Database Security Issues with Oracle 9i

The security specialists Cesar Cerrudo (founder and CEO, Argeniss Security Research Team) and Mark Litchfield have discovered several vulnerabilities in Oracle 9i. These vulnerabilities make user access insecure; in particular, they are the reason the database access system of the software’s latest version cannot be called foolproof. The conversion functions NUMTOYMINTERVAL and NUMTODSINTERVAL suffer buffer overflows when given a long char_expr string, which allow an attacker to overwrite the stack with their own code. Moreover, the attacker might even be able to run the overwritten programs, resulting in total corruption of the database files. It also does not matter which platform (SYSTEM or ORACLE) the database is actually using. The susceptibility of Oracle 9i at this level can thus become a matter of real concern for administrators.
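An added example, not part of the original article: a log-review check that flags any call to the two functions whose char_expr is not one of the interval units Oracle documents for them (DAY, HOUR, MINUTE, SECOND for NUMTODSINTERVAL; YEAR, MONTH for NUMTOYMINTERVAL). The helper names `call_args` and `audit_statement` and the sample statements are constructed for illustration.

```python
import re

# Interval units Oracle documents as the only valid char_expr values.
VALID_UNITS = {"NUMTODSINTERVAL": {"DAY", "HOUR", "MINUTE", "SECOND"},
               "NUMTOYMINTERVAL": {"YEAR", "MONTH"}}
NAME_RE = re.compile(r"\b(NUMTODSINTERVAL|NUMTOYMINTERVAL)\s*\(", re.IGNORECASE)
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")  # one complete SQL string literal

def call_args(sql, pos):
    """Split the argument list starting just after '(' at pos; None if unterminated."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in sql[pos:]:
        if ch == "'":  # an escaped '' closes and reopens, so a toggle is enough
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            if depth == 0:
                return args + ["".join(cur).strip()]
            depth -= 1
        elif not in_str and ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None

def audit_statement(sql):
    """Return (function, reason) findings for one logged SQL statement."""
    findings = []
    for m in NAME_RE.finditer(sql):
        func, args = m.group(1).upper(), call_args(sql, m.end())
        if args is None or len(args) != 2:
            findings.append((func, "unparsed call"))
            continue
        lit = LITERAL_RE.fullmatch(args[1])
        if lit is None:  # bind variable or expression: cannot be judged statically
            findings.append((func, "char_expr is not a literal"))
        elif lit.group(1).strip().upper() not in VALID_UNITS[func]:
            findings.append((func, "unexpected char_expr, length %d" % len(lit.group(1))))
    return findings

# Constructed sample statements, as they might appear in a SQL audit trail.
SAMPLE = [
    "SELECT NUMTODSINTERVAL(100, 'day') FROM dual",
    "SELECT NUMTOYMINTERVAL(1, 'MONTH') + hire_date FROM emp",
    "SELECT NUMTOYMINTERVAL(1, '" + "X" * 400 + "') FROM dual",
    "SELECT NUMTODSINTERVAL(1, :unit) FROM dual",
]
```

Statements reported as "char_expr is not a literal" are not necessarily hostile; they are the ones where the unit is supplied at run time and need review against the calling application.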

