Here is an explanation of the vulnerability I found.
This exploit makes an Oracle 11g Win32 instance spin at 100% CPU (DoS) and raises heap corruption problems.
Because I'm not sure of the exact packet structures, please use exactly this setup:
1. Win32 box with Oracle 11g RDBMS.
2. Win32 box with the Oracle 10gR2 (10.2) client installed.
The client is needed by the version.cpp/exe program, which logs on as SCOTT/TIGER and executes "select * from v$version". Do not forget to unlock the SCOTT user, or change the user in version.cpp and recompile it.
Run the tcp_fwd program:
tcp_fwd (IP address of 1st box) 1521 (IP address of 2nd box) 1521
All this simple TCP forwarder does is modify one packet in our sequence:
if (buf[0xA] == 0x11 && r == 229) { // TTIPFN, that's our packet
    printf("TTIPFN from client, we modify it.\n");
    buf[4] = 0xF;
}
So, if the packet has TTIPFN type and its size is 229, this is the packet carrying the "select * from v$version" statement. The tcp_fwd program changes the TNS packet type to 0xF. Please note that this is the so-called "DD packet" TNS packet type, introduced in 11g.
Run version.exe on box 2:
version (IP address of 2nd box)@orcl
After that, the Oracle 11g instance will spin at 100% CPU and a heap corruption problem should be raised.
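From the defender's side, the thing worth catching on the wire is the one-byte rewrite described above: a packet whose TNS type byte (offset 4) says 0xF ("DD packet") while its body still carries a TTI function call (byte 0xA == 0x11, TTIPFN), which a normal client would only send inside a Data packet. The inspector below is an added example, not code from the original post or from Oracle; it assumes the standard 8-byte TNS header layout (length at bytes 0-1, type at byte 4, two data-flag bytes after the header, so the first TTI byte sits at offset 0xA) and the sample packets it builds are constructed, not captured.

```python
import struct

# Assumed TNS header layout: length(2) checksum(2) type(1) flags(1) header-checksum(2)
TNS_HEADER_LEN = 8
TNS_TYPE_DATA = 0x06   # regular TNS Data packet
TNS_TYPE_DD = 0x0F     # 11g "DD packet" type, as named in the post
TTI_OFFSET = 0x0A      # header (8) + 2 data-flag bytes -> first TTI byte
TTIPFN = 0x11          # TTI function-call code (buf[0xA] in the post)
STATEMENT_PKT_LEN = 229  # size of the "select * from v$version" packet in the post


def parse_tns_header(buf):
    """Return the fields of the 8-byte TNS header as a dict."""
    if len(buf) < TNS_HEADER_LEN:
        raise ValueError("short TNS packet")
    length, checksum, ptype, flags, hdr_checksum = struct.unpack(">HHBBH", buf[:8])
    return {"length": length, "checksum": checksum, "type": ptype,
            "flags": flags, "header_checksum": hdr_checksum}


def classify(buf):
    """Label one client->server TNS packet for review.

    "dd-type-with-tti-body": type byte says DD packet but the body starts with a
    TTI function call, i.e. a Data packet whose type byte was rewritten.
    "length-mismatch": header length disagrees with bytes on the wire.
    "ok": nothing suspicious under these two checks.
    """
    hdr = parse_tns_header(buf)
    if hdr["length"] != len(buf):
        return "length-mismatch"
    tti = buf[TTI_OFFSET] if len(buf) > TTI_OFFSET else None
    if hdr["type"] == TNS_TYPE_DD and tti == TTIPFN:
        return "dd-type-with-tti-body"
    return "ok"


def build_packet(ptype, body):
    """Constructed sample: header + two zero data-flag bytes + body."""
    total = TNS_HEADER_LEN + 2 + len(body)
    return struct.pack(">HHBBH", total, 0, ptype, 0, 0) + b"\x00\x00" + body


def sample_statement_packet(ptype=TNS_TYPE_DATA):
    """Constructed 229-byte packet whose body begins with TTIPFN; the
    statement text itself is replaced by filler since only the type byte and
    the first TTI byte matter to classify()."""
    filler = STATEMENT_PKT_LEN - TNS_HEADER_LEN - 2 - 1
    return build_packet(ptype, bytes([TTIPFN]) + b"A" * filler)


if __name__ == "__main__":
    for label, pkt in [("normal data packet", sample_statement_packet()),
                       ("rewritten type byte", sample_statement_packet(TNS_TYPE_DD)),
                       ("genuine short DD packet", build_packet(TNS_TYPE_DD, b"\x01\x02"))]:
        print(f"{label:24s} -> {classify(pkt)}")
```

The check is deliberately narrow: it does not try to validate the DD packet format (which the post does not describe) and only flags the contradiction between the type byte and the TTI body, so it can sit in a packet-capture review script without false positives on legitimate 11g traffic.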
Download:
TCP forwarder with source code.
Simple program that asks for the version, to be run on the 10.2 client.
Please drop me an email about bug(s) and/or suggestion(s): my emails.