oreilly.comSafari Books Online.Conferences.


Security Alerts

Oracle9i Database Server Problems


Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a problem with the Oracle9i Database Server; buffer overflows in XPilot, Tru64 Unix's libc and dtprintinfo, and the Melange Chat Server; and problems in Snort, Mandrake's rsync, Raptor Firewall, restricted shells, and the Informix Web DataBlade.

Oracle9i Database Server

The Oracle9i Database Server has a vulnerability in the SQL syntax for outer joins that can be used by an attacker to read unauthorized data in the database. Oracle 9 release 9.0.1.x is affected by this vulnerability, but Oracle 8i, Oracle 8, and Oracle 7 are not affected.

Oracle has fixed this vulnerability in Oracle 9i release 2 and has made patches available (bug fix number 2121935) for supported releases of Oracle 9i release 9.0.1.x. Oracle also recommends that all views created before the application of the patch be recompiled after the patch, and that users test the stability of their system prior to deleting any of the files replaced by the patch.


A tool named Fragroute has been released that can hide network attacks from the Snort Intrusion Detection System (IDS) by fragmenting the attack's packets in a very specific way. Linux- and OpenBSD-based firewalls are reported to reassemble the packets so that a Snort IDS inside the firewall will detect the attack. However, many other firewalls will not reassemble the packets.

Affected users should watch for an updated version of the Snort IDS and should attempt to keep Snort or any other IDS as up to date as possible to protect against future attacks.


The XPilot game, a multi-player tactical game for Unix machines running the X Window system, has a buffer overflow in the XPilot server that can be used execute arbitrary code with the permissions of the user running XPilot.

It is recommended that users upgrade to version 4.5.2 of XPilot as soon as possible.

Mandrake rsync

Mandrake has released a new version of rsync for Mandrake Linux 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1, and Single Network Firewall 7.2. This version repairs the problem of rsync not dropping some group permissions, and also fixes zlib-related problems. It should be noted that Mandrake Linux's default configuration is not vulnerable to the group permissions problem in rsync.

The Mandrake Linux Security Team recommends that all users upgrade to rsync version 2.5.4.

FreeBSD Routing Table Memory Leak

Some versions of FreeBSD have a memory leak in the routing table that can be used by a remote attacker in a denial-of-service attack that exhausts the machine's memory. FreeBSD 4.5-RELEASE and FreeBSD 4-STABLE from the dates 2001-12-07 09:23:11 UTC through 2002-03-22 16:54:19 UTC are vulnerable.

Users should upgrade to a repaired version of FreeBSD. A suggested workaround is to deny ICMP echo packets using the packet filter.

Raptor Firewall

The Raptor Firewall is vulnerable, under some conditions, to an FTP bounce attack that can be used to scan hosts while hiding the source of the attack. The Raptor Firewall version 6.5.3 for Solaris and the Symantec Enterprise Firewall version 7.0 for Solaris are reported to be vulnerable to this attack.

Symantec recommends that all affected users apply the available hotfix. This hotfix provides an updated and enhanced FTP module that provides configurable logging of potential attacks, and optional strict port checking. Symantec is investigating their other supported platforms and products for a vulnerability to this attack.

Tru64 Unix Problems

Compaq has announced buffer overflows in the standard c library libc and the dtprintinfo utility. The libc buffer overflow is in the code that deals with the environmental variables LANG and LOCPATH, and can be exploited to gain additional privileges when used to exploit set user id or set group id applications that are linked with libc. The dtprintinfo utility is used to open the CDE Print Manager window. As dtprintinfo is installed set user id root, the buffer overflow can be used by a local attacker to gain root permissions.

Compaq recommends that users apply the appropriate patches for their system. Systems that do not use the printing subsystem should consider disabling the system and removing the set user id bits from associated utilities.

Restricted Shells

It has been reported that, under some conditions, it is possible to escape from a restricted shell and execute arbitrary commands, including unrestricted shells. The attacker uses scp or rcp to copy a script to a world-writable directory and then uses ssh or rsh to execute that script and escape the restrictions of their shell.

Affected systems may be able to work around this problem with a careful configuration of the r* commands and SSH.

Informix Web DataBlade

Several problems have been reported in the Informix Web DataBlade: under some circumstances, local users can exploit the Perl scripting feature to execute arbitrary code with the permissions of the user executing the database (often root), an attacker can sometimes inject arbitrary SQL code, and under some additional conditions, an attacker can avoid some user input checks and inject SQL code.

Users should watch IBM for an announcement and fix for these problems. The database should be executed by a user with the minimum permissions needed, and developer access should be restricted to required users. Users should also consider disabling the Perl scripting feature if it is not needed.

Melange Chat Server

The Melange Chat Server is vulnerable to multiple remotely-exploitable, buffer overflow attacks that can be used to crash the server in a denial-of-service attack and may be exploitable to execute arbitrary code with the permissions of the user executing Melange. Due to several design decisions, Melange may often be run with root permissions. A script to automate a denial-of-service attack against Melange has been released.

It is reported that the Melange Chat Server is not under active development. Users should consider replacing Melange with a chat server that is being maintained.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: