COMMAND

	Oracle bfilename function buffer overflow vulnerability

SYSTEMS AFFECTED

	All platforms; Oracle9i Database Release 2, 9i  Release  1,  8i,  8.1.7,
	8.0.6

PROBLEM

	Thanks  to  David  Litchfield  [david@ngssoftware.com]  of   NGSSoftware
	Insight Security Research, advisory [#NISR16022003e] :
	
	Oracle's database server contains fuctions for use within  queries.  The
	bfilename() function returns a BFILE locator to a  binary  large  object
	stored in the database.
	
	 Details
	 *******
	
	The bfilename() function suffers  from  a  remotely  exploitable  buffer
	overrun when an overly long  DIRECTORY  parameter  is  supplied.  Before
	this issue can be exploited an attacker must be able to log  on  to  the
	database  server  with  a  valid  user  ID  and  password,  but  as  the
	bfilename() function can be executed by PUBLIC by default  any  user  of
	the system can gain control. Any arbitrary code supplied by an  attacker
	would execute with the same privileges as the user running the  service;
	this account is typically "Oracle" on  linux/unix  based  platforms  and
	Local System on Windows based operating systems such as  NT/2000/XP.  As
	such this allows for a complete compromise of the  data  stored  in  the
	database and possibly a complete compromise of the operating system.

SOLUTION

	 Fix Information
	 ***************
	
	NGSSoftware alerted Oracle  to  this  vulnerability  on  30th  September
	2002. Oracle has developed a patch which is available from
	
	http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
	
	A check for these issues has been added to  NGSSQuirreL  for  Oracle,  a
	comprehensive  automated  vulnerability  assessment  tool   for   Oracle
	Database Servers  of  which  more  information  is  available  from  the
	NGSSite
	
	http://www.ngssoftware.com/software/squirrelfororacle.html
	
	
	 Further Information
	 *******************
	
	For further information about the scope and effects of buffer overflows,
	please see
	
	http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
	http://www.ngssoftware.com/papers/ntbufferoverflow.html
	http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
	http://www.ngssoftware.com/papers/unicodebo.pdf
	
	 About NGSSoftware
	 *****************
	
	NGSSoftware design, research and develop intelligent, advanced application
	security assessment scanners. Based in the United Kingdom, NGSSoftware have
	offices in the South of London and the East Coast of Scotland. NGSSoftware's
	sister company NGSConsulting, offers best of breed security consulting
	services, specialising in application, host and network security
	assessments.
	
	http://www.ngssoftware.com/
	http://www.ngsconsulting.com/
	
	Telephone +44 208 401 0070
	Fax +44 208 401 0076
	
	enquiries@ngssoftware.com