Buffer Overrun Vulnerability in Oracle iSQL

Reported November 4, 2002, by NGSSoftware.

 

VERSIONS AFFECTED

 

  • Oracle Database 9i, releases 1 and 2 on all OSs

 

 

DESCRIPTION

 

A vulnerability exists in Oracle’s iSQL*Plus Web-based application that lets an attacker compromise the vulnerable system and obtain SYSTEM-level access. This vulnerability stems from a buffer overflow condition in the iSQL application. By sending an overly long user ID parameter to the Web server, an attacker can overflow the internal buffer on the stack and overwrite the saved return address. The attacker can then run arbitrary code in the Web server's security context. For more details about this vulnerability, see the discoverer’s Web site.

 

VENDOR RESPONSE

 

The vendor, Oracle, has released Security Alert #46 to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in Oracle's alert.

 

CREDIT          

Discovered by David Litchfield of NGSSoftware

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish