Buffer Overflow Flaw in Oracle9i Component
- By Scott Bekker
- November 13, 2002
Security researcher David Litchfield found a high-risk buffer overflow vulnerability in a software component that ships with the Oracle 9i database on all platforms.
Oracle has a patch available at its Oracle Metalink site (metalink.oracle.com) under issue number 2581911.
The affected component is called Oracle iSQL*Plus. It is a Web-based application allowing users to query the database. Installed with the Oracle 9i database server, iSQL*Plus runs on Apache.
The buffer overrun occurs at the default log-in screen. By supplying an overly long user ID parameter, a user can overrun a buffer and potentially run arbitrary code in the context of the Web server. On Windows systems, that security context is the System user.
Compromising the Web server can give attackers a platform to launch attacks against the database server, according to a bulletin from Litchfield's company, Next Generation Security Software, Ltd.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.