SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#496340

Oracle command-line program buffer overflow in argument handling

Overview

A buffer overflow in some command-line utilities supplied with the Oracle Database Server could allow a local user to gain the privileges of the oracle system user.

I. Description

The Oracle 9i Database Server package includes the oracle and oracleO command-line client programs to connect to systems running the database server. These commands are the same underlying program, but take different actions based on which one is invoked (argv[0]). A buffer overflow flaw has been discovered in the way these programs process their first argument (argv[1]). An overly long string supplied in this argument may allow an attacker to run code of their own chosing in the context of the oracle system user.

This vulnerability is reported to affect the Oracle 9i product on all UNIX and Linux system platforms that Oracle supports. It was originally reported that this vulnerability affected the Oracle 8i product, but Oracle has since reported that this product is not vulnerable.

The CERT/CC is aware of publicly available exploit scripts for this vulnerability.

II. Impact

An attacker with local access to the system on which the Oracle system is installed may be able to execute arbitrary code with the privileges of the oracle user and the dba group. This allows the attacker to take any action that the database administrator is authorized to take. Attackers may be able to gain additional system privileges, depending on how the system is configured.

III. Solution

Apply a patch from the vendor


In response to this issue, Oracle has released Oracle Security Alert #59 that includes information about patches. Please see the vendors section of this document for more details.
Workarounds

Sites may wish to consider removing the execute permissions for users not in the dba group from the oracle and oracleO programs as follows:

    # cd $ORACLE_HOME/bin
    # chmod o-x oracle oracleO

Some side effects of this workaround are discussed in Oracle Security Alert #59, which addresses this vulnerability.

Systems Affected
VendorStatusDate NotifiedDate Updated
Oracle CorporationVulnerable3-Nov-2003

References


http://otn.oracle.com/deploy/security/pdf/2003Alert59.pdf
http://www.secunia.com/advisories/10043/
http://securitytracker.com/alerts/2003/Oct/1007956.html
http://xforce.iss.net/xforce/xfdb/13451

Credit

Thanks to Oracle Security Advisory for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:2003-10-20
Date First Published:2003-11-05
Date Last Updated:2003-11-05
CERT Advisory: 
CVE-ID(s):CAN-2003-0894
NVD-ID(s):CAN-2003-0894
US-CERT Technical Alerts: 
Metric:16.03
Document Revision:20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader