From: Rapid 7 Security Advisories <advisory@rapid7.com>
To: bugtraq@securityfocus.com
Date: Wed, 9 Oct 2002 12:07:50 -0700
Subject: R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

_______________________________________________________________________

Rapid 7, Inc. Security Advisory

Visit http://www.rapid7.com/ to download NeXpose(tm), our advanced
vulnerability scanner. Linux and Windows 2000 versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0006
Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

Published: October 9, 2002
Revision: 1.0
http://www.rapid7.com/advisories/R7-0006.txt

Oracle: Oracle Security Alert #42
http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

CVE: CAN-2002-1118
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1118

Bugtraq: 5678
http://online.securityfocus.com/bid/5678

1. Affected system(s):

KNOWN VULNERABLE:
o Oracle 9i Release 2 (9.2.x)
o Oracle 9i Release 1 (9.0.x)
o Oracle 8i (8.1.x)

Apparently NOT VULNERABLE:
o Oracle 8.0.x (but see below)

2. Summary

The Oracle TNS Listener is susceptible to a denial of service attack
when issued the SERVICE_CURLOAD command.

3. Vendor status and information

Oracle, Inc.
http://www.oracle.com

Oracle was notified of this vulnerability and has made patches
available. This issue is being tracked as bug #2540219 in the Oracle
bug database.

4. Solution

Download and apply the vendor-supplied patches. Please see Oracle
Security Alert #42 for more information:

http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

Please note that patches for some versions and platforms are not yet
available.

5. Detailed analysis

Connecting to the Oracle TNS listener (usually on port 1521) and issuing
the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))" causes the Oracle
server to respond with a message indicating successful execution.
However, once the caller closes the connection, the listener service
stops responding.

The effects of this DoS vary depending on how long the attacker keeps
the original connection open. If the caller keeps the listener
connection open while new connections are serviced, the listener
service will be disabled and may crash with an access violation. If the
caller closes the listener connection before other requests are
serviced, the listener service will refuse to accept new connections.

We were unable to reproduce this issue on Oracle 8.0.6. Version 8.0.6 of
Oracle logs a result of 0 (success) in listener.log. However, the
response to the caller contains error code 12629260, which appears to be
a non-standard error code. This may also be the result of an exceptional
condition, but we were unable to crash or disable the listener in our
testing.

6. Contact Information

Rapid 7 Security Advisories
Email: advisory@rapid7.com
Web: http://www.rapid7.com/
Phone: +1 (212) 558-8700

7. Disclaimer and Copyright

Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to
the professional security community. There are NO WARRANTIES with regard
to this information. Any application or distribution of this information
constitutes acceptance AS IS, at the user's own risk. This information
is subject to change without notice.

This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is hereby
granted to redistribute this advisory, providing that no changes are
made and that the copyright notices and disclaimers remain intact.
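Because the listener records each request it services, administrators can check listener.log for SERVICE_CURLOAD requests that preceded an outage. The following detector is an added example and not part of the Rapid7 advisory; the nested "(KEY=value)" TNS syntax is real, while the field layout of the sample listener.log lines (timestamp, connect data, command, result separated by " * ") and the log lines themselves are constructed assumptions.

```python
# Added example, not from the advisory. TNS "(KEY=value)" nesting is the real syntax;
# the listener.log field layout "TIMESTAMP * CONNECT_DATA * COMMAND * RESULT" is assumed.

def parse_nv(text, pos=0):
    """Parse one TNS node '(NAME=value)' at text[pos]; value is a str or list of child nodes."""
    end = text.index("=", pos)
    name, pos = text[pos + 1:end], end + 1
    if text[pos] == "(":                      # nested nodes: recurse until the closing ')'
        value = []
        while text[pos] == "(":
            child_name, child_value, pos = parse_nv(text, pos)
            value.append((child_name, child_value))
    else:                                     # scalar value runs to the next ')'
        close = text.index(")", pos)
        value, pos = text[pos:close], close
    return name, value, pos + 1               # skip the ')' closing this node

def find_key(node, key):
    """Depth-first lookup of KEY in a parsed tree; returns its string value or None."""
    name, value = node
    if name == key and isinstance(value, str):
        return value
    for child in (value if isinstance(value, list) else []):
        hit = find_key(child, key)
        if hit is not None:
            return hit
    return None

def flag_curload(log_lines):
    """Return (timestamp, client host, result code) for every SERVICE_CURLOAD request."""
    hits = []
    for line in log_lines:
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) < 3 or not fields[1].startswith("("):
            continue                          # not a connect-data entry
        tree = parse_nv(fields[1])[:2]
        if find_key(tree, "COMMAND") == "SERVICE_CURLOAD":
            hits.append((fields[0], find_key(tree, "HOST"), fields[-1]))
    return hits

# Constructed sample lines; the second mirrors the result code of 0 the advisory notes for 8.0.6.
SAMPLE_LOG = [
    "09-OCT-2002 12:01:03 * (CONNECT_DATA=(CID=(PROGRAM=lsnrctl)(HOST=db01)(USER=oracle))(COMMAND=status)) * status * 0",
    "09-OCT-2002 12:05:41 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.99)(USER=nobody))(COMMAND=SERVICE_CURLOAD)) * SERVICE_CURLOAD * 0",
    "09-OCT-2002 12:06:12 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app02)(USER=app))) * establish * orcl * 0",
]
if __name__ == "__main__":
    for ts, host, result in flag_curload(SAMPLE_LOG):
        print(f"{ts}: SERVICE_CURLOAD from {host} (listener result {result})")
```

A result of 0 on such a line does not mean the request was harmless, since the advisory notes that 8.0.6 logs success even though the caller receives a non-standard error.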