24-Jul-2009: CVE-2009-1963 PoC (CPUjul2009)

- Finally, CVE-2009-1963 also receives a CVSS Base Score of 7.5; however it is not remotely exploitable without authentication, and only affects Oracle Database Server 11.1.0.6.

Here is explanation of vulnerability I did found.

This exploit makes Oracle 11g win32 instance DoS (spinning to 100% CPU) and raise heap corruption problems.

Because, I'm not sure in exact packets structures, please use exactly this:

1. Win32 box with Oracle 11g RDBMS.

2. Win32 box with Oracle 10gR2 (10.2) client installed.

Client is needed by version.cpp/exe program which logon as SCOTT/TIGER and executes "select * from v$version". Do not forget to unlock SCOTT user or change user in version.cpp and recompile it.

Run tcp_fwd program:

tcp_fwd (IP address of 1st box) 1521 (IP address of 2nd box) 1521

All what this simple TCP forwarder do is only modify one packet in our sequence:

	      if (buf[0xA]==0x11 && r==229) // TTIPFN, that's our packet
		{
		  printf ("TTIPFN from client, we modify it.\n");

                  buf[4]=0xF;
                };

So, if packet have TTIPFN type and its size is 229, then this is a packet where "select * from v$version" statement goes. tcp_fwd program modify TNS type of packet to 0xF type. Please note that this is so-called "DD packet" TNS packet type, introduced in 11g.

Run version.exe on box 2:

version (IP address of 2nd box)@orcl

After that, Oracle 11g instance will be spinning to 100% CPU and heap corruption problem should be raised.

Download:

TCP forwarder with source code.

Simple program asking for version, to be running on 10.2 client.


→ [list of blog posts]

Please drop me email about any bug(s) and suggestion(s): dennis(@)yurichev.com.