Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] [VulnWatch] [AppSecInc Team SHATTER Security Advisory]

from [Team SHATTER] Network Security [Permanent Link]
Subject: [Full-disclosure] [VulnWatch] [AppSecInc Team SHATTER Security Advisory] Denial of Service in Oracle interMedia[Scanned]
Date: Mon, 18 Apr 2005 15:45:33 -0700 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Denial of Service in Oracle interMedia

AppSecInc Team SHATTER Security Advisory
http://www.appsecinc.com/resources/alerts/oracle/2005-01.html
April 18, 2005

Affected versions: Oracle Database Server versions 9i and 10g

Risk level: Medium

Credits: This vulnerability was discovered and researched by Esteban
Martínez Fayó of Argeniss for Application Security Inc.

Details:
Within the Oracle interMedia system, two types (ORDImage and ORDDoc)
have a vulnerability that can cause a Denial of Service condition. When
trying to load a specially constructed file, or when setting specially
constructed data to object's property, a Denial of service can be
triggered making Oracle server process consume 100% CPU usage. The
service needs to be restarted to resume normal operation.

This vulnerability can be exploited remotely by supplying a specially
constructed file to an application that uses the vulnerable objects to
process the file in the database server.

Impact:
By default PUBLIC has execute permission on these objects so any Oracle
database user can exploit this vulnerability. Exploitation of this
vulnerability will allow an attacker to cause a DOS (Denial of service).

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
Apply Oracle Critical Patch Update April 2005 available at
http://metalink.oracle.com

Links:
Application Security, Inc advisory:
http://www.appsecinc.com/resources/alerts/oracle/2005-01.html
Oracle security alert:
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

- --
_____________________________________________
Application Security, Inc.
www.appsecinc.com
AppSecInc is the leading provider of database security solutions for the
enterprise. AppSecInc products proactively secure enterprise
applications at more than 300 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with customers,
partners and suppliers. Our security experts, combined with our strong
support team, deliver up-to-date application safeguards that minimize
risk and eliminate its impact on business.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCZAQW/0w1dSVRt4URAmo6AJ9yKUAN3zd5bqhPwUmlLqljTPxrFgCgpleQ
QUm/LCcdiyGz+VgCs+dqJfY=
=ao/r
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] [VulnWatch] [AppSecInc Team SHATTER Security Advisory] Denial of Service in Oracle interMedia[Scanned], Team SHATTER <=
Previous by Date:  [Full-disclosure] iDEFENSE Security Advisory 04.18.05: McAfee Internet Security Suite 2005 Insecure File Permission Vulnerability, iDEFENSE Labs
Next by Date:  [Full-disclosure] [VulnWatch] [AppSecInc Team SHATTER Security Advisory] Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages[Scanned], Team SHATTER
Previous by Thread:  [Full-disclosure] iDEFENSE Security Advisory 04.18.05: McAfee Internet Security Suite 2005 Insecure File Permission Vulnerability, iDEFENSE Labs
Next by Thread:  [Full-disclosure] [VulnWatch] [AppSecInc Team SHATTER Security Advisory] Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages[Scanned], Team SHATTER
Indexes:  [Date] [Thread] [Top] [All Lists]