CVE-2003-1208
CVSS 10.0
Published: 2004-12-03 00:00:00
Revised: 2008-09-05 16:36:19
NMCO    

[Original] Multiple buffer overflows in Oracle 9i 9 before 9.2.0.3 allow local users to execute arbitrary code by (1) setting the TIME_ZONE session parameter to a long value, or providing long parameters to the (2) NUMTOYMINTERVAL, (3) NUMTODSINTERVAL or (4) FROM_TZ functions.


[CNNVD] Oracle Database Parameter/Statement Buffer Overflow Vulnerability (CNNVD-200412-010)

        
        Oracle is a large-scale database product.
        Oracle lacks sufficient buffer bounds checking when processing certain parameters and functions. A remote attacker can exploit this vulnerability to carry out a buffer overflow attack and possibly execute arbitrary instructions with the privileges of the database process.
        Oracle contains multiple buffer overflows, as follows:
        1. The TIME_ZONE parameter specifies the default time zone displacement. TIME_ZONE is only a session parameter, not an initialization parameter. A comparable legitimate request is:
        ALTER SESSION SET TIME_ZONE = '-5:00';
        Because the TIME_ZONE parameter lacks sufficient buffer bounds checking, submitting a request that contains an overlong string can trigger a buffer overflow, for example:
        ALTER SESSION SET TIME_ZONE = ''; SELECT
        CURRENT_TIMESTAMP, LOCALTIMESTAMP FROM DUAL;
        By default, any user can submit this request. The attack above must use the SCOTT / TIGER account.
        2. NUMTOYMINTERVAL converts n to an INTERVAL YEAR TO MONTH; n can be a number or a numeric expression, and char_expr can be of the CHAR, VARCHAR2, NCHAR, or NVARCHAR2 data type. A comparable legitimate request is:
        SELECT last_name, hire_date, salary, SUM(salary)
         OVER (ORDER BY hire_date
         RANGE NUMTOYMINTERVAL(1,'year') PRECEDING) AS t_sal
         FROM employees;
        n = 1
        char_expr = year
        Because the NUMTOYMINTERVAL function lacks sufficient buffer bounds checking on its parameters, submitting a request that contains an overlong string can trigger a buffer overflow, for example:
        SELECT last_name, hire_date, salary, SUM(salary)
         OVER (ORDER BY hire_date
         RANGE NUMTOYMINTERVAL(1,'') PRECEDING) AS t_sal
         FROM employees;
        By default, any user can submit this request. The attack above must use the SCOTT / TIGER account.
        3. NUMTODSINTERVAL is the function that converts n to an INTERVAL DAY TO SECOND; n can be a number or a numeric expression, and char_expr can be of the CHAR, VARCHAR2, NCHAR, or NVARCHAR2 data type. A comparable legitimate request is:
        SELECT manager_id, last_name, hire_date,
         COUNT(*) OVER (PARTITION BY manager_id ORDER BY hire_date
         RANGE NUMTODSINTERVAL(100, 'day') PRECEDING) AS t_count
         FROM employees;
        n = 100
        char_expr = day
        Because the NUMTODSINTERVAL function lacks sufficient buffer bounds checking on its parameters, submitting a request that contains an overlong string can trigger a buffer overflow, for example:
        SELECT empno, ename, hiredate, COUNT(*) OVER (PARTITION BY empno ORDER BY
        hiredate RANGE NUMTODSINTERVAL(100, '') PRECEDING) AS
        t_count FROM emp;
        By default, any user can submit this request. The attack above must use the SCOTT / TIGER account.
        4. The FROM_TZ function converts a timestamp. A comparable request is:
        SELECT FROM_TZ(TIMESTAMP '2003-09-8 08:00:00', '12:00') FROM DUAL;
        This statement would return the following values:
        Because the FROM_TZ function lacks sufficient buffer bounds checking on the TZD parameter, submitting a request that contains an overlong string can trigger a buffer overflow, for example:
        SELECT FROM_TZ(TIMESTAMP '2000-03-28 08:00:00','long string here') FROM
        DUAL;
        By default, any user can submit this request.
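The four sinks listed above share one observable trait: a legitimate argument is a short token such as '-5:00', 'year', 'day' or '12:00', while the vulnerable case needs a string literal far longer than any of them. The following Python scanner is an added detection example; it is not code from the advisory, from Oracle or from NGSSoftware. It reads audited SQL statements (constructed sample entries embedded below, not a real audit trail) and raises a finding whenever TIME_ZONE, NUMTOYMINTERVAL, NUMTODSINTERVAL or FROM_TZ receives a literal longer than a threshold. The 64-character threshold is an analyst-chosen assumption, since the record gives no overflow length, and the argument matcher is deliberately naive (it stops at the first closing parenthesis, so nested calls are not handled).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Analyst-chosen threshold; an assumption, not a value from the advisory. Every
# legitimate argument quoted in the record ('-5:00', 'year', 'day', '12:00') is a
# few characters long, so a literal beyond this length has no benign explanation.
MAX_LITERAL_LEN = 64

# Single-quoted SQL literal; a doubled quote ('') inside it is an escaped quote.
_LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")
# ALTER SESSION SET TIME_ZONE = '<literal>'  (sink 1 in the record)
_TIME_ZONE_RE = re.compile(r"\bTIME_ZONE\s*=\s*'((?:[^']|'')*)'", re.IGNORECASE)
# <function>( <args> ) for sinks 2-4; deliberately naive: the argument list ends at
# the first ')', so a nested call inside the arguments is not handled.
_FUNC_CALL_RE = re.compile(
    r"\b(NUMTOYMINTERVAL|NUMTODSINTERVAL|FROM_TZ)\s*\(([^)]*)\)", re.IGNORECASE)


@dataclass
class Finding:
    sink: str         # parameter or function that received the overlong literal
    literal_len: int  # length of that literal, in characters
    preview: str      # start of the statement, for the alert text


def scan_statement(sql: str, max_len: int = MAX_LITERAL_LEN) -> List[Finding]:
    """Return one Finding per overlong literal passed to a CVE-2003-1208 sink."""
    findings: List[Finding] = []
    preview = sql[:60] + ("..." if len(sql) > 60 else "")
    for m in _TIME_ZONE_RE.finditer(sql):
        if len(m.group(1)) > max_len:
            findings.append(Finding("TIME_ZONE", len(m.group(1)), preview))
    for call in _FUNC_CALL_RE.finditer(sql):
        func = call.group(1).upper()
        # Check every literal in the argument list; for FROM_TZ that includes the
        # TIMESTAMP literal as well as the TZD string, which is harmless here.
        for lit in _LITERAL_RE.finditer(call.group(2)):
            if len(lit.group(1)) > max_len:
                findings.append(Finding(func, len(lit.group(1)), preview))
    return findings


def scan_log(statements: Iterable[str]) -> List[Finding]:
    """Scan a sequence of audited SQL statements, one statement per entry."""
    findings: List[Finding] = []
    for sql in statements:
        findings.extend(scan_statement(sql))
    return findings


# Constructed sample audit entries (not taken from any real audit trail). The first
# four are the legitimate forms quoted in the record; the last three carry an
# overlong literal of filler characters in place of the elided strings.
SAMPLE_STATEMENTS = [
    "ALTER SESSION SET TIME_ZONE = '-5:00'",
    "SELECT last_name, hire_date, salary, SUM(salary) OVER (ORDER BY hire_date "
    "RANGE NUMTOYMINTERVAL(1,'year') PRECEDING) AS t_sal FROM employees",
    "SELECT manager_id, last_name, hire_date, COUNT(*) OVER (PARTITION BY manager_id "
    "ORDER BY hire_date RANGE NUMTODSINTERVAL(100, 'day') PRECEDING) AS t_count FROM employees",
    "SELECT FROM_TZ(TIMESTAMP '2003-09-08 08:00:00', '12:00') FROM DUAL",
    "ALTER SESSION SET TIME_ZONE = '" + "A" * 600 + "'; "
    "SELECT CURRENT_TIMESTAMP, LOCALTIMESTAMP FROM DUAL",
    "SELECT last_name, hire_date, salary, SUM(salary) OVER (ORDER BY hire_date "
    "RANGE NUMTOYMINTERVAL(1,'" + "B" * 800 + "') PRECEDING) AS t_sal FROM employees",
    "SELECT FROM_TZ(TIMESTAMP '2000-03-28 08:00:00','" + "C" * 1200 + "') FROM DUAL",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_STATEMENTS):
        print(f"ALERT sink={f.sink} literal_len={f.literal_len} sql={f.preview!r}")
```

Run against the sample entries, the scanner stays silent on the four legitimate statements and reports the three overlong ones, naming the sink each time. In practice the statements would come from the database audit trail or a SQL-level network capture; the threshold is the only tunable, and lowering it towards the length of the longest legitimate value in your own workload tightens the rule without changing its logic.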
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:oracle:oracle9i:standard_9.2.0.1
cpe:/a:oracle:oracle9i:standard_9.2.0.2
cpe:/a:oracle:oracle9i:enterprise_9.2.0.2
cpe:/a:oracle:oracle9i:standard_9.0.1
cpe:/a:oracle:oracle9i:standard_9.0.1.2
cpe:/a:oracle:oracle9i:enterprise_9.2.0
cpe:/a:oracle:oracle9i:personal_9.2
cpe:/a:oracle:oracle9i:standard_9.0
cpe:/a:oracle:oracle9i:standard_9.0.2
cpe:/a:oracle:oracle9i:standard_9.2
cpe:/a:oracle:oracle9i:standard_9.0.1.4
cpe:/a:oracle:oracle9i:personal_9.2.0.1
cpe:/a:oracle:oracle9i:enterprise_9.2.0.1
cpe:/a:oracle:oracle9i:personal_9.0.1
cpe:/a:oracle:oracle9i:enterprise_9.0.1
cpe:/a:oracle:oracle9i:standard_9.0.1.3
cpe:/a:oracle:oracle9i:personal_9.2.0.2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1208
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1208
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-010
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/846582
(VENDOR_ADVISORY)  CERT-VN  VU#846582
http://www.kb.cert.org/vuls/id/819126
(VENDOR_ADVISORY)  CERT-VN  VU#819126
http://www.kb.cert.org/vuls/id/399806
(VENDOR_ADVISORY)  CERT-VN  VU#399806
http://www.kb.cert.org/vuls/id/240174
(VENDOR_ADVISORY)  CERT-VN  VU#240174
http://xforce.iss.net/xforce/xfdb/15060
(VENDOR_ADVISORY)  XF  oracle-multiple-function-bo(15060)
http://www.securityfocus.com/bid/9587
(VENDOR_ADVISORY)  BID  9587
http://www.osvdb.org/3840
(VENDOR_ADVISORY)  OSVDB  3840
http://www.osvdb.org/3839
(VENDOR_ADVISORY)  OSVDB  3839
http://www.osvdb.org/3838
(VENDOR_ADVISORY)  OSVDB  3838
http://www.osvdb.org/3837
(VENDOR_ADVISORY)  OSVDB  3837
http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
(PATCH)  MISC  http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
http://www.nextgenss.com/advisories/ora_numtodsinterval.txt
(PATCH)  MISC  http://www.nextgenss.com/advisories/ora_numtodsinterval.txt
http://www.nextgenss.com/advisories/ora_from_tz.txt
(PATCH)  MISC  http://www.nextgenss.com/advisories/ora_from_tz.txt
http://www.ciac.org/ciac/bulletins/o-093.shtml
(VENDOR_ADVISORY)  CIAC  O-093
http://secunia.com/advisories/10805
(PATCH)  SECUNIA  10805
http://www.nextgenss.com/advisories/ora_time_zone.txt
(UNKNOWN)  MISC  http://www.nextgenss.com/advisories/ora_time_zone.txt
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0030.html
(VENDOR_ADVISORY)  BUGTRAQ  20040205 Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow

- Vulnerability information

Oracle Database Parameter/Statement Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-12-03 00:00:00 2006-05-01 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        Oracle
        ------
        Oracle 9i Database Release 2, version 9.2.0.3 has fixed this vulnerability. For more information on Oracle security patches, visit the Oracle Metalink site:
        
        http://metalink.oracle.com

- Vulnerability information

3837
Oracle Database NUMTOYMINTERVAL Function Local Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

A remote overflow exists in Oracle 9i. The NUMTOYMINTERVAL function fails to validate the "char_expr" string resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of confidentiality, integrity, and/or availability.

- Timeline

2004-02-06 2003-12-12
Unknown Unknown

- Solution

Upgrade to version 9.2.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete