Rule: -- Sid: 3526 -- Summary: This event is generated when an attempt is made to exploit a vulnerability associated with the Oracle XML Database (XDB) FTP UNLOCK command. -- Impact: A successful attack may allow arbitrary commands to be executed on a vulnerable server by an authenticated user. -- Detailed Information: The Oracle XDB UNLOCK command is vulnerable to a buffer overflow attack. A fixed size buffer is allocated for a parameter associated with the command. A user-supplied parameter value that is longer than the allocated buffer can cause a buffer overflow and allow the subsequent execution of arbitrary commands on a vulnerable server. It should be noted that valid credentials must be supplied for authentication and access to the server. -- Affected Systems: Oracle 9.2.0.1 -- Attack Scenarios: An attacker can craft an UNLOCK command and supply it an overly long parameter. -- Ease of Attack: Simple. Exploits exist. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Upgrade to the most current non-affected version of the product. -- Contributors: Sourcefire Vulnerability Research Team Judy Novak -- Additional References: Variations in Exploit methods between Linux and Windows - David Litchfield: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf --
