90940 2003-02-17  17:16  /83 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17  17:16  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3521>
Subject: Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name:    Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 1,
8i, 8.1.7, 8.0.6
Severity:  High Risk
Category:               Remote System Buffer Overrun
Vendor URL:   http://www.oracle.com
Author:   Mark Litchfield (mark@ngssoftware.com)
Date:   16th February 2003
Advisory number: #NISR16022003b


Description
***********

Oracle's database server contains functions for use within queries.
The TO_TIMESTAMP_TZ function exists to convert a string into a
timestamp with a time zone datatype. This function contains an
exploitable buffer overflow vulnerability.

Details
*******

There is a remotely exploitable buffer overflow vulnerability in the
TO_TIMESTAMP_TZ function. A normal statement would look like the
following, converting a character string to a value of timestamp with
time zone:

SELECT TO_TIMESTAMP_TZ('2003-02-16 12:00:00 -8:00','YYYY-MM-DD
HH:MI:SS TZH:TZM') FROM DUAL;

By supplying a long character string for the second parameter an
attacker can overwrite a saved return address on the stack of the
Oracle process. Before this issue can be exploited an attacker must be
able to log on to the database server with a valid user ID and
password, but as the TO_TIMESTAMP_TZ() function can be executed by
PUBLIC by default any user of the system can gain control. Any
arbitrary code supplied by an attacker would execute with the same
privileges as the user running the service; this account is typically
"Oracle" on linux/unix based platforms and Local System on Windows
based operating systems such as NT/2000/XP. As such this allows for a
complete compromise of the data stored in the database and possibly a
complete compromise of the operating system.

Fix Information
***************

NGSSoftware alerted Oracle to this vulnerability on 30th September
2002 and Oracle has produced a patch which is available from

http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle
Database Servers; more information is available from the NGS site

http://www.ngssoftware.com/software/squirrelfororacle.html

Further Information
*******************

For further information about the scope and effects of buffer
overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90940) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(Re-wrapped)
90941 2003-02-17  17:22  /143 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17  17:22  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3522>
Subject: Oracle9i Application Server Format String Vulnerability (#NISR16022003d)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name:    Oracle9i Application Server Format String Vulnerability
Systems Affected:  All platforms; Oracle9i Application Server Release 9.0.2
Severity:  Critical Risk
Category:               Format String Vulnerability
Vendor URL:   http://www.oracle.com
Author:   David Litchfield (david@ngssoftware) and Mark Litchfield
(mark@ngssoftware.com)
Date:   16th February 2003
Advisory number: #NISR16022003d


Description
***********

Oracle's 9i Application Server offers a highly functional web server
designed to seamlessly integrate with an Oracle backend database
server. Based on Apache the server offers many environments for web
based applications such as Java/JSP, PL/SQL, Perl and FastCGI. With
their latest release of the Application Server, 9.0.2, Oracle has
added support for WebDAV, Web Distributed Authoring and Versioning,
that turns the Web into a file sharing system.


Details
*******

DAV is turned on by default. Whilst this is bad in and of itself, as
attackers can anonymously upload files to the server, an attacker can
exploit a format string bug in one of the logging functions. If an
attacker uses the COPY method and supplies a destination URI that uses
a different scheme or port then a 502 Bad Gateway response is
returned. This is logged and in doing so the format string can be
exploited. Although the Apache mod_dav module is not vulnerable itself
the vulnerable code is there - it is just not ever executed. Oracle
has modified the mod_dav module and changed it so bad gateway
responses are logged - and thus they are vulnerable. Looking at the
mod_dav source:

From mod_dav.c revision 1.157

..
..
lookup = dav_lookup_uri(dest, r);
if (lookup.rnew == NULL)
{
      if (lookup.err.status == HTTP_BAD_REQUEST)
      {
            ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
                          lookup.err.desc);
            return HTTP_BAD_REQUEST;
      }
      return dav_error_response(r, lookup.err.status, lookup.err.desc);
}
..
..

This code calls the dav_lookup_uri() function in dav_util.c. From
dav_util.c revision 1.84

..
dav_lookup_result dav_lookup_uri(const char *uri, request_rec * r)
{
..
..
if (strcasecmp(comp.scheme, scheme) != 0 || comp.port != port)
{
      result.err.status = HTTP_BAD_GATEWAY;
      result.err.desc = ap_psprintf(r->pool,
                                    "Destination URI refers to different "
                                    "scheme or port (%s://hostname:%d)\n"
                                    "(want: %s://hostname:%d)",
                                    comp.scheme ? comp.scheme : scheme,
                                    comp.port ? comp.port : port,
                                    scheme, port);

      return result;

..
..
}

When dav_lookup_uri() returns to mod_dav.c the format string bug occurs:

..
lookup = dav_lookup_uri(dest, r);
if (lookup.rnew == NULL)
{
      if (lookup.err.status == HTTP_BAD_REQUEST)
      {
            /* THIS IS THE FIRST FORMAT STRING VULNERABILITY */
            ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r,
                          lookup.err.desc);
..
..
}


Of course the code should have read

ap_log_rerror(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, r, "%s",
              lookup.err.desc);

to not be vulnerable.

By crafting a specially formed format string and sending it to the
server an attacker can overwrite an arbitrary address with arbitrary
values, which can allow an attacker to gain control of the web
server. To do this they could overwrite a saved return address on the
stack, an exception handler or a pointer to a function with an address
that points to a buffer that contains the arbitrary code to execute.

Fix Information
***************

NGSSoftware alerted Oracle to this vulnerability on 24th September
2002. Oracle has developed a patch which is available from

http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

A check for these issues has been added to OraScan, a comprehensive
automated vulnerability assessment tool for Oracle Application
Servers; more information is available from the NGS site

http://www.nextgenss.com/software/orascan.html

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90941) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(Re-wrapped)
90943 2003-02-17  17:28  /83 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17  17:28  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3523>
Subject: Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)
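An added example, written in C for this page and not taken from the advisory or from Apache mod_dav, showing why the corrected call must pass lookup.err.desc through a fixed "%s" format, together with a small check a reviewer can run over request-derived strings (such as the scheme of a COPY Destination header) to spot ones that carry format directives. All function names and sample inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if s holds a printf conversion directive other than the literal "%%".
 * A Destination scheme or host that contains such directives is not a real
 * URI component and is worth flagging when reviewing WebDAV COPY traffic. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" prints a single '%' */
        return true;                         /* "%s", "%n", "%08x", ... */
    }
    return false;
}

/* Mirrors how dav_lookup_uri() composes err.desc: the scheme parsed from the
 * client's Destination URI is interpolated into the message, so the finished
 * string inherits whatever '%' sequences the client sent. Returns the length
 * snprintf would have produced. (Constructed stand-in, not Apache's code.) */
int build_bad_gateway_desc(char *out, size_t cap, const char *req_scheme,
                           int req_port, const char *want_scheme, int want_port) {
    return snprintf(out, cap,
                    "Destination URI refers to different scheme or port "
                    "(%s://hostname:%d)\n(want: %s://hostname:%d)",
                    req_scheme, req_port, want_scheme, want_port);
}

/* The corrected call shape from the advisory: desc is an argument to a fixed
 * "%s" format, so any directives inside it are copied as plain data rather
 * than interpreted. Returns the number of bytes the log line would hold. */
int log_desc_fixed(char *logbuf, size_t cap, const char *desc) {
    return snprintf(logbuf, cap, "%s", desc);
}

int main(void) {
    char desc[256], logbuf[256];
    /* Constructed sample: a Destination scheme that is really a format probe. */
    build_bad_gateway_desc(desc, sizeof desc, "%x%x", 8080, "http", 80);
    printf("directive found in desc: %s\n",
           has_format_directive(desc) ? "yes" : "no");
    log_desc_fixed(logbuf, sizeof logbuf, desc);
    printf("logged verbatim via \"%%s\": %s\n",
           strcmp(logbuf, desc) == 0 ? "yes" : "no");
    return 0;
}
```

When the logging function is declared with the printf format attribute, gcc's -Wformat-security warns at the vulnerable call shape (a non-literal format with no arguments), which is a cheap way to catch this class of bug at build time.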
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name:    Oracle TZ_OFFSET Remote System Buffer Overrun
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 1,
8i, 8.1.7, 8.0.6
Severity:  High Risk
Category:               Remote System Buffer Overrun
Vendor URL:   http://www.oracle.com
Author:   Mark Litchfield (mark@ngssoftware.com)
Date:   16th February 2003
Advisory number: #NISR16022003c

Description
***********

Oracle's database server contains functions for use within queries.
The TZ_OFFSET function returns the time zone offset corresponding to
the value entered based on the date the statement was executed. For
example:

SELECT TZ_OFFSET('US/Eastern') FROM DUAL;

would return the time zone offset value of -04:00. The TZ_OFFSET()
function contains a remotely exploitable buffer overflow
vulnerability.


Details
*******

There exists a remotely exploitable buffer overflow vulnerability in
the TZ_OFFSET function. By supplying a long character string for the
time zone name an attacker can overwrite a saved return address on the
stack of the Oracle process. Before this issue can be exploited an
attacker must be able to log on to the database server with a valid
user ID and password, but as the TO_TIMESTAMP_TZ() function can be
executed by PUBLIC by default any user of the system can gain
control. Any arbitrary code supplied by an attacker would execute with
the same privileges as the user running the service; this account is
typically "Oracle" on linux/unix based platforms and Local System on
Windows based operating systems such as NT/2000/XP. As such this
allows for a complete compromise of the data stored in the database
and possibly a complete compromise of the operating system.


Fix Information
***************

NGSSoftware alerted Oracle to this vulnerability on 30th September
2002. Oracle has developed a patch which is available from

http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle
Database Servers; more information is available from the NGS site

http://www.ngssoftware.com/software/squirrelfororacle.html

Further Information
*******************

For further information about the scope and effects of buffer
overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf


About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90943) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(Re-wrapped)
90947 2003-02-17  18:43  /76 lines/ NGSSoftware Insight Security Research <nisr@nextgenss.com>
Imported: 2003-02-17  18:43  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: ntbugtraq@listserv.ntbugtraq.com
Recipient: Bugtraq (import) <3527>
Subject: Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)
------------------------------------------------------------
NGSSoftware Insight Security Research Advisory

Name:    ORACLE bfilename function buffer overflow vulnerability
Systems Affected:  All platforms; Oracle9i Database Release 2, 9i Release 1,
8i, 8.1.7, 8.0.6
Severity:  High Risk
Category: Remote System Buffer Overrun
Vendor URL:   http://www.oracle.com
Author:   David Litchfield (david@ngssoftware.com)
Date:   16th February 2003
Advisory number: #NISR16022003e


Description
***********

Oracle's database server contains functions for use within queries.
The bfilename() function returns a BFILE locator to a binary large
object stored in the database.

Details
*******

The bfilename() function suffers from a remotely exploitable buffer
overrun when an overly long DIRECTORY parameter is supplied. Before
this issue can be exploited an attacker must be able to log on to the
database server with a valid user ID and password, but as the
bfilename() function can be executed by PUBLIC by default any user of
the system can gain control. Any arbitrary code supplied by an
attacker would execute with the same privileges as the user running
the service; this account is typically "Oracle" on linux/unix based
platforms and Local System on Windows based operating systems such as
NT/2000/XP. As such this allows for a complete compromise of the data
stored in the database and possibly a complete compromise of the
operating system.


Fix Information
***************

NGSSoftware alerted Oracle to this vulnerability on 30th September
2002. Oracle has developed a patch which is available from

http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

A check for these issues has been added to NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle
Database Servers; more information is available from the NGS site

http://www.ngssoftware.com/software/squirrelfororacle.html

Further Information
*******************

For further information about the scope and effects of buffer
overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced
application security assessment scanners. Based in the United Kingdom,
NGSSoftware have offices in the South of London and the East Coast of
Scotland. NGSSoftware's sister company NGSConsulting, offers best of
breed security consulting services, specialising in application, host
and network security assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com
(90947) /NGSSoftware Insight Security Research <nisr@nextgenss.com>/(Re-wrapped)