[8860] in bugtraq
Fw: "NERP" DoS attack possible in Oracle
daemon@ATHENA.MIT.EDU (Adam Maloney)
Mon Dec 28 20:59:13 1998
Date: Mon, 28 Dec 1998 19:28:08 -0600
Reply-To: Adam Maloney <adam@iexposure.com>
From: Adam Maloney <adam@IEXPOSURE.COM>
To: BUGTRAQ@NETSPACE.ORG
This was my original posting to NTBugtraq back in August.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Maloney
Systems Administrator
Internet Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----Original Message-----
From: Adam Maloney <adam@iexposure.com>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Date: Thursday, August 27, 1998 12:27 PM
Subject: "NERP" DoS attack possible in Oracle
>NERP DoS attack for Oracle
>
>About two weeks ago I noticed that my NT machine was listening on port 1526.
>I did not recognize this port number as a WKS, and it was not listed in NT's
>services file, so I became suspicious. For lack of a better way, I
>telnetted to the port to try and find out what it was:
>
>telnet localhost 1526
>Connected to kilroy.intexp.com on port 1526
>NERP
>
>Disconnected from kilroy.intexp.com
>
>As soon as I disconnected, my CPU usage jumped to 100%. Upon looking at
>Taskman, I saw that a process named tnslsnr80.exe was the culprit. I could
>not kill the process, and after waiting for about 5 minutes for it to go
>away, I was forced to reboot my machine.
>
>When my machine came back up, I did a search for tnslsnr80.exe, and found it
>in the Oracle directory. Apparently this program listens for connections on
>port 1526 (port 1521 may be vulnerable as well), and is not expecting a mere
>user to telnet to it and feed it garbage.
>
>I contacted Oracle two weeks ago, first via their web comments page, and
>then again via e-mail, and they never acknowledged or responded. It is my
>belief that you can bring an NT machine down to its knees if it is running
>Oracle.
>
>System Tested:
>NT4.0 SP3 + post SP3 patches
>Oracle 8
>P-Pro 200, 128MB RAM
>
>I am not 100% sure that this attack can be reproduced on anyone else's
>systems. I can reproduce it on my test machine, but all of the people that
>I had contacted, asking to try the exploit out have not gotten back to me at
>all.
>
>A possible workaround would be to change the port that Oracle listens on to
>something random (so that the script kiddies have to hunt for it at least).
>I forget where, but I thought I saw a config file that allows you to specify
>which port.
>
>BTW, a few people have asked me if NERP is significant...it is not, typing
>any random garbage is sufficient. The NERP was just a sporadic random
>thought.
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Adam Maloney
> Systems Administrator
> Internet Exposure
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
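
The check that led to this report (a listening port with no entry in the services file) can be automated. The following is an added example, not part of the original posting: it compares `netstat -an` output with a services file and reports TCP listeners that have no entry. The sample netstat output, the sample services excerpt and all function names are constructed for illustration.

```python
# Constructed sample of `netstat -an` output (Windows column layout).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1526           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1031          10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Constructed services-file excerpt: name port/proto [aliases] [# comment]
SAMPLE_SERVICES = """\
# name        port/proto  aliases
loc-srv       135/tcp     epmap       # RPC endpoint mapper
netbios-ssn   139/tcp     nbsession
telnet        23/tcp
"""

def parse_services(text):
    """Return {(proto, port): name} from services-file text."""
    known = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            if port.isdigit():
                known[(proto.lower(), int(port))] = fields[0]
    return known

def parse_tcp_listeners(netstat_text):
    """Return the set of TCP ports shown in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # >= 4 also accepts `netstat -ano`, which appends a PID column.
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def unregistered_listeners(netstat_text, services_text):
    """TCP listening ports with no services-file entry, sorted."""
    known = parse_services(services_text)
    return sorted(p for p in parse_tcp_listeners(netstat_text) if ("tcp", p) not in known)

if __name__ == "__main__":
    for port in unregistered_listeners(SAMPLE_NETSTAT, SAMPLE_SERVICES):
        print(f"TCP {port} is listening with no services entry; identify the owning process")
```

A port flagged this way is only a lead: the next step is to map it to the owning process and decide whether that listener should be reachable from the network at all.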