13th Jun 2002 [SBWID-5427]
COMMAND
Oracle TNS Listener buffer overflow
SYSTEMS AFFECTED
Windows and VM running all versions of Oracle 9i Database
PROBLEM
In NGSSoftware Insight Security Research Advisory
[http://www.ngssoftware.com/]:
The Oracle Net Listener contains a remotely exploitable buffer overrun
vulnerability that can allow an attacker to gain complete control of a
machine running the Oracle 9i Database.
The Listener 'listens' on TCP port 1521 for client requests to use the
database. On receiving a request the client is passed off to an
instance of the database. The request, packaged in a valid TNS packet,
is of the form:
(DESCRIPTION=(ADDRESS=
(PROTOCOL=TCP)(HOST=x.x.x.x)
(PORT=1521))(CONNECT_DATA=
(SERVICE_NAME=myorcl.ngssoftware.com)
(CID=
(PROGRAM=X:\ORACLE\iSuites\BIN\SQLPLUSW.EXE)
(HOST=foo)(USER=bar))))
By supplying an overly long SERVICE_NAME parameter, when forming an
error message to be written to the log file, a saved return address on
the stack is overwritten, thus gaining control over the process's
execution. Any code supplied by the attacker will run, by default, in
the context of the Local SYSTEM account on Windows platforms and as
such is a high risk vulnerability. Because the overflow occurs before
the error message is actually written to the log file it may be
difficult to detect if an attack has occurred. Customers are advised to
patch this as soon as is possible.
SOLUTION
Oracle have now released patches which are available from the Metalink
site. The patch number is 2367681.
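Since the advisory notes that the listener log may not show an attempt, one place to look is the connect descriptor itself, for example in captured traffic. The following is an added example, not code from NGSSoftware or Oracle: it parses descriptor text that has already been extracted from the TNS packet and flags an oversized SERVICE_NAME. The function names and the 128-character limit are assumptions.

```python
# Assumed site limit (not from the advisory) for a legitimate SERVICE_NAME length.
MAX_SERVICE_NAME_LEN = 128

# Constructed sample, modelled on the connect descriptor shown in the advisory.
SAMPLE = (r"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=x.x.x.x)(PORT=1521))"
          r"(CONNECT_DATA=(SERVICE_NAME=myorcl.ngssoftware.com)"
          r"(CID=(PROGRAM=X:\ORACLE\iSuites\BIN\SQLPLUSW.EXE)(HOST=foo)(USER=bar))))")

def leaves(descriptor):
    """Return [(path, value)] for each leaf; raise ValueError if malformed."""
    out, stack, pos, n = [], [], 0, len(descriptor)
    while pos < n:
        ch = descriptor[pos]
        if ch == "(":
            eq = descriptor.find("=", pos)
            key = descriptor[pos + 1:eq].strip().upper() if eq > 0 else ""
            if not key or "(" in key or ")" in key:
                raise ValueError(f"malformed key at offset {pos}")
            stack.append(key)
            pos = end = eq + 1
            while end < n and descriptor[end] not in "()":
                end += 1  # a leaf value runs to the next parenthesis
            value = descriptor[pos:end]
            # Keep text that precedes a nested group too, so it cannot hide.
            if value.strip() or (end < n and descriptor[end] == ")"):
                out.append(("/".join(stack), value))
            pos = end
        elif ch == ")":
            if not stack:
                raise ValueError(f"unbalanced ')' at offset {pos}")
            stack.pop()
            pos += 1
        elif ch.isspace():
            pos += 1
        else:
            raise ValueError(f"unexpected {ch!r} at offset {pos}")
    if stack:
        raise ValueError("descriptor ends inside " + "/".join(stack))
    return out

def check_connect_data(descriptor, limit=MAX_SERVICE_NAME_LEN):
    """Return findings for a connect descriptor; an empty list means it passed."""
    try:
        pairs = leaves(descriptor)
    except ValueError as exc:
        return [f"malformed descriptor: {exc}"]  # truncated input is reported
    return [f"{p}: {len(v)} characters exceeds limit {limit}" for p, v in pairs
            if p.rsplit("/", 1)[-1] == "SERVICE_NAME" and len(v) > limit]
```

check_connect_data(SAMPLE) returns an empty list; a descriptor whose SERVICE_NAME exceeds the limit, or that is cut off mid-value, returns one finding.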