Reported February 17, 2003, by NGSSoftware.
Oracle9i Database Releases 1 and 2
Oracle 8i Database 8i, 8.1.7, 8.0.6
A vulnerability in Oracle’s Database Server can result in remote compromise of the vulnerable server. It stems from a remotely exploitable buffer overflow in the TZ_OFFSET function. By supplying a long character string for the time-zone name, an attacker can overwrite a saved return address on the stack of the Oracle process. For more details about this vulnerability, see the discoverer’s web site.
Discovered by NGSSoftware.
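A defender-side check for the condition described above, as an added example that is not part of the original advisory: it scans SQL statements (for example from an audit trail) for TZ_OFFSET calls whose time-zone argument is implausibly long. The 64-character threshold, the function name `classify` and the sample statements are assumptions made for this illustration.

```python
import re

# Assumption: 64 characters is used as the ceiling for a plausible time-zone
# name; tune it to your own environment.
MAX_TZ_LEN = 64

# TZ_OFFSET( followed by either a quoted literal ('' is an escaped quote)
# or any other expression up to the closing parenthesis.
CALL_RE = re.compile(
    r"\bTZ_OFFSET\s*\(\s*(?:'((?:[^']|'')*)'\s*\)|([^)]*)\))",
    re.IGNORECASE,
)
KEYWORDS = {"SESSIONTIMEZONE", "DBTIMEZONE"}


def classify(statement):
    """Return a list of (verdict, detail) for every TZ_OFFSET call found."""
    findings = []
    for match in CALL_RE.finditer(statement):
        literal, expr = match.group(1), match.group(2)
        if literal is not None:
            length = len(literal.replace("''", "'"))
            if length > MAX_TZ_LEN:
                findings.append(("alert", f"literal argument of {length} chars"))
            else:
                findings.append(("ok", literal))
        elif expr.strip().upper() in KEYWORDS:
            findings.append(("ok", expr.strip()))
        else:
            # Length cannot be determined statically (bind variable, expression).
            findings.append(("review", expr.strip()))
    return findings


# Constructed sample statements, not taken from a real audit trail.
SAMPLES = [
    "SELECT TZ_OFFSET('US/Eastern') FROM DUAL",
    "select tz_offset ( '-08:00' ) from dual",
    "SELECT TZ_OFFSET(SESSIONTIMEZONE) FROM DUAL",
    "SELECT TZ_OFFSET('" + "A" * 300 + "') FROM DUAL",
    "SELECT TZ_OFFSET(:tz) FROM DUAL",
]

if __name__ == "__main__":
    for sql in SAMPLES:
        for verdict, detail in classify(sql):
            print(f"{verdict:6} {detail[:40]}")
```

Statements marked `review` pass a value whose length cannot be read from the SQL text alone, so they need the bound value or the surrounding session context to be judged.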