<<< Date Index >>>     <<< Thread Index >>>

[SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server



AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server

Date:
August 31, 2004

Detailed Information Provided Online At:
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

Credit:
These vulnerabilities were researched and discovered by Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)

Risk Level:
High

Abstract:
Multiple buffer overflow and denial of service (DoS) vulnerabilities exist in the Oracle Database Server which allow database users to take complete control over the database and optionally cause denial of service.

The official advisory from Oracle Corporation can be obtained from: http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf


Details:

http://www.appsecinc.com/resources/alerts/oracle/2004-0001/

#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_INSTANTIATE package

#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of DBMS_REPCAT_INSTANTIATE package

#3 - Buffer overflow in public function INSTANTIATE_ONLINE of DBMS_REPCAT_INSTANTIATE package

#4 - Buffer overflow on "gname" parameter on procedures of Replication Management API Packages

#5 - Buffer overflow on "sname" and "oname" parameters on procedures of DBMS_REPCAT package

#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT package

#7 - Buffer overflow on "gowner" parameter on procedures of the DBMS_REPCAT package

#8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT package

#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT package

#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of DBMS_REPCAT package

#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package

#12 - Buffer overflow in functions INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_RGT package

#13 - Buffer overflow on TEMPFILE parameter

#14 - Buffer overflow on LOGFILE parameter

#15 - Buffer overflow on CONTROLFILE parameter

#16 - Buffer overflow on FILE parameter

#17 - Buffer overflow in Interval Conversion Functions

#18 - Buffer overflow in String Conversion Function

#19 - Buffer overflow in CTX_OUTPUT Package Function

#21 - Buffer overflow on DATAFILE parameter

#22 - Buffer overflow in DBMS_SYSTEM package function

#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages

#25 - Buffer overflow on procedures of the Replication Management API packages

#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus Service

#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of DBMS_AQ_IMPORT_INTERNAL package

#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of DBMS_AQADM package

#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of DBMS_AQADM package

#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS package

#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of DBMS_DEFER_INTERNAL_SYS package

#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of DBMS_DEFER_REPCAT package

#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of DBMS_INTERNAL_REPCAT package

#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of DBMS_INTERNAL_REPCAT package

#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package

#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF package

#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package

#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package

#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package

#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package

#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package

#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package

#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package


To determine if you are vulnerable, please download AppDetective from:

http://www.appsecinc.com/products/appdetective/oracle/


Comments:

Exploitation of these vulnerabilities will allow an attacker to completely compromise the OS and the database if Oracle is running on Windows platform, because Oracle must run under the local System account or under an administrative account. If Oracle is running on *nix then only the database would be compromised because Oracle runs mostly under oracle user which has restricted permissions.


Workaround:

-Check packages permissions and remove public permissions. Set minimal permissions that fit your needs.
-Restrict users to execute PL/SQL statements directly over the server.
-Periodically audit user permissions on all database objects.
-Lock users that aren't used.
-Change default passwords.
-Keep Oracle up to date with patches.

Vendor Contact:
Vendor was contacted and has released fixes.


Credit:

Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com) discovered all of the following issues: #1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,#32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43,and #44

Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com) discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22

--
Thank you,
shatter[at]appsecinc(dot)com
Application Security, Inc.
phone: 212-947-8787
fax: 212-947-8788

----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com

AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business. ----------------------------------------------------------------------