vulnerable
    > to a remotely exploitable buffer overflow vulnerability. The problem exists
    > with database links; functionality that allows the querying of one Oracle
    > database server from another.
    >
    > Details
    > *******
    > A classic stack based buffer overflow vulnerability exists in the Oracle
    > database server that can be set up for exploitation by providing an overly
    > long parameter for a connect string with the 'CREATE DATABASE LINK' query:
    >
    > CREATE DATABASE LINK ngss
    > CONNECT TO hr
    > IDENTIFIED BY hr
    > USING 'longstring'
    >
    > By default, the 'CREATE DATABASE LINK' privilege is assigned to the CONNECT
    > role and as most Oracle accounts are assigned membership of this role even
    > low privileged accounts such as SCOTT and ADAMS can create database links.
    > By creating a specially crafted database link and then by selecting from the
    > link:
    >
    > select * from table@ngss
    >
    > the overflow can be triggered, overwriting the saved return address on the
    > stack. This allows an attacker to gain control of the Oracle process' path
    > of execution and permits the execution of arbitrary, user supplied code. Any
    > code supplied would run in the security context of the account running the
    > Oracle database server. On unix based systems this is typically the 'oracle'
    > user and on Windows the local SYSTEM user. In the former this allows for a
    > full compromise of the data and in the latter a full compromise of the data
    > and the operating system.
    >
    > This is a high risk vulnerability and as such should be patched as soon as
    > possible, after a suitable period of testing.
    >
    > Fix Information
    > ***************
    > NGSSoftware alerted Oracle to this vulnerability on 30th September 2002.
    > Oracle has reviewed the code and created a patch which is available from:
    >
    > http://otn.oracle.com/deploy/securit...003alert54.pdf
    >
    > NGSSoftware advise Oracle database customers to review and install the patch
    > as a matter of urgency.
    >
    > A check for this issue already exists in NGSSQuirreL for Oracle, a
    > comprehensive automated vulnerability assessment tool for Oracle Database
    > Servers of which more information is available from the NGSSite
    >
    > http://www.ngssoftware.com/software/...fororacle.html
    >
    > It is further recommended that Oracle DBAs have their network/firewall
    > administrators ensure that the database server is protected from Internet
    > sourced traffic.
    >
    >
    > Further Information
    > *******************
    > For further information about the scope and effects of buffer overflows,
    > please see
    >
    > http://www.ngssoftware.com/papers/no...bo-windows.pdf
    > http://www.ngssoftware.com/papers/ntbufferoverflow.html
    > http://www.ngssoftware.com/papers/bu...rflowpaper.rtf
    > http://www.ngssoftware.com/papers/unicodebo.pdf
    >
    > About NGSSoftware
    > *****************
    > NGSSoftware design, research and develop intelligent, advanced application
    > security assessment scanners. Based in the United Kingdom, NGSSoftware have
    > offices in the South of London and the East Coast of Scotland. NGSSoftware's
    > sister company NGSConsulting, offers best of breed security consulting
    > services, specialising in application, host and network security
    > assessments.
    >
    > http://www.ngssoftware.com/
    > http://www.ngsconsulting.com/
    >
    > Telephone +44 208 401 0070
    > Fax +44 208 401 0076
    >
    > enquiries@ngssoftware.com
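    The advisory's two practical points for a DBA are (a) CREATE DATABASE LINK is reachable by anyone holding the CONNECT role and (b) the trigger is a database link with an over-long connect string. The following audit and interim-hardening script is an added example written for this thread; it is not part of the NGSSoftware advisory or any Oracle patch. It uses only standard Oracle data-dictionary views (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_DB_LINKS); the 200-character length threshold and the account name some_integration_user are assumptions for illustration.

```sql
-- Added example, not from the advisory. Run as a DBA (needs SELECT on DBA_* views).
-- Comma-style joins are used so the script also runs on the older releases the
-- advisory lists (7.3.x / 8.x), which predate ANSI JOIN syntax.

-- 1. Accounts that hold CREATE DATABASE LINK as a direct system privilege.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK';

-- 2. Roles that carry the privilege, and every grantee of those roles.
--    On a default install this is where CONNECT (and hence SCOTT, ADAMS, ...)
--    shows up. Only one level of role nesting is resolved here.
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp, dba_sys_privs sp
 WHERE sp.grantee    = rp.granted_role
   AND sp.privilege  = 'CREATE DATABASE LINK'
 ORDER BY rp.granted_role, rp.grantee;

-- 3. Existing links whose connect string (the USING clause, stored in HOST)
--    is suspiciously long. 200 characters is an assumed threshold; a normal
--    TNS descriptor or net service name is well under that.
SELECT owner, db_link, username, host, LENGTH(host) AS host_len, created
  FROM dba_db_links
 WHERE LENGTH(host) > 200
 ORDER BY host_len DESC;

-- 4. Interim mitigation until the vendor patch is tested and applied:
--    remove the privilege from the CONNECT role, then re-grant it only to the
--    specific accounts that genuinely need to create links.
REVOKE CREATE DATABASE LINK FROM CONNECT;
-- GRANT CREATE DATABASE LINK TO some_integration_user;  -- assumed account name
```

    Query 3 is an after-the-fact check: a link that was already created with a long string is still a loaded trigger, since the overflow fires on the SELECT from the link, not at CREATE time. Links found there should be dropped (DROP DATABASE LINK / DROP PUBLIC DATABASE LINK) rather than merely noted. The REVOKE in step 4 reduces who can plant such a link; it does not remove the underlying bug, so the patch from the advisory is still required.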

  2. #2
    Join Date
    Jan 2001
    Posts
    642
    Why does one need to have such a 'Long String' for the connect string?

    Badrinath
    There is always a better way to do the things.

  3. #3
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Beware http://otn.oracle.com/deploy/securi...2003alert54.pdf gave the wrong patch number for 8.1.7 under Windows - it's changed now, but 2899111 is for 8.1.7.4.9 which is missing a file in the NT version - so in fact I think you need 2904997 for 8.1.7.4.10

    Don't you love this!
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  4. #4
    Join Date
    Jan 2003
    Location
    Denver
    Posts
    152

    Internal threat only.

    Unless you connect the Oracle Database directly to the Internet (e.g., no intervening application server or firewall), a remote exploit via the Internet is, in our opinion, unlikely.
