CVE-2002-0965
Published 2002-10-04
Priority: P3 · 46 · CVSS 2.0: 7.5 (high)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 69.81% (99.3rd percentile)
Buffer overflow in TNS Listener for Oracle 9i Database Server on Windows systems, and Oracle 8 on VM, allows local users to execute arbitrary code via a long SERVICE_NAME parameter, which is not properly handled when writing an error message to a log file.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | oracle9i | — | — |
| oracle | oracle9i | — | — |
| oracle | oracle9i | — | — |
Detection & IOCs (extracted from sources)
Exploit connect descriptor template: `(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<rhost>(PORT=<rport>))(CONNECT_DATA=(SERVICE_NAME=<overflow_buff>)(CID=(PROGRAM=MSF))))`
- Detect TNS packets with an abnormally long SERVICE_NAME field (>6392 bytes) in the CONNECT_DATA, which is the overflow trigger for this vulnerability.
- Monitor TNS traffic on port 1521 for CONNECT_DATA packets containing CID=(PROGRAM=MSF), which is a Metasploit-specific fingerprint left in the exploit packet.
- Use the TNS VERSION command probe (CONNECT_DATA=(COMMAND=VERSION)) followed by a check for '32-bit Windows: Version 8.1.7.0.0' in the response as an attacker reconnaissance indicator.
- Flag exploit payloads using a stack adjustment of -3500 bytes combined with a short JMP over a NOP sled targeting return address 0x60a1e154 on Oracle 8.1.7.0.0 Windows targets.
- Bad characters for payload filtering in this exploit include null bytes and common URL/shell metacharacters; payloads will consist of uppercase alpha text with these bytes absent.
- The exploit targets only Oracle 8.1.7.0.0 Standard Edition on Windows 2000 and Windows 2003; the return address 0x60a1e154 is version-specific and will not work on other builds.
- The vulnerability is described as local on Windows and also affects Oracle 8 on VM; the Metasploit module treats it as a remote network exploit over TCP/1521, so detection scope should cover both local and network attack vectors.
- The payload space is limited to 600 bytes; shellcode larger than this will not fit within the exploit's buffer constraints.
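The first three detection notes above all reduce to inspecting the CONNECT_DATA section of a TNS connect descriptor. The following Python is an added example (not code from this page, from Oracle, or from the Metasploit module) that parses a descriptor into nested dictionaries and flags the three indicators the page lists: a SERVICE_NAME longer than 6392 bytes, a CID PROGRAM value of MSF, and a COMMAND=VERSION probe. The descriptor strings, hostnames and the `check_descriptor` / `parse_descriptor` function names are constructed for the example.

```python
"""Flag Oracle TNS connect descriptors that match the CVE-2002-0965 indicators."""

# Threshold taken from the detection note on this page: a SERVICE_NAME longer than
# this is the overflow trigger.
SERVICE_NAME_MAX = 6392
# Fingerprint the page says the Metasploit module leaves in CONNECT_DATA.
MSF_PROGRAM_MARKER = "MSF"


def parse_descriptor(text):
    """Parse a TNS descriptor such as (A=(B=x)(C=y)) into nested dicts.

    Leaf values are returned as strings. A key that repeats inside one
    section (e.g. several ADDRESS entries) is collected into a list.
    Raises ValueError on unbalanced parentheses.
    """
    text = text.strip()
    pos = 0

    def parse_node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        eq = text.index("=", pos)
        key = text[pos:eq].strip()
        pos = eq + 1
        if pos < len(text) and text[pos] == "(":
            value = {}
            while pos < len(text) and text[pos] == "(":
                child_key, child_value = parse_node()
                if child_key in value:
                    if not isinstance(value[child_key], list):
                        value[child_key] = [value[child_key]]
                    value[child_key].append(child_value)
                else:
                    value[child_key] = child_value
        else:
            close = text.index(")", pos)
            value = text[pos:close]
            pos = close
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced descriptor at offset %d" % pos)
        pos += 1
        return key, value

    key, value = parse_node()
    return {key: value}


def check_descriptor(text):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    try:
        tree = parse_descriptor(text)
    except ValueError as exc:
        return ["unparseable descriptor: %s" % exc]
    desc = tree.get("DESCRIPTION")
    cdata = desc.get("CONNECT_DATA") if isinstance(desc, dict) else None
    if not isinstance(cdata, dict):
        return findings
    svc = cdata.get("SERVICE_NAME", "")
    if isinstance(svc, str) and len(svc.encode("utf-8")) > SERVICE_NAME_MAX:
        findings.append("SERVICE_NAME is %d bytes (> %d): overflow trigger"
                        % (len(svc.encode("utf-8")), SERVICE_NAME_MAX))
    cid = cdata.get("CID")
    program = cid.get("PROGRAM", "") if isinstance(cid, dict) else ""
    if program == MSF_PROGRAM_MARKER:
        findings.append("CID PROGRAM=MSF: Metasploit fingerprint")
    if cdata.get("COMMAND") == "VERSION":
        findings.append("COMMAND=VERSION: listener version probe (reconnaissance)")
    return findings


# Constructed sample descriptors (hostnames are placeholders, not real IoCs).
BENIGN = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db01.example.test)(PORT=1521))"
          "(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=appuser))))")
SUSPICIOUS = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db01.example.test)(PORT=1521))"
              "(CONNECT_DATA=(SERVICE_NAME=" + "A" * 7000 + ")(CID=(PROGRAM=MSF))))")
VERSION_PROBE = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db01.example.test)(PORT=1521))"
                 "(CONNECT_DATA=(COMMAND=VERSION)))")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("probe", VERSION_PROBE)):
        print(label, check_descriptor(sample) or "no findings")
```

The length check counts bytes rather than characters because the listener's buffer is sized in bytes; run the same function over descriptors reconstructed from packet captures on TCP/1521 or over listener log entries, since the page notes the vulnerable path is the error-message write to the log file.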
No detection rules found.
Exploit-DB: Oracle 8i - TNS Listener SERVICE_NAME Buffer Overflow (Metasploit), 2010-11-24

The indexed module source is truncated in the listing:

```ruby
##
# $Id: tns_service_name.rb 11128 2010-11-24 19:43:49Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Oracle. When
sending a specially crafted packet containing a long SERVICE_NAME
to the TNS service, an attacker may be able to execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11128 $',
'Re
```
Metasploit: Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
This module exploits a stack buffer overflow in Oracle. When sending a specially crafted packet containing a long SERVICE_NAME to the TNS service, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0096.html
- http://online.securityfocus.com/archive/1/276526
- http://otn.oracle.com/deploy/security/pdf/net9_dos_alert.pdf
- http://www.iss.net/security_center/static/9288.php
- http://www.kb.cert.org/vuls/id/630091
- http://www.securityfocus.com/bid/4845