ora-isqlplus.txt

`NGSSoftware Insight Security Research Advisory  
  
Name: Oracle iSQL*Plus buffer overflow  
Systems: Oracle Database 9i R1,2 on all operating systems  
Severity: High Risk  
Vendor URL: http://www.oracle.com/  
Author: David Litchfield ([email protected])  
Advisory URL: http://www.ngssoftware.com/advisories/ora-isqlplus.txt  
Date: 4th November 2002  
Advisory number: #NISR04112002  
  
  
Description  
***********  
Oracle iSQL*Plus is a web based application that allows users to query the  
database. It is installed with Oracle 9 database server and runs on top of  
apache. The iSQL*Plus module is vulnerable to a classic buffer overflow  
vulnerability.  
  
  
Details  
*******  
The iSQL*Plus web application requires users to log in. After accessing the  
default url, "/isqlplus" a user is presented with a log in screen. By  
sending the web server an overly long user ID parameter, an internal buffer  
is overflow on the stack and the saved return address is overwritten. This  
can allow an attacker to run arbitrary code in the security context of the  
web server. On most systems this will be the "oracle" user and on Windows  
the "SYSTEM" user. Once the web server has been compromised attackers may  
then use it as a staging platform to launch attacks against the database  
server itself.  
  
Fix Information  
***************  
NGSSoftware alerted Oracle to this problem on the 18th of October and  
Oracle, last week, issued an alert. The Oracle bug number assigned to this  
issue is 2581911. Patches can be downloaded from the Oracle Metalink site  
http://metalink.oracle.com/.  
  
  
  
`