Username buffer overflow
February 14, 2003
To determine if you are vulnerable to this attack, download AppDetective™
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: High
Threat: This buffer overflow may allow an attacker to overwrite the stack and execute
arbitrary code under the security context of the database server.
Versions Affected: All Versions of Oracle
Summary:
A buffer overflow exists in the authentication mechanism of Oracle.
This buffer overflow may allow an attacker to overwrite the stack and
execute arbitrary code under the security context of the database server.
This vulnerability occurs when a very long username is passed during authentication to the database.
Details:
During the authentication process of connecting to an Oracle database, a username and password are sent to the server. Typically, client applications, particularly those from Oracle, are designed to limit the length of the username passed in for authentication. However, if a username of 1150 characters or greater is passed to the authentication mechanism, a buffer overflow occurs. This overflow happens before authentication completes, so an unauthenticated attacker could use it to gain full control of a database.
This buffer overflow does not cause the Oracle process to crash. However, the overflow does overwrite the saved return address on the stack.
Although most applications truncate the username, one program included in the Oracle utilities is known to allow long usernames. The loadpsp utility found in the $ORACLE_HOME/bin directory can be called as follows:
C:\oracle\bin> loadpsp -name -user XXX[1150 additional characters]/test@iasdb test
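The following is an added example, not code from this advisory or from Oracle. It shows a pre-flight check that a wrapper script or audit job could apply to a user/password@service connect string (Oracle's standard syntax, and the form used in the loadpsp command above) before the string reaches a client tool, flagging usernames at or above the 1150-character trigger length stated above. The 30-character working limit, the connect_string_from_argv helper and all sample command lines are assumptions constructed for the example.

```python
"""Pre-flight check for oversized usernames in Oracle connect strings.

Added example for this advisory; not code from the advisory or from Oracle.
The 1150-character threshold comes from the advisory; the 30-character
working limit and the sample inputs are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

OVERFLOW_THRESHOLD = 1150   # advisory: usernames of 1150+ chars trigger the overflow
MAX_USERNAME_LEN = 30       # assumed operational limit for a legitimate username


@dataclass
class ConnectString:
    username: str
    password: Optional[str]
    service: Optional[str]


def parse_connect_string(s: str) -> ConnectString:
    """Split 'user/password@service'; password and service are optional.

    The service is taken after the last '@' and the password after the first
    '/', so a password that itself contains '@' still parses correctly.
    """
    if "@" in s:
        creds, _, service = s.rpartition("@")
    else:
        creds, service = s, None
    if "/" in creds:
        username, _, password = creds.partition("/")
    else:
        username, password = creds, None
    return ConnectString(username, password, service)


def assess_username(username: str) -> str:
    """Classify a username by length.

    'overflow'   - at or above the advisory's trigger length; block and alert
    'suspicious' - longer than any legitimate identifier; worth reviewing
    'ok'         - within the working limit
    """
    n = len(username)
    if n >= OVERFLOW_THRESHOLD:
        return "overflow"
    if n > MAX_USERNAME_LEN:
        return "suspicious"
    return "ok"


def connect_string_from_argv(argv: List[str]) -> Optional[str]:
    """Return the value following '-user' in a loadpsp-style argument list
    (assumed helper; only the '-user <connect>' form shown above is handled)."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-user":
            return argv[i + 1]
    return None


def scan_commands(commands: List[List[str]]) -> List[dict]:
    """Assess every command that carries a '-user' connect string."""
    findings = []
    for argv in commands:
        cs = connect_string_from_argv(argv)
        if cs is None:
            continue
        parsed = parse_connect_string(cs)
        findings.append({
            "tool": argv[0],
            "service": parsed.service,
            "username_len": len(parsed.username),
            "verdict": assess_username(parsed.username),
        })
    return findings


# Constructed sample: a normal invocation, a command without '-user' (skipped),
# and one mirroring the advisory's pattern (oversized username before '/test@iasdb').
SAMPLE_COMMANDS = [
    ["loadpsp", "-name", "-user", "scott/tiger@iasdb", "test"],
    ["sqlplus", "-s", "report/secret@orcl"],
    ["loadpsp", "-name", "-user", "X" * 1150 + "/test@iasdb", "test"],
]

if __name__ == "__main__":
    for finding in scan_commands(SAMPLE_COMMANDS):
        print(finding)
```

Rejecting a username that is longer than any valid Oracle identifier, rather than only at the 1150-character trigger, gives headroom in case the exact threshold differs between platforms; the parser is deliberately tolerant so that a malformed string is still assessed rather than passed through unchecked.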
Fix:
To fix this problem, you must download and apply the appropriate patch. Patches for the Oracle database server can be downloaded from Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). This patch is identified by the base bug number 2620726.
The issue is fixed in the 9.2.0.3 patchset. Patches are available for 9.2.0.2, 9.0.1.4, 8.1.7.4, and 8.0.6. For a detailed grid of the platform details, view the grid at http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf.