Reported November 4, 2002, by NGSSoftware.




  • Oracle Database 9i, releases 1 and 2 on all OSs





A vulnerability exists in Oracle’s iSQL*Plus Web-based application that lets an attacker compromise the vulnerable system and obtain SYSTEM-level access. This vulnerability stems from a buffer overflow condition in the iSQL application. By sending an overly long user ID parameter to the Web server, an attacker can overflow the internal buffer on the stack and overwrite the saved return address. The attacker can then run arbitrary code in the Web server's security context. For more details about this vulnerability, see the discoverer’s Web site.




The vendor, Oracle, has released Security Alert #46 to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in Oracle's alert.



Discovered by David Litchfield of NGSSoftware