As promised, a security researcher on Wednesday revealed several security vulnerabilities in Oracle Corp.s 9i database software, some of which enable an attacker to run arbitrary code on the affected machine or access the database server without a password.
Patches or workarounds are available for all of the vulnerabilities.
The advisories come at a particularly inopportune time for Oracle, as the Redwood Shores, Calif., company is in the midst of a huge marketing push that touts 9i as “Unbreakable.”
The most severe vulnerabilities are a series of buffer overflows in the Apache Web server module in the 9i Application Server. The problems lie in the PL/SQL (procedural language/structured query language) module in Apache, which enables remote users to call procedures exported by a PL/SQL package stored in the database server, according to the advisory published by David Litchfield, co-founder of Next Generation Security Software Ltd., a U.K.-based security company.
Litchfield has hinted previously that he had found several problems in 9i, but he had been holding off on releasing the details until Oracle issued patches or workarounds.
An attacker can cause a buffer overflow of this module in several ways: sending an overly long request to the PL/SQL module; a long password set in the Authorization HTTP client header; an overly long cache directory name in the cache form; or setting an overly long password in the adddad form.
These flaws affect a version of the 9i AS running on Sun Microsystems Inc.s SPARC Solaris 2.6; Microsoft Corp.s Windows NT and 2000; and Hewlett-Packard Co.s HP-UX 11.0/32-bit, according to Litchfields advisory.
Another flaw, which affects Oracle 9i and 8i databases on all platforms, also involves the PL/SQL package and enables an attacker to call any function in any library on the vulnerable system. Litchfield said he has discovered a way to bypass the password and user ID functions that would normally be required to log into an Oracle database.
An attacker could masquerade as an Oracle process and execute any function in any DLL on the system without being required to authenticate himself. This can be done remotely, Litchfield says, over a TCP connection.
The final vulnerability affects 9i AS and enables an attacker to view the source code of Java Server Pages downloaded from OracleJSP servers. The problem is that translated Java files contain the pages source code in clear text, which can often contain information such as the database user ID and password.
Oracle responded to a request for comment on the vulnerabilities with a prepared statement: “How a company responds to a bug is extremely important. Oracle responds as quickly as possible with information, patches and workarounds that customers can apply. No Oracle customers have reported issues stemming from these bugs.”
The advisories are available at www.nextgenss.com/advisories and the patches are at http://otn.oracle.com/deploy/security/alerts.htm.
