__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Center
               ___  __ __    _     ___
              /       |     /_\   /
              \___  __|__  /   \  \___
__________________________________________________________

                          INFORMATION BULLETIN

      Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module
    [NGSSoftware Insight Security Research Advisory - NISR06022002B]

February 7, 2002 18:00 GMT                                        Number M-037
______________________________________________________________________________
PROBLEM:       There are multiple buffer overflows in the PL/SQL module for
               Oracle Application Server running on Apache web servers that
               allow the execution of arbitrary code.

PLATFORM:      Oracle 9iAS running on:
                 Sun SPARC Solaris 2.6
                 MS Windows NT/2000 Server
                 HP-UX 11.0/32-bit

DAMAGE:        An unauthenticated remote attacker may cause a denial of
               service or execute arbitrary code on the system with the
               privileges of the Apache process. The Apache service typically
               runs with SYSTEM privileges on Windows NT and Windows 2000, so
               if exploited the attacker may gain complete control of the
               system.

SOLUTION:      Apply the patch as indicated below. The patch can be
               downloaded from the Metalink site (http://metalink.oracle.com).
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Exploiting these vulnerabilities may allow an
ASSESSMENT:    attacker complete control of the system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-037.shtml
 ORIGINAL BULLETIN:  http://www.nextgenss.com/advisories/plsql.txt
 PATCHES:            http://metalink.oracle.com
______________________________________________________________________________

[***** Start NGSSoftware Insight Security Research Advisory - NISR06022002B *****]

NGSSoftware Insight Security Research Advisory

Name:             Oracle PL/SQL Apache Module
Systems Affected: Oracle 9iAS
Platforms:        Sun SPARC Solaris 2.6
                  MS Windows NT/2000 Server
                  HP-UX 11.0/32-bit
Severity:         High Risk
Vendor URL:       http://www.oracle.com/
Author:           David Litchfield (david@nextgenss.com)
Date:             6th February 2002
Advisory number:  #NISR06022002B
Advisory URL:     http://www.nextgenss.com/advisories/oramodplsbos.txt

Issue
*****
There are multiple buffer overflows in the PL/SQL module for Oracle
Application Server running on Apache web servers that allow the execution of
arbitrary code. A non-overflow DoS also exists.

Description
***********
The web service with Oracle 9iAS is powered by Apache and provides many
application environments with which to offer services from the site. These
include SOAP, PL/SQL, XSQL and JSP. There are multiple buffer overrun
vulnerabilities in the PL/SQL Apache module that allow the execution of
arbitrary code.

Details
*******
The PL/SQL module exists to allow remote users to call procedures exported by
a PL/SQL package stored in the database server. This module can be overflowed
by:

  making an overly long request to the plsql module;
  an overly long password set in the Authorization HTTP client header;
  an overly long cache directory name in the cache form;
  setting an overly long password in the adddad form.

Some of these attacks require that the attacker know the name of the
adminPath, whereas others do not. All allow the execution of arbitrary code.
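The request shapes listed above are what a defender would want to spot in traffic reaching the PL/SQL gateway, whether at a reverse proxy, an IDS or during log triage. The Python below is an added example, not code from the CIAC bulletin or from the NGSSoftware advisory: it parses one raw HTTP request and flags an overly long request target, an oversized Basic-auth password, an Authorization header that carries no auth type (the condition the advisory reports as making the server access violate), and overly long form fields on POSTs to the gateway. Everything not named in the advisory is a constructed assumption: the "/pls/" path, the ADMINPATH-PLACEHOLDER segment, the field names in the sample POST, the two length thresholds and the sample requests. The advisory names the cache and adddad forms but not their parameter names, so the form check is applied to every field rather than to specific ones.

```python
"""Flag request shapes described in the Oracle 9iAS PL/SQL module advisory.

Added example, not code from the CIAC bulletin or the NGSSoftware advisory.
Constructed assumptions: the gateway is reached under a path containing
"/pls/", form bodies are application/x-www-form-urlencoded, and "overly long"
is modelled by the two thresholds below.
"""
import base64
import binascii
from urllib.parse import parse_qsl

MAX_FIELD_LEN = 512     # constructed: longest password / form value treated as normal
MAX_TARGET_LEN = 2048   # constructed: longest request target treated as normal
KNOWN_SCHEMES = ("basic", "digest")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    method = parts[0].decode("latin-1")
    target = parts[1].decode("latin-1") if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method, target, headers, body


def check_authorization(value: str):
    """Findings for one Authorization header value."""
    parts = value.split(None, 1)
    if len(parts) < 2:
        if parts and parts[0].lower() in KNOWN_SCHEMES:
            return ["authorization-missing-credentials"]
        # Credentials with no auth type: the crash condition the advisory reports.
        return ["authorization-header-without-auth-type"]
    scheme, credential = parts
    if scheme.lower() != "basic":
        return []
    try:
        decoded = base64.b64decode(credential, validate=True)
    except (binascii.Error, ValueError):
        return ["authorization-basic-not-base64"]
    _user, _, password = decoded.partition(b":")
    return ["authorization-basic-password-too-long"] if len(password) > MAX_FIELD_LEN else []


def inspect_request(raw: bytes):
    """Return finding labels for one raw request; an empty list means nothing flagged."""
    method, target, headers, body = parse_request(raw)
    if "/pls/" not in target.lower():
        return []                      # only the PL/SQL gateway is in scope
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append("request-target-too-long")
    if "authorization" in headers:
        findings.extend(check_authorization(headers["authorization"]))
    # The advisory does not name the cache / adddad parameters, so every field is checked.
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        for name, val in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if len(val) > MAX_FIELD_LEN:
                findings.append("form-field-too-long:" + name)
    return findings


def _request(method, target, headers, body=b""):
    """Assemble constructed sample traffic from parts."""
    head = [f"{method} {target} HTTP/1.0", "Host: ias.example.test"] + headers
    if body:
        head.append("Content-Length: %d" % len(body))
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


# Constructed samples; ADMINPATH-PLACEHOLDER stands for the site's real adminPath.
SAMPLES = {
    "benign": _request("GET", "/pls/portal/sample.hello",
                       ["Authorization: Basic " + base64.b64encode(b"scott:tiger").decode()]),
    "no_auth_type": _request("GET", "/pls/portal/sample.hello",
                             ["Authorization: " + base64.b64encode(b"scott:tiger").decode()]),
    "long_password": _request("GET", "/pls/portal/sample.hello",
                              ["Authorization: Basic "
                               + base64.b64encode(b"scott:" + b"A" * 1000).decode()]),
    "long_target": _request("GET", "/pls/portal/" + "A" * 3000, []),
    "long_form_field": _request("POST", "/pls/ADMINPATH-PLACEHOLDER/adddad",
                                ["Content-Type: application/x-www-form-urlencoded"],
                                b"password=" + b"A" * 800 + b"&schema=scott"),
    "not_gateway": _request("GET", "/index.html", ["Authorization: nothing"]),
}


def scan_samples():
    """Run every constructed sample through the inspector."""
    return {name: inspect_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:16} {found or 'ok'}")
```

The thresholds are deliberately generous so legitimate gateway traffic is not flagged; tune them against observed requests before alerting on them. Detection of this kind only buys time for triage and restart: the fix the bulletin points to is the Oracle patch.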
On Windows NT/2000 systems the Oracle Apache web server by default runs in the
context of the local SYSTEM account, so any code will run with full privileges.

A further problem also exists whereby a request made to the pls module with an
HTTP client Authorization header set but with no auth type will cause the
server to access violate. The server needs to be restarted after an attack.

Fix Information
***************
NGSSoftware alerted Oracle to these problems between December 2001 and early
January 2002. Oracle has produced a patch to fix these problems, which can be
downloaded from the Metalink site (http://metalink.oracle.com).

[***** End NGSSoftware Insight Security Research Advisory - NISR06022002B *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of NGSSoftware Company for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is
also a founding member of FIRST, the Forum of Incident Response and Security
Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-028: hplx-sendmail Vulnerability
M-029: Red Hat glibc Vulnerability
CIACTech02-001: Understanding the SSH CRC32 Exploit
M-030: Multiple Remote Windows XP/ME/98 Universal Plug and Play Vulnerabilities
M-031: Buffer Overflow in System V Derived Login
M-032: HP-UX Security Vulnerability with wu-ftpd 2.6
M-033: Snort IDS Denial of Service Vulnerability
M-034: Window File Wiping Utilities Miss Alternate Data Streams
M-035: Red Hat Linux "rsync" Vulnerability
M-036: Microsoft Windows NT/2000 Trust Domain Vulnerability