NGSSoftware Insight Security Research Advisory
Name: Oracle PL/SQL Apache Module
Systems Affected: Oracle 9iAS
Platforms: Sun SPARC Solaris 2.6
MS Windows NT/2000 Server
HP-UX 11.0/32-bit
Severity: High Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@nextgenss.com)
Date: 6th February 2002
Advisory number: #NISR06022002B
Advisory URL:
http://www.nextgenss.com/advisories/oramodplsbos.txt
Issue
*****
There are multiple buffer overflows in the PL/SQL module for Oracle
Application Server running on Apache web servers that allow the execution
of arbitary code. A non-overflow DoS also exists.
Description
***********
The web service with Oracle 9iAS is powered by Apache and provides many
application environments with which to offer services from the site. These
include SOAP, PL/SQL, XSQL and JSP. There are multiple buffer overrun
vulnerabilities in the PL/SQL Apache module that allow the execution of
arbitrary code.
Details
*******
The PL/SQL module exists to allow remote users to call procedures exported
by a PL/SQL package stored in the database server. This module can be
overflowed by making an overly long request to the plsql module; An overly
long password set in the Authorization HTTP client header; An overly long
cache directory name in the cache form; Setting an overly long password in
the adddad form;
Some of these attacks require that attacker know the name of the adminPath
whereas others do not.
All allow the execution of arbitrary code. On Windows NT/2000 systems the
Oracle Apache web server by default runs in the context of the local SYSTEM
account so any code will run with full privileges.
A further problem also exists whereby a request made to the pls module with
an HTTP client Authorization header set but with no auth type will cause the
server to access violate. The server needs to be restarted after an attack.
Fix Information
***************
NGSSoftware alerted Oracle to these problems between December 2001 and early
January 2002. Oracle has produced a patch to fix these problems and can be
downloaded from the Metalink site (http://metalink.oracle.com).