[20360] in bugtraq
Re: Oracle8 denial of service (fwd)
daemon@ATHENA.MIT.EDU (James W. Abendschan)
Sun Apr 22 13:18:24 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0104201252581.929-100000@nimue.int.jammed.com>
Date: Fri, 20 Apr 2001 13:04:25 -0700
Reply-To: "James W. Abendschan" <jwa@JAMMED.COM>
From: "James W. Abendschan" <jwa@JAMMED.COM>
X-To: Stephen Oberther <oberther@CS.FSU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0104201012320.4438-100000@quake.cs.fsu.edu>

On Fri, 20 Apr 2001, Stephen Oberther wrote:
> > Oracle 8 servers running Windows NT 4.0 (SP6) and does not require any
> > authentication credentials to succeed. I have not tried it on any other versions
> > or platforms.
>
> This works on Oracle 8 running on Solaris 8 as well. No credentials
> needed to do the name lookup either; it just eats up a processor. Good
> thing it isn't threaded.

There were some remote DoS and general security bugs in the Oracle tnslsnr
in (at least) 8.1.6. This was reported to Oracle back in October 2000;
8.1.7 fixes the DoS and most of the security problems (TNS 'query leaking'
is still possible in 8.1.7 -- by sending tnslsnr a packet with a bogus length,
it's possible to see the contents of previous TNS packets. While this
won't reveal past SQL sessions, it does show usernames and other oddities.)

http://otn.oracle.com/deploy/security/alerts.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0818
http://xforce.iss.net/alerts/advise66.php
http://www.jammed.com/~jwa/hacks/security/tnscmd/ - my kludgy 'tnsping'

James
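
Added example, not part of the original message or of tnscmd: a length-consistency check that a proxy or packet-capture filter in front of tnslsnr could apply to flag TNS packets carrying a bogus length like the one described above. The message does not say which length field is involved, so the sketch checks both the header length and the CONNECT data length. Assumptions: the commonly documented TNS layout (big-endian 2-byte packet length at offset 0, type byte at offset 4, CONNECT data length and offset at 24 and 26); the function names and sample packets are constructed for illustration.

```python
import struct

TNS_CONNECT = 1  # CONNECT packet type in the assumed TNS header layout


def check_tns_packet(frame: bytes) -> list:
    """Return a list of length inconsistencies found in one TNS packet."""
    if len(frame) < 8:
        return ["shorter than the 8-byte TNS header"]
    problems = []
    declared, _cksum, ptype = struct.unpack_from(">HHB", frame, 0)
    if declared != len(frame):
        problems.append(
            f"header length {declared} != {len(frame)} bytes received")
    if ptype == TNS_CONNECT:
        if len(frame) < 28:
            problems.append("CONNECT truncated before connect-data fields")
            return problems
        data_len, data_off = struct.unpack_from(">HH", frame, 24)
        end = data_off + data_len
        # A declared data span larger than the packet would make a naive
        # parser read whatever is left in its buffer from earlier packets.
        if end > len(frame):
            problems.append(
                f"connect data [{data_off}:{end}] runs past end of packet")
    return problems


def build_connect(data: bytes, declared_data_len=None) -> bytes:
    """Build a sample CONNECT packet (constructed data, 34-byte fixed part)."""
    data_off = 34
    dlen = len(data) if declared_data_len is None else declared_data_len
    header = struct.pack(">HHBBH", data_off + len(data), 0, TNS_CONNECT, 0, 0)
    fixed = bytes(16) + struct.pack(">HH", dlen, data_off) + bytes(6)
    return header + fixed + data


if __name__ == "__main__":
    ping = b"(CONNECT_DATA=(COMMAND=ping))"  # constructed sample payload
    for label, pkt in [("well-formed", build_connect(ping)),
                       ("bogus data length", build_connect(ping, 256)),
                       ("truncated frame", build_connect(ping)[:-5])]:
        print(label, "->", check_tns_packet(pkt) or "ok")
```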