EXPOSURE:


1. A remote compromise in the Database server in Oracle 8 and 9i on
all platforms could result in a hacker executing any function
from any system library. A system library is a compilation of
functions that are commonly used in a particular Operating
System (OS). For instance, these libraries may contain functions
that open a common shell for that OS. By establishing a remote
connection to the Oracle Database server's listening port (TCP
1521) while masquerading as an Oracle process, a hacker could trick the
Oracle Database server into executing any function from any of
these libraries even though the attacker has not authenticated
to the server with a user name and password. The function would
be called with the permissions of the Oracle processes
(typically full system permissions). Commands executed with
these permissions could result in significant damage to your
system. For a more detailed explanation of this
vulnerability and its workaround, see NGSSoftware's advisory
<http://www.nextgenss.com/advisories/oraplsextproc.txt> and
Oracle's Security Alert # 29.
<http://technet.oracle.com/deploy/sec...proc_alert.pdf>


2. Oracle 9iAS for Solaris, Windows and HP-UX machines has a PL/SQL
module that allows remote users to call special procedures
stored on a database server. Multiple buffer overflows have been
found in relation to this PL/SQL module. Each overflow can
result in the execution of arbitrary code with the permissions
of the Oracle Apache Web service. By default, this service runs
with the permissions of the local SYSTEM account in Windows.
This would allow a hacker to execute any code with full
privileges. For a more detailed explanation of this
vulnerability and its workaround, see NGSSoftware's advisory
<http://www.nextgenss.com/advisories/oraplsbos.txt> and Oracle's
Security Alert # 28.
<http://technet.oracle.com/deploy/sec...lsql_alert.pdf>


3. Oracle 9iAS's Web server on all platforms supports JavaServer
Pages <http://java.sun.com/products/jsp/> (JSP). JSP allows for
dynamic Web pages containing elements like Java scriptlets and
XML tags. The code contained within a JSP Web page is compiled
by the Web server when a user requests the page. NGSSoftware
found that Oracle's Web server creates three temporary files in
a publicly accessible folder whenever a JSP page is accessed.
One of these files contains the source code for the JSP page in
clear text. This source code might contain sensitive information
such as user IDs and passwords. For a more detailed explanation
of this vulnerability and its patch, see NGSSoftware's advisory
<http://www.nextgenss.com/advisories/orajsp.txt> and part 2 in
Oracle's Security Alert # 28.
<http://technet.oracle.com/deploy/sec...lsql_alert.pdf>