CVE-2003-1208 (CNNVD-200412-010)

CRITICAL
中文标题:
Oracle数据库Parameter/Statement缓冲区溢出漏洞
英文标题:
Multiple buffer overflows in Oracle 9i 9 before 9.2.0.3 allow local users to execute arbitrary code ...
CVSS分数: 10.0
发布时间: 2005-05-19 04:00:00
漏洞类型: 授权问题
状态: PUBLISHED
数据质量分数: 0.30
数据版本: v3
漏洞描述
中文描述:

Oracle是一款大型数据库软件。 Oracle在处理部分参数和函数时缺少充分缓冲区边界检查,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能以数据库进程权限执行任意指令。 Oralce存在多个缓冲区溢出,具体如下: 1、TIME_ZONE参数指定默认时区置换,TIME_ZONE仅是一个会话参数,而不是一个初始化参数,一个类似的合法请求为: ALTER SESSION SET TIME_ZONE = '-5:00'; TIME_ZONE参数由于缺少充分缓冲区边界检查,提交包含超长字符串的请求可导致触发缓冲区溢出,如: ALTER SESSION SET TIME_ZONE = '<long string here>'; SELECT CURRENT_TIMESTAMP, LOCALTIMESTAMP FROM DUAL; 默认情况下,任意用户可以提交此请求。上面的攻击必须使用SCOTT / TIGER帐户。 2、NUMTOYMINTERVAL是用于转换N为一个INTERVAL YEAR TO MONTH,n可以为数字或数字表达式,char_expr可以为CHAR, VARCHAR2, NCHAR, or NVARCHAR2数据类型,类似合法请求为: SELECT last_name, hire_date, salary, SUM(salary) OVER (ORDER BY hire_date RANGE NUMTOYMINTERVAL(1,'year') PRECEDING) AS t_sal FROM employees; n = 1 char_expr = year NUMTOYMINTERVAL函数由于对参数缺少充分缓冲区边界检查,提交包含超长字符串的请求可导致触发缓冲区溢出,如: SELECT last_name, hire_date, salary, SUM(salary) OVER (ORDER BY hire_date RANGE NUMTOYMINTERVAL(1,'<long string here>') PRECEDING) AS t_sal FROM employees; 默认情况下,任意用户可以提交此请求。上面的攻击必须使用SCOTT / TIGER帐户。 3、NUMTODSINTERVAL是用于转换n为INTERVAL DAY TO SECOND的函数,n可以为数字或数字表达式,char_expr可以为CHAR, VARCHAR2, NCHAR, or NVARCHAR2数据类型,类似合法请求为: SELECT manager_id, last_name, hire_date, COUNT(*) OVER (PARTITION BY manager_id ORDER BY hire_date RANGE NUMTODSINTERVAL(100, 'day') PRECEDING) AS t_count FROM employees; n = 100 char_expr = day NUMTODSINTERVAL函数由于对参数缺少充分边界缓冲区检查,提交包含超长字符串的请求可导致触发缓冲区溢出,如: SELECT empno, ename, hiredate, COUNT(*) OVER (PARTITION BY empno ORDER BY hiredate RANGE NUMTODSINTERVAL(100, '<long string here>') PRECEDING) AS t_count FROM emp; 默认情况下,任意用户可以提交此请求。上面的攻击必须使用SCOTT / TIGER帐户。 4、FROM_TZ函数用于转换时间戳,类似请求如下: SELECT FROM_TZ(TIMESTAMP '2003-09-8 08:00:00', '12:00') FROM DUAL; 此语法返回如下值: which would return the values FROM_TZ函数对TZD参数缺少充分边界缓冲区检查,提交包含超长字符串的请求可导致触发缓冲区溢出,如: SELECT FROM_TZ(TIMESTAMP '2000-03-28 08:00:00','long string here') FROM DUAL; 默认情况下,任意用户可以提交此请求。

英文描述:

Multiple buffer overflows in Oracle 9i 9 before 9.2.0.3 allow local users to execute arbitrary code by (1) setting the TIME_ZONE session parameter to a long value, or providing long parameters to the (2) NUMTOYMINTERVAL, (3) NUMTODSINTERVAL or (4) FROM_TZ functions.

CWE类型:
(暂无数据)
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
oracle oracle9i enterprise_9.0.1 - - cpe:2.3:a:oracle:oracle9i:enterprise_9.0.1:*:*:*:*:*:*:*
oracle oracle9i enterprise_9.2.0 - - cpe:2.3:a:oracle:oracle9i:enterprise_9.2.0:*:*:*:*:*:*:*
oracle oracle9i enterprise_9.2.0.1 - - cpe:2.3:a:oracle:oracle9i:enterprise_9.2.0.1:*:*:*:*:*:*:*
oracle oracle9i enterprise_9.2.0.2 - - cpe:2.3:a:oracle:oracle9i:enterprise_9.2.0.2:*:*:*:*:*:*:*
oracle oracle9i personal_9.0.1 - - cpe:2.3:a:oracle:oracle9i:personal_9.0.1:*:*:*:*:*:*:*
oracle oracle9i personal_9.2 - - cpe:2.3:a:oracle:oracle9i:personal_9.2:*:*:*:*:*:*:*
oracle oracle9i personal_9.2.0.1 - - cpe:2.3:a:oracle:oracle9i:personal_9.2.0.1:*:*:*:*:*:*:*
oracle oracle9i personal_9.2.0.2 - - cpe:2.3:a:oracle:oracle9i:personal_9.2.0.2:*:*:*:*:*:*:*
oracle oracle9i standard_9.0 - - cpe:2.3:a:oracle:oracle9i:standard_9.0:*:*:*:*:*:*:*
oracle oracle9i standard_9.0.1 - - cpe:2.3:a:oracle:oracle9i:standard_9.0.1:*:*:*:*:*:*:*
oracle oracle9i standard_9.0.1.2 - - cpe:2.3:a:oracle:oracle9i:standard_9.0.1.2:*:*:*:*:*:*:*
oracle oracle9i standard_9.0.1.3 - - cpe:2.3:a:oracle:oracle9i:standard_9.0.1.3:*:*:*:*:*:*:*
oracle oracle9i standard_9.0.1.4 - - cpe:2.3:a:oracle:oracle9i:standard_9.0.1.4:*:*:*:*:*:*:*
oracle oracle9i standard_9.0.2 - - cpe:2.3:a:oracle:oracle9i:standard_9.0.2:*:*:*:*:*:*:*
oracle oracle9i standard_9.2 - - cpe:2.3:a:oracle:oracle9i:standard_9.2:*:*:*:*:*:*:*
oracle oracle9i standard_9.2.0.1 - - cpe:2.3:a:oracle:oracle9i:standard_9.2.0.1:*:*:*:*:*:*:*
oracle oracle9i standard_9.2.0.2 - - cpe:2.3:a:oracle:oracle9i:standard_9.2.0.2:*:*:*:*:*:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
oracle-multiple-function-bo(15060) vdb-entry
cve.org
访问
VU#399806 third-party-advisory
cve.org
访问
3840 vdb-entry
cve.org
访问
O-093 third-party-advisory
cve.org
访问
10805 third-party-advisory
cve.org
访问
VU#819126 third-party-advisory
cve.org
访问
3838 vdb-entry
cve.org
访问
VU#240174 third-party-advisory
cve.org
访问
20040205 Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow mailing-list
cve.org
访问
9587 vdb-entry
cve.org
访问
3839 vdb-entry
cve.org
访问
VU#846582 third-party-advisory
cve.org
访问
3837 vdb-entry
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
无标题 x_refsource_MISC
cve.org
访问
CVSS评分详情
10.0
CRITICAL
CVSS向量: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS版本: 2.0
机密性
COMPLETE
完整性
COMPLETE
可用性
COMPLETE
时间信息
发布时间:
2005-05-19 04:00:00
修改时间:
2024-08-08 02:19:46
创建时间:
2025-11-11 15:32:20
更新时间:
2025-11-11 15:48:54
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2003-1208 2025-11-11 15:17:28 2025-11-11 07:32:20
NVD nvd_CVE-2003-1208 2025-11-11 14:50:38 2025-11-11 07:41:06
CNNVD cnnvd_CNNVD-200412-010 2025-11-11 15:08:43 2025-11-11 07:48:54
版本与语言
当前版本: v3
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v3 CNNVD
2025-11-11 15:48:54
vulnerability_type: 未提取 → 授权问题; cnnvd_id: 未提取 → CNNVD-200412-010; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 授权问题
  • cnnvd_id: 未提取 -> CNNVD-200412-010
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2025-11-11 15:41:06
severity: SeverityLevel.MEDIUM → SeverityLevel.CRITICAL; cvss_score: 未提取 → 10.0; cvss_vector: NOT_EXTRACTED → AV:N/AC:L/Au:N/C:C/I:C/A:C; cvss_version: NOT_EXTRACTED → 2.0; affected_products_count: 0 → 17; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • severity: SeverityLevel.MEDIUM -> SeverityLevel.CRITICAL
  • cvss_score: 未提取 -> 10.0
  • cvss_vector: NOT_EXTRACTED -> AV:N/AC:L/Au:N/C:C/I:C/A:C
  • cvss_version: NOT_EXTRACTED -> 2.0
  • affected_products_count: 0 -> 17
  • data_sources: ['cve'] -> ['cve', 'nvd']