From: advisory at (Rapid 7 Security Advisories)
Subject: R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

                     Rapid 7, Inc. Security Advisory

        Visit to download NeXpose(tm), our
         advanced vulnerability scanner. Linux and Windows 2000
                       versions are available now!

Rapid 7 Advisory R7-0006
Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

   Published:  October 9, 2002
   Revision:   1.0

   Oracle:     Oracle Security Alert #42

   CVE:        CAN-2002-1118

   Bugtraq:    5678

1. Affected system(s):

    o Oracle 9i Release 2 (9.2.x)
    o Oracle 9i Release 1 (9.0.x)
    o Oracle 8i (8.1.x)

   Apparently NOT VULNERABLE:
    o Oracle 8.0.x (but see below)

2. Summary

   The Oracle TNS Listener is susceptible to a denial of service attack
   when issued the SERVICE_CURLOAD command.

3. Vendor status and information

   Oracle, Inc.

      Oracle was notified of this vulnerability and has made patches
      available.  This issue is being tracked as bug #2540219 in
      the Oracle bug database.

4. Solution

   Download and apply the vendor-supplied patches.  Please see Oracle
   Security Alert #42 for more information:

   Please note that patches for some versions and platforms are not
   yet available.

5. Detailed analysis

   Connecting to the Oracle TNS listener (usually on port 1521) and
   issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"
   causes the Oracle server to respond with a message indicating
   successful execution.  However, once the caller closes the
   connection, the listener service stops responding.  The effects
   of this DoS vary depending on how long the attacker keeps the
   original connection open.  If the caller keeps the listener
   connection open while new connections are serviced, the listener
   service will be disabled and may crash with an access violation.
   If the caller closes the listener connection before other requests
   are serviced, the listener service will refuse to accept new

   We were unable to reproduce this issue on Oracle 8.0.6.  Version
   8.0.6 of Oracle logs a result of 0 (success) in listener.log.
   However, the response to the caller contains error code 12629260,
   which appears to be a non-standard error code.  This may also be
   the result of an exceptional condition, but we were unable to crash
   or disable the listener in our testing.

6. Contact Information

   Rapid 7 Security Advisories
   Phone:   +1 (212) 558-8700

7. Disclaimer and Copyright

   Rapid 7, Inc. is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community.  There are NO WARRANTIES
   with regard to this information. Any application or distribution of
   this information constitutes acceptance AS IS, at the user's own
   risk.  This information is subject to change without notice.

   This advisory Copyright (C) 2002 Rapid 7, Inc.  Permission is
   hereby granted to redistribute this advisory, providing that no
   changes are made and that the copyright notices and disclaimers
   remain intact.
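
A defender-side check for the request described in section 5, as an added example that is not part of the Rapid 7 advisory: it parses listener.log entries and flags any whose CONNECT_DATA carries COMMAND=SERVICE_CURLOAD, including truncated entries. The " * "-separated log layout, the sample entries and the names parse_tns and find_curload are assumptions made for this example.

```python
import re
# Constructed sample entries; the " * "-separated field layout is an assumption.
SAMPLE_LOG = """\
09-OCT-2002 10:14:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=dbhost)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)) * status * 0
09-OCT-2002 10:15:40 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=web))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=40112)) * establish * ORCL * 0
09-OCT-2002 10:17:55 * (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) * service_curload * 0
09-OCT-2002 10:18:03 * (connect_data=(command=service_curload)) * service_curload * 0
09-OCT-2002 10:19:21 * (CONNECT_DATA=(COMMAND=service_curload
"""

def parse_tns(text):
    """Parse a '(KEY=value)(KEY=(SUB=value))' string into nested dicts (keys upper-cased)."""
    pos = 0
    def group():
        nonlocal pos
        items = {}
        while pos < len(text) and text[pos] == "(":
            eq = text.index("=", pos)
            key = text[pos + 1:eq].strip().upper()
            pos = eq + 1
            if text[pos] == "(":
                value = group()          # nested group, e.g. CID=(HOST=...)(USER=...)
            else:
                end = text.index(")", pos)
                value, pos = text[pos:end].strip(), end
            if text[pos] != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            items[key] = value
        return items
    return group()

def find_curload(log_text):
    """Return one record per log entry whose COMMAND is SERVICE_CURLOAD."""
    hits = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        data = next((f for f in fields if f.upper().startswith("(CONNECT_DATA=")), None)
        if data is None:
            continue
        try:
            command, malformed = parse_tns(data).get("CONNECT_DATA", {}).get("COMMAND", ""), False
        except (ValueError, IndexError, AttributeError):
            # Truncated or unbalanced entry: fall back to a raw pattern match.
            found = re.search(r"COMMAND\s*=\s*(\w+)", data, re.I)
            command, malformed = (found.group(1) if found else ""), True
        if str(command).upper() == "SERVICE_CURLOAD":
            hits.append({"time": fields[0], "malformed": malformed,
                         "result": None if malformed else fields[-1]})
    return hits
```

Calling find_curload(SAMPLE_LOG) returns three records: the two well-formed SERVICE_CURLOAD entries with result "0" and the truncated one marked malformed.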
