Title: Oracle 8i TNS Listener Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
Oracle 8i ships with a component called TNS Listener. TNS Listener is used to arbitrate communication between remote database clients/applications and the database server.
There exists a remotely exploitable buffer overflow in TNS Listener. The vulnerability exists in the handling of certain administrative commands which can be sent to the listener by clients.
A number of these commands can be issued to the listener before authentication. Some of these commands are:
"USER", "VERSION", and "SERVICES"
When the listener receives one of these commands with an argument of excessive length (several thousand bytes), an unbounded memory copy overflows a fixed-size stack buffer.
Because a function stack frame gets overwritten with this client-supplied data, an attacker can force the execution of arbitrary code. This would be accomplished by replacing the return address of the affected function with a value pointing to the attacker-supplied instructions (or 'shellcode').
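The root cause described above is an argument copied into a fixed-size stack buffer without a length check. The following C program is an added illustration, not Oracle's listener code: it shows a hardened command handler that measures the argument before copying it and rejects anything longer than the buffer, plus a small screening routine a defender could run over captured listener command lines to flag oversized arguments. The command names come from the advisory; MAX_ARG_LEN, the 16-byte command buffer, and the sample lines are constructed assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limits for illustration; the real listener's buffer sizes are not on the page. */
#define MAX_ARG_LEN 256

enum cmd_status { CMD_OK = 0, CMD_UNKNOWN = 1, CMD_ARG_TOO_LONG = 2, CMD_MALFORMED = 3 };

/* Commands the advisory lists as accepted before authentication. */
static const char *pre_auth_cmds[] = { "USER", "VERSION", "SERVICES" };

static int is_pre_auth_cmd(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof pre_auth_cmds / sizeof pre_auth_cmds[0]; i++)
        if (strcmp(name, pre_auth_cmds[i]) == 0)
            return 1;
    return 0;
}

/* Hardened handler: parses "<COMMAND> <argument>" into fixed-size stack buffers.
 * The defect the advisory describes is an unbounded copy into a buffer like arg[];
 * here the length is checked first, so client data can never exceed the buffer. */
enum cmd_status handle_admin_command(const char *line, size_t *arg_len_out)
{
    char cmd[16];
    char arg[MAX_ARG_LEN + 1];
    const char *p = line;
    size_t n = 0;

    /* Command token: reject anything that would not fit in cmd[]. */
    while (p[n] && !isspace((unsigned char)p[n]))
        n++;
    if (n == 0 || n >= sizeof cmd)
        return CMD_MALFORMED;
    memcpy(cmd, p, n);
    cmd[n] = '\0';
    if (!is_pre_auth_cmd(cmd))
        return CMD_UNKNOWN;

    p += n;
    while (*p && isspace((unsigned char)*p))
        p++;

    /* Argument: measure BEFORE copying. This is the missing bounds check. */
    n = strlen(p);
    while (n > 0 && (p[n - 1] == '\n' || p[n - 1] == '\r'))
        n--;
    if (n > MAX_ARG_LEN)
        return CMD_ARG_TOO_LONG;
    memcpy(arg, p, n);
    arg[n] = '\0';
    if (arg_len_out)
        *arg_len_out = n;
    return CMD_OK;
}

/* Screening helper for captured command lines: count those whose argument
 * would have overflowed a MAX_ARG_LEN buffer. */
size_t count_oversized(const char *const *lines, size_t nlines)
{
    size_t i, hits = 0;
    for (i = 0; i < nlines; i++)
        if (handle_admin_command(lines[i], NULL) == CMD_ARG_TOO_LONG)
            hits++;
    return hits;
}

/* Constructed sample: two benign lines and one USER command with a 3000-byte argument. */
size_t sample_flag_count(void)
{
    static char big[3100];
    const char *lines[3];
    memcpy(big, "USER ", 5);
    memset(big + 5, 'A', 3000);
    big[3005] = '\0';
    lines[0] = "VERSION 8.1.7\n";
    lines[1] = "SERVICES\n";
    lines[2] = big;
    return count_oversized(lines, 3);
}

int main(void)
{
    printf("oversized pre-auth commands in sample: %zu\n", sample_flag_count());
    return 0;
}
```

Running the program reports one flagged line out of three. The same length-before-copy discipline applies to any protocol parser that stages client data on the stack; the screening routine is only a heuristic, since a legitimate client never sends multi-kilobyte arguments to these commands but a short malformed packet would not be caught.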
On Windows 2000/NT4 systems, TNS Listener runs with 'LocalSystem' privileges. These are equivalent to administrative privileges, and any attacker able to exploit this vulnerability on such a system would gain full control over it.
On Unix systems, Oracle processes such as the listener run as their own userid. Exploitation of this vulnerability on these systems would provide an attacker with local access to the victim host. It is significantly easier for attackers to compromise the entire system with local access.
Note: Versions 8.1.5, 8.1.6, and 8.1.7 are confirmed as being vulnerable. Previous versions are likely vulnerable as well.
Affected Products:
- Oracle Oracle8i Standard Edition 8.1.5
- Oracle Oracle8i Standard Edition 8.1.6
- Oracle Oracle8i Standard Edition 8.1.7
References:
- CORE Security: OracleDB TNS commands overflow exploit
- Oracle: Buffer Overflow in the Oracle8i Listener
- Oracle: Oracle Support Metalink
- Oracle: Oracle Support Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.