Oracle TNS Listener DoS and Remote Memory Inspection
21 Oct. 2007
Summary
The TNS Listener can be crashed by an attacker causing a Denial of Service; alternatively the attacker can use the same flaw to expose memory contents remotely. This may reveal sensitive information.
There is a bug in the GIOP service that can allow an attacker to crash the TNS Listener and/or dump memory. A DWORD in the GIOP connect packet is trusted as the size of the data in the packet.
Setting this DWORD to a large value (e.g. 0x1FFFF) causes the listener to allocate this much memory and then attempt to copy this much data into it, which eventually leads to a read access violation: the source data is shorter than this number, so the copy runs into uninitialized memory. If the attacker uses a smaller number, e.g. 0xFFFF, they can dump this many bytes from memory.
This may reveal sensitive information such as the TNS Listener password.
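The defect class behind this advisory is a length field taken from the wire and used, unchecked, as both the allocation size and the copy size. As an added illustration (this is constructed example code, not Oracle's listener code and not a GIOP parser), the block below uses an assumed minimal message format whose first little-endian DWORD declares the payload length. It shows the unchecked parsing pattern next to a hardened version that rejects any declared length exceeding the bytes actually received, and also caps it at an assumed fixed ceiling so a remote peer cannot dictate allocation size even when the data is present.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed, constructed format: 4-byte little-endian length, then payload. */
#define HDR_LEN 4
/* Assumed ceiling on a single payload; the real value is protocol-specific. */
#define MAX_PAYLOAD 65536u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern: the declared length alone drives malloc and memcpy.
 * When decl exceeds the bytes actually received, memcpy reads past the end
 * of pkt: a large decl eventually faults (denial of service), a smaller one
 * copies whatever follows the packet buffer (memory disclosure). */
int parse_payload_unchecked(const uint8_t *pkt, size_t len,
                            uint8_t **out, size_t *out_len)
{
    (void)len;                      /* received length is ignored: the bug */
    uint32_t decl = read_le32(pkt);
    uint8_t *buf = malloc(decl ? decl : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, pkt + HDR_LEN, decl);
    *out = buf;
    *out_len = decl;
    return 0;
}

/* Hardened pattern: the declared length is bounded by what was received and
 * by a fixed ceiling before any allocation or copy happens.
 * Returns 0 on success (caller frees *out), -1 on a malformed packet. */
int parse_payload_safe(const uint8_t *pkt, size_t len,
                       uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (pkt == NULL || len < HDR_LEN)
        return -1;                  /* header itself is incomplete */
    uint32_t decl = read_le32(pkt);
    if (decl > MAX_PAYLOAD)
        return -1;                  /* peer may not choose allocation size */
    if ((size_t)decl > len - HDR_LEN)
        return -1;                  /* declared more than was received */
    uint8_t *buf = malloc(decl ? decl : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, pkt + HDR_LEN, decl);
    *out = buf;
    *out_len = decl;
    return 0;
}

/* Exercises the hardened parser on constructed packets: one consistent,
 * one declaring 0xFFFF with 3 bytes present, one declaring 0x1FFFF.
 * Returns 1 when every case behaves as expected, 0 otherwise. */
int self_check(void)
{
    const uint8_t good[] = {3, 0, 0, 0, 'a', 'b', 'c'};
    const uint8_t over[] = {0xFF, 0xFF, 0, 0, 'a', 'b', 'c'};       /* 0xFFFF */
    const uint8_t huge[] = {0xFF, 0xFF, 0x01, 0x00, 'a'};           /* 0x1FFFF */
    uint8_t *o = NULL;
    size_t n = 0;

    if (parse_payload_safe(good, sizeof good, &o, &n) != 0) return 0;
    if (n != 3 || memcmp(o, "abc", 3) != 0) { free(o); return 0; }
    free(o);
    if (parse_payload_safe(over, sizeof over, &o, &n) != -1) return 0;
    if (parse_payload_safe(huge, sizeof huge, &o, &n) != -1) return 0;
    if (parse_payload_safe(good, 2, &o, &n) != -1) return 0;        /* short header */
    return 1;
}

int main(void)
{
    printf("hardened parser self-check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The two rejection checks are deliberately separate: comparing against `len - HDR_LEN` prevents the over-read that the advisory describes, while the ceiling prevents a peer from forcing large allocations even with a well-formed packet. The unchecked function is kept only to show the defect pattern; nothing here calls it.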