
NISR06022002B: Multiple Buffer Overflows in Oracle 9iAS

by Nikola Strahija on February 6th, 2002

The web service with Oracle 9iAS is powered by Apache and provides many application environments with which to offer services from the site. These include SOAP, PL/SQL, XSQL and JSP. There are multiple buffer overrun vulnerabilities in the PL/SQL Apache module that allow the execution of arbitrary code.

The PL/SQL module exists to allow remote users to call procedures exported by a PL/SQL package
stored in the database server. This module can be overflowed by making an overly
long request to the plsql module; by setting an overly long password in the Authorization HTTP client
header; by supplying an overly long cache directory name in the cache form; or by setting an overly
long password in the adddad form.

Some of these attacks require that the attacker know the name of the adminPath, whereas others do not.

All allow the execution of arbitrary code. On Windows NT/2000 systems the Oracle Apache web server
by default runs in the context of the local SYSTEM account so any code will run with full privileges.

A further problem exists whereby a request made to the pls module with an HTTP client Authorization
header set, but with no auth type, will cause the server to crash with an access violation. The server
needs to be restarted after such an attack.
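
As an added example (not part of the NGSSoftware advisory or of Oracle's patch), the sketch below shows a request screen that a fronting proxy could apply to the inputs described above. The `/pls/` prefix, the length caps and the function names are assumptions; the advisory gives no field names or sizes, so every form field is capped alike.

```python
import base64
import binascii

# Assumed values, not from the advisory: the mount point of the PL/SQL
# module and the length caps. Tune them to the deployment.
PLSQL_PREFIX = "/pls/"
MAX_PATH = 512
MAX_PASSWORD = 64
MAX_FIELD = 256


def check_authorization(value):
    """Return findings for one Authorization header value."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        # Header present but no "<auth-type> <credentials>" pair.
        return ["authorization header without auth type"]
    scheme, credentials = parts
    if scheme.lower() != "basic":
        return []
    try:
        decoded = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError):
        return ["undecodable basic credentials"]
    _user, _sep, password = decoded.partition(b":")
    if len(password) > MAX_PASSWORD:
        return ["overly long password in authorization header"]
    return []


def screen_request(path, headers, form=None):
    """Screen one request bound for the PL/SQL module; empty list means pass."""
    if not path.lower().startswith(PLSQL_PREFIX):
        return []
    findings = []
    if len(path) > MAX_PATH:
        findings.append("overly long request to plsql module")
    for name, value in headers.items():
        if name.lower() == "authorization":
            findings.extend(check_authorization(value))
    for field, value in (form or {}).items():
        if len(value) > MAX_FIELD:
            findings.append("overly long form field: " + field)
    return findings
```

A non-empty result is a reason to reject the request before it reaches the module and to log it for review.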

Fix Information
NGSSoftware alerted Oracle to these problems between December 2001 and early January 2002. Oracle
has produced a patch to fix these problems, which can be downloaded from the Metalink site.
