21st Dec 2001 [SBWID-4950]
COMMAND
Oracle PL/SQL Apache module buffer overflow and directory traversal.
SYSTEMS AFFECTED
Oracle 9iAS
Platforms: Sun SPARC Solaris 2.6
MS Windows NT/2000 Server
HP-UX 11.0/32-bit
PROBLEM
In NGSSoftware Insight Security Research Advisory #NISR20122001 :
The web service shipped with Oracle 9iAS is powered by Apache and provides
many application environments with which to offer services from the site.
These include SOAP, PL/SQL, XSQL and JSP. Two security issues exist in
the PL/SQL Apache module - one a buffer overrun vulnerability and the
second a directory traversal issue. The directory traversal issue
affects only Windows NT/2000.
The PL/SQL module exists to allow remote users to call procedures
exported by a PL/SQL package stored in the database server. As part of
the functionality offered by the PL/SQL module it is possible to
remotely administer the Database Access Descriptors and from here
access help pages.
Normally, access to the /admin_/ pages is restricted - a UserID and
password are required - but the help pages under that path can be
requested without authenticating. A buffer overrun vulnerability exists
in the module whereby a request for an overly long help page name
overflows a fixed-size stack buffer and overwrites the saved return
address. By overwriting this saved return address with the address of a
"call esp" or "jmp esp" instruction, execution would land in the
user-supplied buffer and any machine code placed there would run.
On Windows NT/2000 the Apache process runs in the security context of
the SYSTEM account by default, so any code executed this way would run
without restriction and an attacker could gain complete control of the
system remotely.
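The following is an added illustration of the mechanism described above, not code from the advisory or from Oracle's module. It models a handler whose fixed-size buffer for the help page name sits directly below the saved return address (the real modplsql frame layout is not given by the advisory and is an assumption here), shows an overlong request reaching the saved return address, and places the bounds-checked version beside it. The request bytes are constructed for the demonstration; an attacker would put the address of a "jmp esp" where the marker bytes go.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a handler's stack frame: the fixed-size buffer that
 * receives the help page name sits directly below the saved return address.
 * The real modplsql frame layout is not described by the advisory; the
 * struct only makes the "buffer, then saved EIP" adjacency explicit. */
struct frame {
    char     name[16];   /* help page name copied from the request       */
    uint32_t saved_ret;  /* stands in for the saved return address (EIP) */
};

/* Vulnerable pattern: copy the request into the buffer without checking its
 * length. To keep this demonstration well-defined the copy is clamped at the
 * size of the whole frame, which is still enough to run over saved_ret; the
 * original bug would keep writing up the real stack. Returns the value that
 * a subsequent RET would pop. */
uint32_t handle_help_unsafe(const char *request, size_t len)
{
    struct frame f;
    f.saved_ret = 0xdeadbeef;            /* pretend-legitimate return address */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, request, len);
    return f.saved_ret;
}

/* Fixed pattern: refuse anything that does not fit with room for the NUL. */
int handle_help_safe(const char *request, size_t len, char out[16])
{
    if (len >= 16) return -1;
    memcpy(out, request, len);
    out[len] = '\0';
    return 0;
}

/* Constructed request: 16 filler bytes, then the four bytes that land on the
 * saved return address. A real exploit would place the address of a "jmp esp"
 * here so that RET continues into the bytes that follow (the payload); a
 * recognisable marker is used instead. Returns the request length. */
size_t build_overlong_request(char *buf, size_t cap)
{
    const size_t len = 16 + 4;
    if (cap < len) return 0;
    memset(buf, 'A', 16);
    memcpy(buf + 16, "\x42\x42\x42\x42", 4);   /* marker 0x42424242 */
    return len;
}

int main(void)
{
    char req[32], out[16];
    size_t len = build_overlong_request(req, sizeof req);

    printf("unsafe: RET would jump to 0x%08x\n", handle_help_unsafe(req, len));
    printf("safe:   overlong name rejected, rc=%d\n", handle_help_safe(req, len, out));
    printf("safe:   'help' accepted, rc=%d -> %s\n", handle_help_safe("help", 4, out), out);
    return 0;
}
```

The point the struct makes is that the overwrite is deterministic: whatever bytes follow the 16-byte filler are exactly what the function will return to, which is why a single "jmp esp" gadget address suffices once the distance from buffer to saved return address is known.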
The second issue is a double URL decoding problem: the module decodes
the request twice, so an attacker can make a specially encoded request
for a "help" file whose traversal sequences only appear after the second
decode, and so read files outside the web root.
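The double-decoding flaw, as an added example that is not part of the advisory or of the module's code: a path check that runs after the first decode passes "%2e%2e", and the second decode then turns it into "../". The hardened variant decodes exactly once and validates the result, rejecting any "%" that survives as a sign of nested encoding. The request strings and the boot.ini target are constructed for the demonstration; the separator handling covers both "/" and "\" because the advisory notes the issue is specific to Windows NT/2000.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes exactly once. Returns the decoded length, or -1 when an
 * escape is malformed or the output does not fit. */
int url_decode_once(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        if (n + 1 >= cap) return -1;
        if (*in == '%') {
            int h = hexval((unsigned char)in[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)in[2]);
            if (h < 0 || l < 0) return -1;
            out[n++] = (char)(h * 16 + l);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* True if any path segment is "..". Both separators count: on Windows the
 * file system accepts "\" as well as "/". */
int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return 1;
        if (*p) p++;
    }
    return 0;
}

/* Vulnerable pattern: validate after the first decode, then decode again
 * before using the path. "%252e%252e%2f" becomes "%2e%2e/" (check passes)
 * and then "../" (check never sees it). Returns 0 with the final path in
 * out, -2 if the traversal check fired, -1 on malformed input. */
int resolve_help_unsafe(const char *raw, char *out, size_t cap)
{
    char once[256];
    if (url_decode_once(raw, once, sizeof once) < 0) return -1;
    if (has_dotdot(once)) return -2;
    if (url_decode_once(once, out, cap) < 0) return -1;
    return 0;
}

/* Fixed pattern: decode once, validate the decoded result, and treat a
 * surviving '%' as nested encoding and reject it outright. */
int resolve_help_safe(const char *raw, char *out, size_t cap)
{
    if (url_decode_once(raw, out, cap) < 0) return -1;
    if (has_dotdot(out) || strchr(out, '%')) return -2;
    return 0;
}

int main(void)
{
    /* constructed attacker request: every '.' and '/' is encoded twice */
    const char *raw = "%252e%252e%2f%252e%252e%2fboot.ini";
    char out[256];

    if (resolve_help_unsafe(raw, out, sizeof out) == 0)
        printf("unsafe resolver would open: %s\n", out);
    printf("safe resolver rc=%d\n", resolve_help_safe(raw, out, sizeof out));
    return 0;
}
```

The general rule this demonstrates is to decode an input exactly as many times as the protocol specifies (once, for URL paths) and to run every validation on the fully decoded, canonical form; a check placed between two decoding passes can always be bypassed by one extra layer of encoding.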
SOLUTION
Patch available at :
http://metalink.oracle.com
In addition to applying the patch it is suggested that the default
"/admin_" path be changed to something else. To do this edit the
wdbsvr.app file located in the $ORACLE_HOME$\Apache\modplsql\cfg
directory and change the "adminPath" entry.