The exploit involves passing a large argv[1] argument to the oracle or oracle0 binary. Credit for discovering the vulnerability goes to [EMAIL PROTECTED]. The error was first discovered on a Linux box, but I have seen notes that AIX is vulnerable as well. What is not published in North America yet is the Oracle alert you mention. The first security note I saw on this was published on 19 October. Yes, there are people who know how to exploit the vulnerability. The vulnerability was shown to Oracle over a month ago, according to the comments in a proof of concept exploit.

One workaround is to take off the setuid bit from the Oracle binary. Is it really necessary to set this? How many places still have users log into the database server? Oracle has recommended putting its databases behind firewalls for some time.

Ian MacGregor
Stanford Linear Accelerator Center
-----Original Message-----
Important: Please read the following Oracle Alert.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 6:25 AM
To: Multiple recipients of list ORACLE-L
Subject: [SPAM:#] Do not connect Oracle DB to the Internet. Oracle Alert #59
We strongly recommend that you do not connect the Oracle Database
directly to the Internet.
Got your attention? That is what is in the Alert. These alerts are beginning
to come all too often. Sounds just like Microsoft's software, yeah?
Buffer Overflow in Oracle Database Server Binaries
This is with the Oracle kernel/binary itself, i.e. the 'oracle' or 'oracleO' file
in $ORACLE_HOME/bin.
Description
A potential buffer overflow has been discovered in the "oracle" and "oracleO" (the letter O) binaries
of the Oracle Database. A knowledgeable and malicious local user can exploit this buffer overflow
to execute code on the operating system hosting the Oracle Database server.
Products Affected
· Oracle 9i Database Release 2, Version 9.2.x
· Oracle 9i Database Release 1, Version 9.0.x
Platforms Affected
All supported UNIX and Linux operating system variants.
Patch only available for Linux right now.
So who found this vulnerability? David Litchfield? Aaron Newman?
I know it is a bit silly to ask, but does anyone know how
to exploit this vulnerability? Send it to me directly if you don't want to
reply publicly.
ta
tony
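To turn Ian's suggested workaround into something you can check, here is an added example (written for this page; it is not from the thread and not Oracle's own tooling) that lists the setuid/setgid files under a directory and strips those bits. It assumes the $ORACLE_HOME/bin layout named in the alert, and the file names in its guarded demo are constructed. One caveat before running it in anger: the setuid bit on the oracle executable is what lets a local OS user who connects without going through the listener start a server process as the Oracle software owner, so strip it only where every connection arrives via the listener, which is exactly the question Ian raises.

```shell
#!/bin/sh
# Added example: audit and remove setuid/setgid bits on Oracle binaries.
# Assumes the $ORACLE_HOME/bin layout from the alert; the demo at the
# bottom only runs when ORACLE_HOME is set and that directory exists.

# Print every regular file under "$1" that carries setuid (4000) or
# setgid (2000).  Either bit alone is enough to be reported.
list_setuid() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of setuid/setgid files under "$1" (0 when the directory is clean).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Remove setuid and setgid from every file list_setuid reports, echoing
# each path changed.  Returns 0 only if nothing is left set afterwards,
# so it can be used directly as a pass/fail check.
strip_setuid() {
    dir="$1"
    list_setuid "$dir" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && echo "stripped: $f"
    done
    [ -z "$(list_setuid "$dir")" ]
}

# Report-only usage against a real install:
#   ORACLE_HOME=/u01/app/oracle/product/9.2.0 sh audit_setuid.sh
# (ORACLE_HOME value above is a placeholder, not a path from the thread.)
if [ -n "${ORACLE_HOME:-}" ] && [ -d "$ORACLE_HOME/bin" ]; then
    echo "setuid/setgid files under $ORACLE_HOME/bin:"
    list_setuid "$ORACLE_HOME/bin"
fi
```

Run it report-only first; `count_setuid "$ORACLE_HOME/bin"` returning anything other than 0 tells you the bit is still there, and `strip_setuid` both fixes and re-verifies in one call.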