CVE-2003-0096
CVSS 9.0
Published: 2003-03-03 00:00:00
Revised: 2016-10-17 22:29:27

[Original] Multiple buffer overflows in Oracle 9i Database release 2, Release 1, 8i, 8.1.7, and 8.0.6 allow remote attackers to execute arbitrary code via (1) a long conversion string argument to the TO_TIMESTAMP_TZ function, (2) a long time zone argument to the TZ_OFFSET function, or (3) a long DIRECTORY parameter to the BFILENAME function.


[CNNVD] Oracle Database Server BFILENAME function remote buffer overflow vulnerability (CNNVD-200303-016)

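Oracle Database is a large commercial database system.
The BFILENAME function in Oracle Database lacks proper buffer bounds checking when it processes the DIRECTORY parameter. A remote attacker can exploit this flaw to carry out a buffer overflow attack against the database, possibly executing arbitrary instructions on the system with the privileges of the Oracle process.
The bfilename() function returns a pointer to a binary large object. bfilename() suffers a buffer overflow when the user supplies an overly long DIRECTORY parameter. To exploit this flaw, however, an attacker must first log in to the database server, which requires a valid user ID and password. Because the bfilename() function is executable by PUBLIC by default, any user who submits a carefully crafted DIRECTORY parameter can cause arbitrary instructions to be executed with the privileges of the Oracle process; on Windows systems this yields Local System privileges.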

- CVSS (base score)

CVSS score: 9 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:oracle:oracle8i:8.1.7.1
cpe:/a:oracle:oracle9i:9.0.2
cpe:/a:oracle:database_server:9.2.2 (Oracle Database Server 9.2.2)
cpe:/a:oracle:oracle9i:9.0.1
cpe:/a:oracle:oracle9i:9.0.1.2
cpe:/a:oracle:oracle9i:9.0.1.3
cpe:/a:oracle:oracle9i:9.0
cpe:/a:oracle:database_server:8.0.6 (Oracle Database Server 8.0.6)
cpe:/a:oracle:database_server:9.2.1 (Oracle Database Server 9.2.1)
cpe:/a:oracle:oracle8i:8.1.7

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0096
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0096
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-016
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0073.html
(UNKNOWN)  VULNWATCH  20030217 Oracle unauthenticated remote system compromise (#NISR16022003a)
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0075.html
(UNKNOWN)  VULNWATCH  20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0083.html
(UNKNOWN)  VULNWATCH  20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)
http://marc.info/?l=bugtraq&m=104549743326864&w=2
(UNKNOWN)  BUGTRAQ  20030217 Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b)
http://marc.info/?l=bugtraq&m=104549782327321&w=2
(UNKNOWN)  BUGTRAQ  20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c)
http://marc.info/?l=bugtraq&m=104550346303295&w=2
(UNKNOWN)  BUGTRAQ  20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e)
http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
(UNKNOWN)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf
http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
(UNKNOWN)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf
http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
(UNKNOWN)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf
http://www.cert.org/advisories/CA-2003-05.html
(UNKNOWN)  CERT  CA-2003-05
http://www.ciac.org/ciac/bulletins/n-046.shtml
(UNKNOWN)  CIAC  N-046
http://www.iss.net/security_center/static/11325.php
(UNKNOWN)  XF  oracle-bfilename-directory-bo(11325)
http://www.iss.net/security_center/static/11326.php
(UNKNOWN)  XF  oracle-tzoffset-bo(11326)
http://www.iss.net/security_center/static/11327.php
(VENDOR_ADVISORY)  XF  oracle-totimestamptz-bo(11327)
http://www.kb.cert.org/vuls/id/663786
(UNKNOWN)  CERT-VN  VU#663786
http://www.kb.cert.org/vuls/id/743954
(UNKNOWN)  CERT-VN  VU#743954
http://www.kb.cert.org/vuls/id/840666
(VENDOR_ADVISORY)  CERT-VN  VU#840666
http://www.nextgenss.com/advisories/ora-bfilebo.txt
(UNKNOWN)  MISC  http://www.nextgenss.com/advisories/ora-bfilebo.txt
http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
(UNKNOWN)  MISC  http://www.nextgenss.com/advisories/ora-tmstmpbo.txt
http://www.nextgenss.com/advisories/ora-tzofstbo.txt
(UNKNOWN)  MISC  http://www.nextgenss.com/advisories/ora-tzofstbo.txt
http://www.securityfocus.com/bid/6847
(UNKNOWN)  BID  6847
http://www.securityfocus.com/bid/6848
(UNKNOWN)  BID  6848
http://www.securityfocus.com/bid/6850
(UNKNOWN)  BID  6850

- Vulnerability information

Oracle Database Server BFILENAME function remote buffer overflow vulnerability
High risk  Unknown
2003-03-03 00:00:00 2005-10-20 00:00:00
Remote

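- Advisories and patches

Vendor patch:
Oracle
------
The vendor has released an upgrade patch that fixes this security issue. Administrators can download the patch from the following address by entering Bug Number 2642117:

http://metalink.oracle.com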

- Vulnerability information

6320
Oracle TO_TIMESTAMP_TZ Function Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in Oracle Database Server. The TO_TIMESTAMP_TZ function fails to perform proper bounds checking resulting in a buffer overflow. By providing an overly long argument to the TO_TIMESTAMP_TZ function, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2003-02-16 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

- Related references

- Vulnerability author
