Oracle8i Database Found to Have Holes

By eweek  |  Posted 2001-07-02

Two vulnerabilities have been discovered that could wreak havoc on the most widely used database software on the Internet, Oracle8i, according to security experts.

The first and most serious hole would allow hackers to overflow the buffer of 8is Transparent Network Substrate (TNS) Listener, which is responsible for establishing connections between a client and remote Oracle services. Researchers from the Computer Vulnerability Emergency Response Team (COVERT) Labs at PGP Security, a subsidiary of Network Associates, identified the problem last week.

While the TNS Listener takes many requests, theyre usually short ones, such as a ping or status report. However, if a large message is sent to the Oracle8i database, the buffer can overflow and the embedded code can actually be executed on the server. This code could provide control to a malicious attacker.

"This could potentially lead to them being able to view or modify data in the database," said Jim Magdych, senior research manager at PGP.

Oracle owns 33.8 percent of the overall database market, according to a recent Gartner Dataquest report. More than half of those customers run Oracle8i, according to Jon Rubin, senior research analyst at Dataquest.

"Statistically the most-used Web databases are Oracle and [Microsoft] SQL Server," Rubin says.

PGP ranks the TNS Listener vulnerability as a "high" risk. Analysts there found a medium-risk denial-of-service vulnerability in Oracle8i as well, called the SQLNet Header Vulnerability.

It can be exploited by sending malformed packets to the Oracle8i database, requesting a connection. The packets trigger a memory error, resulting in a termination of service. Because this happens before the packets contents are authenticated or verified, the source of the bad packets can be difficult to detect.

Neither of these vulnerabilities is "exceedingly difficult to take advantage of," Magdych said. "Like with all vulnerabilities, its only a matter of time before someone releases an [application] to take advantage of it."

The vulnerabilities are accessible in both the Standard and Enterprise versions of Oracle8i running in Windows NT/2000, as well as most popular flavors of Unix. A fix is available at

Oracle representatives would not comment on these specific problems, except to say theyve posted a patch and notified their customer base. "In all cases, Oracle takes a proactive approach in notifying our customers of potential bugs and provides free patches as simultaneously as possible," a representative said. "Its then the customers responsibility to have a security policy in place to immediately fix the problem."

Rocket Fuel