Multiple Buffer Overflow Vulnerabilities in XML Database (XDB) functionality of Oracle 9i Release 2
August 20, 2003
To determine if you should apply this patch, download AppDetective™ for Oracle
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: High
Threat: These vulnerabilities may allow an attacker to cause a denial of service (DoS) or to compromise the server.
Versions Affected: Oracle 9i 9.2.0.1, 9.2.0.2, 9.2.0.3
Summary:
Several buffer overflows exist in the HTTP and FTP services of the XML
Database (XDB) component of Oracle 9i Database Release 2. A remote attacker
can use them to cause a denial of service or to gain control of the server.
Details:
Oracle XML Database (XDB) is a set of built-in high-performance storage and
retrieval technologies developed especially for XML. The following
vulnerabilities exist in the Oracle XDB.
XDB HTTP Service Overly Long String buffer overflow:
The Oracle XDB can be accessed via its HTTP service. The service listens on
port 8080 and is enabled by default. Users must authenticate in order to use
this service; the usernames and passwords are sent over the network
Base64-encoded (that is, not encrypted). A buffer overflow exists in the way
the username and password are handled by this service. An attacker can
overflow a stack-based buffer by supplying an overly long username or
password during authentication. Because the overflow is triggered while the
credentials are being processed, valid credentials are not required. This
can lead to full remote system compromise and/or denial of service (DoS).
XDB FTP Service Overly Long String buffer overflow:
The Oracle XDB can also be accessed via its FTP service. The service listens
on port 2100 and is enabled by default. As with the HTTP service, an attacker
can overflow a stack-based buffer by supplying an overly long username or
password during authentication; valid credentials are not required.
XDB FTP Service TEST command buffer overflow:
Along with the standard FTP commands, this service supports a TEST command.
A buffer overflow exists in the way the parameter of this command is
handled. An attacker can overflow the buffer by supplying an overly long
parameter, which allows execution of arbitrary code with the privileges of
the XDB FTP service.
XDB FTP Service UNLOCK command buffer overflow:
A buffer overflow also exists in the way the parameter of the UNLOCK command
is handled. An attacker can overflow the buffer by supplying an overly long
parameter, which allows execution of arbitrary code with the privileges of
the XDB FTP service.
XDB Authenticated User buffer overflow:
A further buffer overflow exists in the Oracle XDB. Unlike the issues above,
it can only be exploited by an authenticated user of the database, but it
allows a non-privileged user to gain full control of the database.
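The four network-reachable issues above share one trigger: an overly long argument to the XDB FTP USER, PASS, TEST or UNLOCK commands on port 2100, or an overly long username or password inside the Base64-encoded HTTP Basic credentials on port 8080. The following checker is an added example written for this page (it is not part of the original advisory and not Oracle's code). It decodes the Basic-auth header to recover the real credential length and flags oversized FTP arguments, so it can be run over captured FTP command lines and HTTP Authorization headers from a proxy or IDS log. The MAX_ARG threshold is a hypothetical value chosen for the example (the advisory gives no exact overflow length), and the sample traffic at the bottom is constructed, not a real capture.

```python
"""
Offline checker for the overly-long-argument patterns described in the
advisory. Added example, not part of the advisory or of Oracle's software.

Assumptions (labelled as such):
  * MAX_ARG is a hypothetical threshold; the advisory does not state the
    length at which the XDB buffers overflow.
  * The sample traffic at the bottom is constructed for this example.
"""
import base64
import binascii
import re

# Hypothetical threshold: any flagged FTP argument, or any Basic-auth
# username/password, longer than this is reported as suspicious.
MAX_ARG = 256

# FTP commands the advisory names as overflow triggers on XDB port 2100.
FTP_COMMANDS = {"USER", "PASS", "TEST", "UNLOCK"}


def check_ftp_line(line, max_arg=MAX_ARG):
    """Return ("ftp", COMMAND, argument_length) when one of the flagged FTP
    commands carries an argument longer than max_arg, else None."""
    line = line.rstrip("\r\n")
    parts = line.split(" ", 1)
    cmd = parts[0].upper()
    if cmd not in FTP_COMMANDS:
        return None
    arg = parts[1] if len(parts) > 1 else ""
    if len(arg) > max_arg:
        return ("ftp", cmd, len(arg))
    return None


def decode_basic_auth(header_value):
    """Decode an 'Authorization: Basic <b64>' header value into
    (username, password).

    The XDB HTTP service on port 8080 sends credentials Base64-encoded, so
    decoding is what reveals their true length. Returns None for anything
    that is not well-formed Basic authentication."""
    m = re.match(r"\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", header_value)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def check_http_auth(header_value, max_arg=MAX_ARG):
    """Return ("http", "Basic", longest_field_length) when the decoded
    username or password exceeds max_arg, else None."""
    creds = decode_basic_auth(header_value)
    if creds is None:
        return None
    user, password = creds
    if len(user) > max_arg or len(password) > max_arg:
        return ("http", "Basic", max(len(user), len(password)))
    return None


def scan(ftp_lines, http_auth_headers, max_arg=MAX_ARG):
    """Run both checks over the given inputs and collect the findings."""
    findings = []
    for line in ftp_lines:
        finding = check_ftp_line(line, max_arg)
        if finding:
            findings.append(finding)
    for value in http_auth_headers:
        finding = check_http_auth(value, max_arg)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample traffic for the example (not a real capture).
SAMPLE_FTP = [
    "USER scott\r\n",
    "PASS tiger\r\n",
    "TEST " + "A" * 1000 + "\r\n",
    "UNLOCK " + "B" * 1000 + "\r\n",
    "USER " + "C" * 1000 + "\r\n",
    "CWD /public\r\n",
]
SAMPLE_HTTP = [
    "Basic " + base64.b64encode(b"scott:tiger").decode(),
    "Basic " + base64.b64encode(b"scott:" + b"D" * 1000).decode(),
    "Bearer not-basic-at-all",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FTP, SAMPLE_HTTP):
        print("suspicious %-4s %-6s argument length %d" % finding)
```

Run against the constructed sample it reports the TEST, UNLOCK and USER lines and the oversized Basic-auth password, and ignores the normal logins, the CWD command and the non-Basic header. The threshold is deliberately generous; a legitimate database username or password is far shorter than 256 characters, so anything above it on these two ports is worth an alert regardless of the exact overflow length.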
Fix:
Versions of Oracle 9i that are vulnerable are the following: 9.2.0.1,
9.2.0.2 and 9.2.0.3.
These vulnerabilities are fixed in Oracle 9i version 9.2.0.4. The patchset
should be obtained from http://metalink.oracle.com/metalink/plsql/ml2_gui.startup. Search for patchset number 3095277.
Alternatively, an interim patch can be downloaded from the same location.
Search for patch number 3058991. This patch must be applied on top of Oracle
9i version 9.2.0.3.
If the Oracle 9i 9.2.0.4 patchset 3095277 or patch 3058991 is unavailable
for your platform, the Oracle XDB HTTP and FTP services can be disabled by
removing the "(SERVICE=[sid-name]XDB)" substring from the "dispatchers" line
in the INIT.ORA file (or the equivalent entry in the server parameter file),
where [sid-name] is the SID of the database. After restarting the instance,
confirm with SHOW PARAMETER dispatchers in SQL*Plus that the XDB service is
no longer listed and that nothing is listening on ports 8080 and 2100. This
workaround only removes the network-facing HTTP and FTP listeners; it does
not correct the vulnerable code and so reduces exposure rather than securing
the server. Apply the patch as soon as it is available for your platform.