Back to Advisories

Advisories

Rapid7 Advisory R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service

Oracle: Oracle Security Alert #42
http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

CVE: CAN-2002-1118
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1118

Bugtraq: 5678
http://online.securityfocus.com/bid/5678

Summary

October 9, 2002 - The Oracle TNS Listener is susceptible to a denial of service attack when issued the SERVICE_CURLOAD command.

Affected system(s):

KNOWN VULNERABLE:

  • Oracle 9i Release 2 (9.2.x)
  • Oracle 9i Release 1 (9.0.x)
  • Oracle 8i (8.1.x)

Apparently NOT VULNERABLE:

  • Oracle 8.0.x (but see below)

Vendor Info

Oracle, Inc.
http://www.oracle.com

Oracle was notified of this vulnerability and has made patches available. This issue is being tracked as bug #2540219 in the Oracle bug database.

Detailed Analysis

Connecting to the Oracle TNS listener (usually on port 1521) and issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))" causes the Oracle server to respond with a message indicating successful execution. However, once the caller closes the connection, the listener service stops responding. The effects of this DoS vary depending on how long the attacker keeps the original connection open. If the caller keeps the listener connection open while new connections are serviced, the listener service will be disabled and may crash with an access violation. If the caller closes the listener connection before other requests are serviced, the listener service will refuse to accept new connections.

We were unable to reproduce this issue on Oracle 8.0.6. Version 8.0.6 of Oracle logs a result of 0 (success) in listener.log. However, the response to the caller contains error code 12629260, which appears to be a non-standard error code. This may also be the result of an exceptional condition, but we were unable to crash or disable the listener in our testing.

Solution

Download and apply the vendor-supplied patches. Please see Oracle Security Alert #42 for more information:

http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf

Please note that patches for some versions and platforms are not yet available.

Disclaimer & Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2002 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.