Rule:

--
Sid:
3526

--
Summary:
This event is generated when an attempt is made to exploit a vulnerability
associated with the Oracle XML Database (XDB) FTP UNLOCK command.

--
Impact:
A successful attack may allow arbitrary commands to be executed on a
vulnerable server by an authenticated user.

--
Detailed Information:
The Oracle XDB UNLOCK command is vulnerable to a buffer overflow
attack.  A fixed size buffer is allocated for a parameter associated
with the command.  A user-supplied parameter value that is longer than
the allocated buffer can cause a buffer overflow and allow the subsequent
execution of arbitrary commands on a vulnerable server.  It should be
noted that valid credentials must be supplied for authentication and access
to the server.

--
Affected Systems:
Oracle 9.2.0.1

--
Attack Scenarios:
An attacker can craft an UNLOCK command and supply it an overly long
parameter.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the most current non-affected version of the product.


--
Contributors:
Sourcefire Vulnerability Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

Variations in Exploit methods between Linux and Windows - David Litchfield:
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

--
