CVE-2003-0222
CVSS 9.0
Published: 2003-05-12 00:00:00
Revised: 2016-10-17 22:30:55

[Original] Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter.


[CNNVD] Oracle Database Link Remote Buffer Overflow Vulnerability (CNNVD-200305-035)

        
Oracle is an enterprise-class database server with a 54% market share.
Oracle's database link feature does not properly bounds-check a parameter. A remote attacker can exploit this in a classic buffer overflow attack and may execute arbitrary instructions on the system with the privileges of the Oracle process.
Oracle's database link feature allows other database servers to be queried from the current database. An overly long parameter is supplied in the connect string of a 'CREATE DATABASE LINK' query (by default the 'CREATE DATABASE LINK' privilege is granted only for connect use, so in most cases the majority of accounts hold it, even accounts with fewer privileges than SCOTT and ADAMS):
CREATE DATABASE LINK ngss
CONNECT TO hr
IDENTIFIED BY hr
USING 'longstring'
Creating such a database link and then running the following command:
select * from table@ngss
triggers the buffer overflow and overwrites the return address on the stack. Carefully crafted data can lead to arbitrary instructions being executed on the system with the privileges of the Oracle process.
The vendor, however, considers remote exploitation unlikely unless the Oracle database is connected directly to the Internet.
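The description above notes that CREATE DATABASE LINK is held by most accounts on the affected releases. The SQL below is an added defender-side audit, not part of the CNNVD record or Oracle's alert: it lists which accounts hold the privilege directly or through a role (one level of role nesting), and flags existing links whose stored connect string (the HOST column of DBA_DB_LINKS) is unusually long. The 512-character threshold is an arbitrary value chosen for this example, not a figure from the advisory; run it as a DBA user.

```sql
-- Added example, not from the CNNVD record or Oracle's alert.
-- Audit of CREATE DATABASE LINK grants and of existing database links
-- with abnormally long connect strings. Run as a DBA user.

-- 1. Accounts granted CREATE DATABASE LINK directly.
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
UNION ALL
-- 2. Accounts that inherit it through a role (one level of nesting only),
--    which is how most accounts on the affected releases end up holding it.
SELECT rp.grantee, 'ROLE ' || rp.granted_role AS via
  FROM dba_role_privs rp
  JOIN role_sys_privs sp
    ON sp.role = rp.granted_role
 WHERE sp.privilege = 'CREATE DATABASE LINK'
 ORDER BY 1, 2;

-- 3. Existing links whose USING clause (stored in HOST) is unusually long.
--    512 is a threshold chosen for this example, not a value from the advisory.
SELECT owner, db_link, username, LENGTH(host) AS host_len, created
  FROM dba_db_links
 WHERE LENGTH(host) > 512
 ORDER BY host_len DESC;
```

The first query tells you how wide the exposure is before the patch is applied; accounts that appear there but have no business creating links are candidates for having the privilege revoked. The second query is a cheap retrospective check for links that were created with an oversized connect string.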
        

- CVSS (base score)

CVSS score: 9 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:oracle:database_server:7.3.3  Oracle Database Server 7.3.3
cpe:/a:oracle:database_server:7.3.4  Oracle Database Server 7.3.4
cpe:/a:oracle:oracle8i:8.0.6.3
cpe:/a:oracle:oracle9i:9.2.0.1
cpe:/a:oracle:oracle9i:9.2.0.2
cpe:/a:oracle:oracle9i:9.0.2
cpe:/a:oracle:oracle9i:9.0.1
cpe:/a:oracle:database_server:8.0.5  Oracle Database Server 8.0.5
cpe:/a:oracle:database_server:8.1.7  Oracle Database Server 8.1.7
cpe:/a:oracle:oracle9i:9.0
cpe:/a:oracle:oracle8i:8.0x
cpe:/a:oracle:database_server:8.0.6  Oracle Database Server 8.0.6
cpe:/a:oracle:database_server:8.1.5  Oracle Database Server 8.1.5
cpe:/a:oracle:database_server:8.0.4  Oracle Database Server 8.0.4
cpe:/a:oracle:database_server:8.1.6  Oracle Database Server 8.1.6
cpe:/a:oracle:oracle8i:8.0.6
cpe:/a:oracle:oracle8i:8.1.5
cpe:/a:oracle:oracle8i:8.1.7.1
cpe:/a:oracle:database_server:9.2.2  Oracle Database Server 9.2.2
cpe:/a:oracle:oracle8i:8.1.6
cpe:/a:oracle:oracle8i:8.1.7.4
cpe:/a:oracle:oracle9i:9.0.1.4
cpe:/a:oracle:database_server:9.2.1  Oracle Database Server 9.2.1
cpe:/a:oracle:oracle8i:8.1x
cpe:/a:oracle:oracle9i:9.0.1.2
cpe:/a:oracle:oracle9i:9.0.1.3
cpe:/a:oracle:database_server:8.0.1  Oracle Database Server 8.0.1
cpe:/a:oracle:database_server:8.0.5.1  Oracle Database Server 8.0.5.1
cpe:/a:oracle:database_server:8.0.2  Oracle Database Server 8.0.2
cpe:/a:oracle:oracle8i:8.1.7
cpe:/a:oracle:database_server:8.0.3  Oracle Database Server 8.0.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0222
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0222
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200305-035
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105162831008176&w=2
(UNKNOWN)  BUGTRAQ  20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003)
http://marc.info/?l=ntbugtraq&m=105163376015735&w=2
(UNKNOWN)  NTBUGTRAQ  20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003)
http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf
(VENDOR_ADVISORY)  CONFIRM  http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf
http://www.ciac.org/ciac/bulletins/n-085.shtml
(UNKNOWN)  CIAC  N-085
http://www.securityfocus.com/bid/7453
(VENDOR_ADVISORY)  BID  7453
http://xforce.iss.net/xforce/xfdb/11885
(UNKNOWN)  XF  oracle-database-link-bo(11885)

- Vulnerability information

Oracle Database Link Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2003-05-12 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Bulletins and patches

Vendor patches:
Oracle
------
Oracle has released a security alert (Oracle SA #54) together with the corresponding patches:
Oracle SA #54: Buffer Overflow in Oracle Net Services for Oracle Database Server
Link:
http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

Patch downloads:
Patch numbers are as follows:
Platform                         9.2.0.2   9.0.1.4        8.1.7.4   8.0.6.3
Sun Solaris (32-bit)             2749511   2760944        2784635   2760879
Sun Solaris (64-bit)             2749511   2760944        2784635   N/A
IBM AIX 4.3.3 and 5L (32-bit)    N/A       N/A            2784635   2760879
IBM AIX 4.3.3 (64-bit)           2749511   2760944        2784635   2760879
IBM AIX Based 5L (64-bit)        2749511   N/A            N/A       N/A
MS Windows NT/2000/XP            2761332   ECD: May 2003  2376472   2845564
HP-UX (32-bit)                   N/A       N/A            2784635   2760879
HP-UX (64-bit)                   2749511   2760944        2784635   2760879
HP Tru64                         2749511   2760944        2784635   2760879
LINUX                            2749511   2760944        2784635   N/A
LINUX 390                        2749511   N/A            N/A       N/A
LINUX IA64                       N/A       N/A            N/A       N/A
INTEL SOLARIS                    N/A       N/A            N/A       N/A
DATA GENERAL                     N/A       N/A            N/A       N/A
UNIXWARE                         N/A       N/A            2784635   N/A
IBM NUMA-Q                       N/A       N/A            2784635   ECD: MAY 2003
SGI-IRIX-64                      N/A       N/A            N/A       N/A
Siemens-64                       N/A       N/A            N/A       N/A
Novell                           N/A       N/A            N/A       N/A
OpenVMS                          N/A       2760944        2784635   N/A
IBM OS/390 (MVS)                 2749511   2760944        N/A       N/A
NEC                              N/A       N/A            N/A       N/A
HP IA64                          N/A       N/A            N/A       N/A
Fujitsu UXP/DS                   N/A       N/A            N/A       2760879
Hitachi RISC Unix                N/A       N/A            N/A       2760879
Customers can log in to the site below and submit the relevant patch number to download and apply the patch:

http://metalink.oracle.com

- Vulnerability information

7736
Oracle Net Services CREATE DATABASE LINK Query Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

- Timeline

2003-04-25 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Oracle Net Services Link Buffer Overflow Vulnerability
Boundary Condition Error 7453
Yes No
2003-04-29 12:00:00 2009-07-11 09:07:00
Discovery of this vulnerability credited to "NGSSoftware Insight Security Research" <nisr@nextgenss.com>.

- Affected program versions

Oracle Oracle9i Standard Edition 9.2.2
Oracle Oracle9i Standard Edition 9.2.1
Oracle Oracle9i Standard Edition 9.2.0.2
Oracle Oracle9i Standard Edition 9.2.0.1
Oracle Oracle9i Standard Edition 9.0.2
Oracle Oracle9i Standard Edition 9.0.1.4
Oracle Oracle9i Standard Edition 9.0.1.3
Oracle Oracle9i Standard Edition 9.0.1.2
Oracle Oracle9i Standard Edition 9.0.1
Oracle Oracle9i Standard Edition 9.0
Oracle Oracle8i Standard Edition 8.1.7.4
Oracle Oracle8i Standard Edition 8.1.7.1
Oracle Oracle8i Standard Edition 8.1.7
Oracle Oracle8i Standard Edition 8.1.6
Oracle Oracle8i Standard Edition 8.1.5
Oracle Oracle8i Standard Edition 8.1.x
Oracle Oracle8i Standard Edition 8.0.6.3
Oracle Oracle8i Standard Edition 8.0.6
Oracle Oracle8i Standard Edition 8.0.x
Oracle Oracle8 8.1.7
- Microsoft Windows 2000 Professional
Oracle Oracle8 8.1.6
Oracle Oracle8 8.1.5
+ HP HP-UX 11.11
+ HP HP-UX 11.0
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.1 i386
Oracle Oracle8 8.0.6
Oracle Oracle8 8.0.5.1
Oracle Oracle8 8.0.5
- SGI IRIX 6.5.4
Oracle Oracle8 8.0.4
Oracle Oracle8 8.0.3
Oracle Oracle8 8.0.2
Oracle Oracle8 8.0.1
- HP HP-UX 11.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
Oracle Oracle7 7.3.4
- RedHat Linux 6.1 i386
- RedHat Linux 6.0
- RedHat Linux 5.2 i386
- RedHat Linux 5.1
- RedHat Linux 5.0
- Sun Solaris 2.5.1_x86
- Sun Solaris 2.5.1
+ Sun Solaris 2.6_x86
- Sun Solaris 2.6
- Sun Solaris 2.5_x86
- Sun Solaris 2.5
- Sun Solaris 2.4_x86
- Sun Solaris 2.4
Oracle Oracle7 7.3.3
OpenLink Software OpenLink 8.0.6
OpenLink Software OpenLink 8.0.5
OpenLink Software OpenLink 8.0.4
Oracle Oracle9i Standard Edition 9.2.0.2
Oracle Oracle9i Standard Edition 9.0.1.4
Oracle Oracle8i Standard Edition 8.1.7.4
Oracle Oracle8i Standard Edition 8.0.6.3

- Unaffected program versions

Oracle Oracle9i Standard Edition 9.2.0.2
Oracle Oracle9i Standard Edition 9.0.1.4
Oracle Oracle8i Standard Edition 8.1.7.4
Oracle Oracle8i Standard Edition 8.0.6.3

- Vulnerability discussion

A buffer overflow vulnerability has been reported for Oracle Database Server. The vulnerability exists due to insufficient boundary checks performed on the CREATE DATABASE LINK query.

Successful exploitation will result in the corruption of sensitive stack memory to execute attacker-supplied code with the privileges of the database server.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Oracle has released patches. Please see the referenced advisory for further details. Users should also check Metalink on a regular basis to determine if patches are available for their platform.


Oracle Oracle8i Standard Edition 8.0.6.3

Oracle Oracle8i Standard Edition 8.1.7.4

Oracle Oracle9i Standard Edition 9.0.1.4

Oracle Oracle9i Standard Edition 9.2.0.2

- References

 

 
