mailing list archives
R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service
From: "Rapid 7 Security Advisories" <advisory () rapid7 com>
Date: Wed, 9 Oct 2002 12:07:50 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Rapid 7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose(tm), our
advanced vulnerability scanner. Linux and Windows 2000
versions are available now!
Rapid 7 Advisory R7-0006
Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service
Published: October 9, 2002
Oracle: Oracle Security Alert #42
1. Affected system(s):
o Oracle 9i Release 2 (9.2.x)
o Oracle 9i Release 1 (9.0.x)
o Oracle 8i (8.1.x)
Apparently NOT VULNERABLE:
o Oracle 8.0.x (but see below)
The Oracle TNS Listener is susceptible to a denial of service attack
when issued the SERVICE_CURLOAD command.
3. Vendor status and information
Oracle was notified of this vulnerability and has made patches
available. This issue is being tracked as bug #2540219 in
the Oracle bug database.
Download and apply the vendor-supplied patches. Please see Oracle
Security Alert #42 for more information:
Please note that patches for some versions and platforms are not
5. Detailed analysis
Connecting to the Oracle TNS listener (usually on port 1521) and
issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))"
causes the Oracle server to respond with a message indicating
successful execution. However, once the caller closes the
connection, the listener service stops responding. The effects
of this DoS vary depending on how long the attacker keeps the
original connection open. If the caller keeps the listener
connection open while new connections are serviced, the listener
service will be disabled and may crash with an access violation.
If the caller closes the listener connection before other requests
are serviced, the listener service will refuse to accept new
We were unable to reproduce this issue on Oracle 8.0.6. Version
8.0.6 of Oracle logs a result of 0 (success) in listener.log.
However, the response to the caller contains error code 12629260,
which appears to be a non-standard error code. This may also be
the result of an exceptional condition, but we were unable to crash
or disable the listener in our testing.
6. Contact Information
Rapid 7 Security Advisories
Email: advisory () rapid7 com
Phone: +1 (212) 558-8700
7. Disclaimer and Copyright
Rapid 7, Inc. is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES
with regard to this information. Any application or distribution of
this information constitutes acceptance AS IS, at the user's own
risk. This information is subject to change without notice.
This advisory Copyright (C) 2002 Rapid 7, Inc. Permission is
hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)
-----END PGP SIGNATURE-----
- R7-0006: Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service Rapid 7 Security Advisories (Oct 12)