24-Jul-2009: CVE-2009-1963 PoC (CPUjul2009)

- Finally, CVE-2009-1963 also receives a CVSS Base Score of 7.5; however it is not remotely exploitable without authentication, and only affects Oracle Database Server

Here is an explanation of the vulnerability I found.

This exploit makes an Oracle 11g win32 instance DoS (spinning at 100% CPU) and raises heap corruption problems.

Because I'm not sure about the exact packet structures, please use exactly this setup:

1. Win32 box with Oracle 11g RDBMS.

2. Win32 box with Oracle 10gR2 (10.2) client installed.

The client is needed by the version.cpp/exe program, which logs on as SCOTT/TIGER and executes "select * from v$version". Do not forget to unlock the SCOTT user, or change the user in version.cpp and recompile it.

Run the tcp_fwd program:

tcp_fwd (IP address of 1st box) 1521 (IP address of 2nd box) 1521

All this simple TCP forwarder does is modify one packet in our sequence:

	if (buf[0xA] == 0x11 && r == 229) /* TTI opcode 0x11 (TTIPFN) at data offset, 229 bytes read: that's our packet */
		printf("TTIPFN from client, we modify it.\n");


So, if the packet has TTIPFN type and its size is 229, then this is the packet carrying the "select * from v$version" statement. The tcp_fwd program modifies the TNS packet type to 0xF. Please note that this is the so-called "DD packet" TNS packet type, introduced in 11g.
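As an added defensive check (not code from the original post or its PoC tools), the following parses the TNS header and flags the packet shape described above: a TTIPFN payload carried under TNS type 0xF. It assumes the standard 8-byte TNS header (length, packet checksum, type, reserved, header checksum) followed by a 2-byte data-flags field, which is why the TTI opcode sits at offset 0xA; the sample packets are constructed here.

```python
import struct

TNS_DATA = 0x06   # normal TNS data packet type
TNS_DD = 0x0F     # 11g "DD packet" type the post says the forwarder switches to
TTIPFN = 0x11     # TTI function-call opcode seen at buf[0xA]
POC_LEN = 229     # packet size the PoC forwarder keyed on


def parse_tns(buf):
    """Return (length, tns_type, tti_opcode), or None if the header is truncated
    or the declared length disagrees with the bytes actually read."""
    if len(buf) < 0xB:
        return None
    length = struct.unpack(">H", buf[:2])[0]
    if length != len(buf):
        return None
    return length, buf[4], buf[0xA]


def is_suspicious(buf, require_len=POC_LEN):
    """True for a TTIPFN payload under TNS type 0xF (the trigger described in the post).
    require_len=None drops the 229-byte condition and matches any such packet."""
    parsed = parse_tns(buf)
    if parsed is None:
        return False
    length, tns_type, opcode = parsed
    if require_len is not None and length != require_len:
        return False
    return tns_type == TNS_DD and opcode == TTIPFN


def build_packet(tns_type, body):
    """Constructed sample: 8-byte header + 2-byte data flags + body (checksums zero)."""
    payload = b"\x00\x00" + body
    return struct.pack(">HHBBH", 8 + len(payload), 0, tns_type, 0, 0) + payload


# constructed samples: a normal 229-byte TTIPFN data packet and the retyped copy
_BODY = bytes([TTIPFN]) + b"\x00" * (POC_LEN - 8 - 2 - 1)
NORMAL = build_packet(TNS_DATA, _BODY)
RETYPED = build_packet(TNS_DD, _BODY)


def scan(packets, require_len=POC_LEN):
    """Indexes of packets in a captured sequence that match the trigger shape."""
    return [i for i, p in enumerate(packets) if is_suspicious(p, require_len)]


if __name__ == "__main__":
    print(scan([NORMAL, RETYPED]))  # [1]
```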

Run version.exe on box 2:

version (IP address of 2nd box)@orcl

After that, the Oracle 11g instance will be spinning at 100% CPU and the heap corruption problem should be raised.


TCP forwarder with source code.

Simple program asking for the version, to be run on the 10.2 client.
