CVE-2001-0499
Published: 2001-07-21
Priority: P2 · 60 · critical · CVSS 2.0: 10 · AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 85.20% (99.7th percentile)
Buffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | oracle8i | <= 8.1.7 | — |
Detection & IOCs (extracted from sources)
- command: `(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)(ARGUMENTS=3)(SERVICE=`
- bytes: `\x00\x59\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x7f\x08\x00\x00\x00\x01\x00\x1f\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\xe6\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00`
- Detect exploitation attempts by monitoring TNS traffic on port 1521 for oversized ARGUMENTS fields within CONNECT_DATA packets (STATUS, PING, SERVICES, TRC_FILE, SAVE_CONFIG, or RELOAD commands with anomalously long argument strings).
- Flag unauthenticated TNS connections sending CONNECT_DATA packets with ARGUMENTS values exceeding normal length (offsets of ~6379–6383 bytes observed in exploit code) as potential exploitation attempts.
- Check for the TNS version banner '32-bit Windows: Version 8.1.7.0.0' in responses, which the Metasploit module uses to confirm a vulnerable target before exploitation.
- On Windows targets, monitor for unexpected child processes (e.g., cmd.exe) spawned by the Oracle TNS Listener process (tnslsnr.exe), as the shellcode binds a reverse/bind shell.
- Monitor for new listening sockets on port 8080 opened by the Oracle TNS Listener process, as the proof-of-concept shellcode binds cmd.exe to that port.
- Payload bad characters for this exploit are known; IDS/IPS signatures should flag TNS ARGUMENTS payloads containing high-entropy alpha-upper strings while being free of the bytes: \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c.
- Exploitation does not require authentication; any unauthenticated remote connection to TNS port 1521 can trigger the overflow.
- Versions 8.1.5, 8.1.6, and 8.1.7 are confirmed vulnerable; earlier versions are also likely vulnerable and should be treated as in-scope for detection.
- On Windows, the TNS Listener runs as LocalSystem, meaning successful exploitation grants full administrative control; on Unix, exploitation yields the Oracle service account, which may still allow full system compromise.
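A minimal decoder for the first two checks in the list above, added here as an example (it is not from the page's sources or the Metasploit module): it parses the TNS CONNECT header laid out like the bytes IOC, pulls COMMAND and ARGUMENTS out of the connect data, and alerts when one of the six listener commands carries an oversized ARGUMENTS value. The 512-byte cut-off, the sample packets and the build_connect helper are constructed assumptions for the demonstration.

```python
import re
import struct

TNS_CONNECT = 1          # TNS packet-type byte for a CONNECT packet
HEADER_LEN = 58          # size of the CONNECT header in the IOC above; connect data follows it
ARGUMENTS_MAX_LEN = 512  # assumed cut-off: a legitimate ARGUMENTS value is a short decimal number
LISTENER_COMMANDS = {b"status", b"ping", b"services", b"trc_file", b"save_config", b"reload"}

def parse_connect(pkt):
    """Return the connect-data bytes of a TNS CONNECT packet, or None when the packet is
    not a CONNECT or its header claims more connect data than was actually received."""
    if len(pkt) < 28 or pkt[4] != TNS_CONNECT:
        return None
    pkt_len = struct.unpack(">H", pkt[0:2])[0]         # bytes 0-1: total packet length
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])  # bytes 24-25: connect-data length, 26-27: its offset
    if cd_off < 28 or pkt_len > len(pkt) or cd_off + cd_len > len(pkt):
        return None
    return pkt[cd_off:cd_off + cd_len]

def inspect(pkt):
    """Classify one packet and return the fields an analyst wants in the alert."""
    cd = parse_connect(pkt)
    if cd is None:
        return {"verdict": "ignore", "reason": "not a well-formed TNS CONNECT packet"}
    cmd = re.search(rb"\(COMMAND=([^()]*)\)", cd)
    args = re.search(rb"\(ARGUMENTS=([^()]*)\)", cd)
    command = cmd.group(1).lower() if cmd else b""
    arg_len = len(args.group(1)) if args else 0
    result = {"verdict": "benign", "command": command.decode("latin-1"), "arguments_len": arg_len}
    if command in LISTENER_COMMANDS and arg_len > ARGUMENTS_MAX_LEN:
        result["verdict"] = "alert"
        result["reason"] = "oversized ARGUMENTS to a listener control command (CVE-2001-0499 pattern)"
    return result

def build_connect(connect_data):
    """Constructed test fixture only: wrap connect data in a CONNECT header laid out like the
    IOC bytes above (version 310, SDU 2048, TDU 32767) with consistent length fields."""
    hdr = struct.pack(">HHBBH", HEADER_LEN + len(connect_data), 0, TNS_CONNECT, 0, 0)
    hdr += struct.pack(">8H", 310, 300, 0, 2048, 32767, 0x7F08, 0, 1)
    hdr += struct.pack(">HH", len(connect_data), HEADER_LEN)
    hdr += b"\x00" * (HEADER_LEN - len(hdr))           # max-receivable, flags, trace ids, padding
    return hdr + connect_data

# Constructed samples: a normal lsnrctl "status" request and one with a 6400-byte ARGUMENTS value
BENIGN = build_connect(b"(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=lsnrctl)(HOST=dbhost)(USER=oracle))"
                       b"(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=135290880)))")
SUSPECT = build_connect(b"(DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)"
                        b"(ARGUMENTS=" + b"A" * 6400 + b")(SERVICE=LISTENER)))")
```

Feed the decoder the first packet of each new TCP session to port 1521; a packet whose header length fields do not match the bytes received is reported as "ignore" rather than parsed, so a sensor should treat that case as its own anomaly.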
No detection rules found.
Exploit-DB: Oracle 8i - TNS Listener 'ARGUMENTS' Remote Buffer Overflow (Metasploit) (exploitdb, 2010-11-24)
---
```ruby
##
# $Id: tns_arguments.rb 11122 2010-11-24 06:10:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow',
            'Description'    => %q{
                    This module exploits a stack buffer overflow in Oracle 8i. When
                sending a specially crafted packet containing an overly long
                ARGUMENTS string to the TNS service, an attacker may be able
                to execute arbitrary code.
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revisio
```
Exploit-DB: Oracle 8i - TNS Listener Buffer Overflow (exploitdb, 2001-07-20)
---
// source: https://www.securityfocus.com/bid/2941/info
Oracle 8i ships with a component called TNS Listener. TNS Listener is used to arbitrate communication between remote database clients/applications and the database server.
There exists a remotely exploitable buffer overflow in TNS Listener. Remote attackers can execute arbitrary code on affected hosts. This vulnerability does not require authentication to exploit.
On Windows 2000/NT4 systems, TNS Listener runs with 'LocalSystem' privileges. These are equivalent to administrative, and any attacker able to exploit this vulnerability on such a system would gain control over it.
On Unix systems, Oracle processes such as the listener typically run as their own userid. Exploitation of this vulnera
Metasploit: Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
This module exploits a stack buffer overflow in Oracle 8i. When sending a specially crafted packet containing an overly long ARGUMENTS string to the TNS service, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://www.cert.org/advisories/CA-2001-16.html
- http://www.kb.cert.org/vuls/id/620495
- http://www.nai.com/research/covert/advisories/050.asp
- http://www.securityfocus.com/bid/2941
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6758