[20371] in bugtraq
Re: Oracle 8 denial of service
daemon@ATHENA.MIT.EDU (Dave Lee)
Sun Apr 22 15:01:32 2001
Message-ID: <20010420191339.89422.qmail@web11507.mail.yahoo.com>
Date: Fri, 20 Apr 2001 12:13:39 -0700
Reply-To: Dave Lee <daverlee@YAHOO.COM>
From: Dave Lee <daverlee@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

I attempted to run the exploit against Oracle 7.3.4.5,
8.0.6 and 8.1.7 (8i) listeners running on a Sun SPARC
Solaris 2.7 and an Oracle 7.34 Server on NT (SP6).
The only result was a "TNS-12502: TNS:listener
received no CONNECT_DATA from client" entry in the
listener logfiles.

Oracle has had some DoS issues in the past, but they were
dealing with the Oracle Application Server, not the
database listener. Most of the database listener
issues have been due to lack of password protection.

Can you post the exact version of Oracle, with
patchset, that you are running on the NT server?

- Dave Lee
____________
>Hi!
>
>Attached is a little perl-script, which makes TNSLSNR80.EXE consume all
>available cpu-time so the computer becomes unusable. It works on
>Oracle 8 servers running Windows NT 4.0 (SP6) and does not require any
>authentication credentials to succeed. I have not tried it on any other
>versions or platforms.
>
>In case this is a known problem -> sorry. A quick search didn't turn
>up anything...
>
>cu
>r0ot