Oracle9i NUMTOYMINTERVAL Overflow

2004-02-06T04:10:09
ID OSVDB:3837
Type osvdb
Reporter OSVDB
Modified 2004-02-06T04:10:09

Description

Vulnerability Description

A remote overflow exists in Oracle 9i. The NUMTOYMINTERVAL function fails to validate the "char_expr" string, resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution, resulting in a loss of confidentiality, integrity, and/or availability.

Solution Description

Upgrade to version 9.2.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

SELECT last_name, hire_date, salary, SUM(salary) OVER (ORDER BY hire_date RANGE NUMTOYMINTERVAL(1,'<long string here>') PRECEDING) AS t_sal FROM employees;

In a default installation, any user can execute this request. The above attack was executed using the SCOTT / TIGER account.

References:

Vendor URL: http://www.oracle.com/
Secunia Advisory ID: 10805
Related OSVDB ID: 3839
Related OSVDB ID: 3838
Related OSVDB ID: 3840
Other Advisory URL: http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
ISS X-Force ID: 15060
CVE-2003-1208