CVE-2001-0499
published 2001-07-21

Priority: P2 (60) · Severity: critical, CVSS 2.0 base score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 85.20% (99.7th percentile)
Buffer overflow in Transparent Network Substrate (TNS) Listener in Oracle 8i 8.1.7 and earlier allows remote attackers to gain privileges via a long argument to the commands (1) STATUS, (2) PING, (3) SERVICES, (4) TRC_FILE, (5) SAVE_CONFIG, or (6) RELOAD.

Affected (1 range)

Vendor: oracle · Product: oracle8i · Version range: <= 8.1.7 · Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 1521 (TNS Listener)
port: 8080 (bind shell opened by the proof-of-concept shellcode)
command: (CONNECT_DATA=(COMMAND=STATUS)(ARGUMENTS=<overflow_buffer>))
command: (CONNECT_DATA=(COMMAND=VERSION))
command: (DESCRIPTION=(CONNECT_DATA=(CID=(PROGRAM=)(HOST=)(USER=))(COMMAND=status)(ARGUMENTS=3)(SERVICE=
other: 0x60a1e154
other: \x63\x0d\xfa\x7f (the little-endian encoding of 0x7ffa0d63)
bytes (a TNS CONNECT packet header: length 0x0059, packet type 0x01 = CONNECT, 0x1f bytes of connect data at offset 0x3a):
\x00\x59\x00\x00\x01\x00\x00\x00\x01\x36\x01\x2c\x00\x00\x08\x00\x7f\xff\x7f\x08\x00\x00\x00\x01\x00\x1f\x00\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\xe6\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00
  • Monitor TNS traffic to port 1521 for CONNECT_DATA packets with an oversized ARGUMENTS field: a STATUS, PING, SERVICES, TRC_FILE, SAVE_CONFIG or RELOAD command carrying an anomalously long argument string is the exploitation signature.
  • Flag unauthenticated TNS connections whose CONNECT_DATA carries an ARGUMENTS value far beyond normal length (offsets of roughly 6379–6383 bytes are observed in public exploit code) as potential exploitation attempts.
  • Check responses to the VERSION command for the banner '32-bit Windows: Version 8.1.7.0.0'; the Metasploit module uses it to confirm a vulnerable target before exploiting.
  • On Windows, monitor for unexpected child processes (e.g., cmd.exe) of the Oracle TNS Listener process (tnslsnr.exe); the payload spawns a bind or reverse shell.
  • Monitor for new listening sockets on port 8080 opened by the TNS Listener process; the proof-of-concept shellcode binds cmd.exe to that port.
  • The payload's bad characters are known: the ARGUMENTS buffer must not contain \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c. IDS/IPS signatures can therefore flag TNS ARGUMENTS values that are long, high-entropy (or encoder-style upper-case alphanumeric) and free of those bytes.
  • Exploitation requires no authentication; any remote connection to TNS port 1521 can trigger the overflow.
  • Versions 8.1.5, 8.1.6 and 8.1.7 are confirmed vulnerable; earlier versions are likely vulnerable as well and should be treated as in scope for detection.
  • On Windows the TNS Listener runs as LocalSystem, so successful exploitation grants full administrative control; on Unix it yields the Oracle service account, which may still allow full system compromise.