Oracle PL/SQL Apache Module

February 6th, 2002

NGSSoftware Insight Security Research Advisory

Name:               Oracle PL/SQL Apache Module
Systems Affected:   Oracle 9iAS
Platforms:          Sun SPARC Solaris 2.6
                    MS Windows NT/2000 Server
                    HP-UX 11.0/32-bit
Severity:           High Risk
Vendor URL:         http://www.oracle.com/
Author:             David Litchfield (david@nextgenss.com)
Date:               6th February 2002
Advisory number:    #NISR06022002B
Advisory URL:       http://www.nextgenss.com/advisories/oramodplsbos.txt

Issue
*****

There are multiple buffer overflows in the PL/SQL module for Oracle Application Server running on Apache web servers that allow the execution of arbitrary code. A non-overflow DoS also exists.

Description
***********

The web service with Oracle 9iAS is powered by Apache and provides many application environments with which to offer services from the site. These include SOAP, PL/SQL, XSQL and JSP. There are multiple buffer overrun vulnerabilities in the PL/SQL Apache module that allow the execution of arbitrary code.

Details
*******

The PL/SQL module exists to allow remote users to call procedures exported by a PL/SQL package stored in the database server. This module can be overflowed by:

  - making an overly long request to the plsql module;
  - setting an overly long password in the Authorization HTTP client header;
  - setting an overly long cache directory name in the cache form;
  - setting an overly long password in the adddad form.

Some of these attacks require that the attacker know the name of the adminPath, whereas others do not. All allow the execution of arbitrary code. On Windows NT/2000 systems the Oracle Apache web server runs by default in the context of the local SYSTEM account, so any code will run with full privileges.

A further problem also exists whereby a request made to the pls module with an HTTP client Authorization header set, but with no auth type, will cause an access violation in the server. The server needs to be restarted after an attack.
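Added example, not part of the NGSSoftware advisory: a Python check that a log processor or front-end filter could apply to flag three of the request shapes described above (an overly long request to the module, an overly long Authorization password, and an Authorization header with no auth type). The /pls/ mount prefix, the length thresholds, the finding names and the sample requests are assumptions made for illustration.

```python
import base64
import binascii
# Assumptions, not from the advisory: the module is mounted under /pls/ and
# the two length limits are illustrative thresholds to tune per deployment.
PLSQL_PREFIX = "/pls/"
MAX_PATH_LEN = 512
MAX_PASSWORD_LEN = 128

def check_request(path, headers):
    """Return findings for one parsed request (path string, header dict)."""
    if not path.startswith(PLSQL_PREFIX):
        return []
    findings = []
    if len(path) > MAX_PATH_LEN:
        findings.append("overlong-request")
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return findings
    scheme, _, credentials = auth.strip().partition(" ")
    credentials = credentials.strip()
    if not credentials:
        # Header is set but carries no "<type> <credentials>" pair.
        return findings + ["authorization-without-type"]
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True)
        except (binascii.Error, ValueError):
            return findings + ["undecodable-basic-credentials"]
        _user, _sep, password = decoded.partition(b":")
        if len(password) > MAX_PASSWORD_LEN:
            findings.append("overlong-password")
    return findings

def _basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("/pls/app/pkg.proc", {"Authorization": _basic("user", "secret")}),
    ("/pls/" + "a" * 600, {}),
    ("/pls/app/pkg.proc", {"authorization": _basic("user", "p" * 300)}),
    ("/pls/app/pkg.proc", {"Authorization": "dXNlcjpzZWNyZXQ="}),
    ("/index.html", {"Authorization": ""}),
]

def scan(requests):
    return [check_request(path, headers) for path, headers in requests]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

A check like this is a stopgap for spotting or rejecting suspect requests; the fix remains the vendor patch.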

Fix Information
***************

NGSSoftware alerted Oracle to these problems between December 2001 and early January 2002. Oracle has produced a patch to fix these problems, which can be downloaded from the Metalink site (http://metalink.oracle.com).
