Oracle 9i Application Server PL/SQL Apache Module Buffer Overflow Vulnerability
Oracle 9i Application Server comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL and JSP.
The PL/SQL Apache module for Oracle 9iAS provides functionality for remote administration of the Database Access Descriptors and access to help pages.
A remotely exploitable buffer overflow exists in the PL/SQL Apache module. A request for an excessively long help page can cause stack variables to be overwritten. As a result, the return address can be overwritten with attacker-supplied values, allowing for arbitrary code execution.
On Microsoft Windows NT/2000 systems this may mean that the attacker-supplied code is executed with SYSTEM-level privileges, as this is the privilege level that the Apache process runs under. On other operating systems, successful exploitation may give the attacker local access.
It should be noted that when a web user tries to access an /admin_/ page, the user will receive a challenge for authentication via a username/password prompt. However, no such challenge is issued when a web user attempts to access help pages.
This issue may also be exploited as a crude denial of service attack.
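
Because help pages are served without an authentication challenge, requests for them with unusually long paths are worth flagging in the web server's access log. The following is an added example, not part of the original advisory or any Oracle code: a log scan that reports such requests. The `HELP_MARKER` path fragment, the `MAX_PATH_LEN` threshold and the sample log lines are assumptions constructed for illustration; set the first two to match your deployment.

```python
import re
from urllib.parse import unquote

# Assumptions, not values from the advisory: the URL marker that identifies
# help-page requests on your deployment, and the length treated as excessive.
HELP_MARKER = "/help/"
MAX_PATH_LEN = 512

# Apache common/combined log format; the request field may hold escaped quotes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def scan(lines):
    """Return one finding per oversized help-page request in access-log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry; skip rather than guess
        parts = m["request"].split(" ")
        # A malformed request line may lack method/protocol; use the whole field.
        target = parts[1] if len(parts) >= 2 else m["request"]
        path = unquote(target.split("?", 1)[0])  # decode so %-encoding cannot hide the marker
        if HELP_MARKER in path.lower() and len(path) > MAX_PATH_LEN:
            findings.append({
                "line": lineno,
                "host": m["host"],
                "time": m["time"],
                "status": int(m["status"]),
                "path_len": len(path),
                # "-" in the user field means no credentials were presented
                "authenticated": m["user"] != "-",
            })
    return findings

# Constructed sample log lines (documentation addresses, filler path data).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jan/2002:10:01:00 +0000] "GET /help/index.htm HTTP/1.0" 200 512',
    '198.51.100.4 - dba [10/Jan/2002:10:02:00 +0000] "GET /admin_/ HTTP/1.0" 200 900',
    '203.0.113.7 - - [10/Jan/2002:10:03:00 +0000] "GET /help/' + "A" * 2000 + ' HTTP/1.0" 500 -',
    '203.0.113.7 - - [10/Jan/2002:10:04:00 +0000] "GET /static/' + "A" * 2000 + ' HTTP/1.0" 404 -',
    'truncated or non-log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Long paths outside the help area and lines that do not parse as access-log entries are ignored, so only the third sample line is reported.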