[SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server
AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server
Date:
August 31, 2004
Detailed Information Provided Online At:
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
Credit:
These vulnerabilities were researched and discovered by Cesar Cerrudo
and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
Risk Level:
High
Abstract:
Multiple buffer overflow and denial of service (DoS) vulnerabilities
exist in the Oracle Database Server which allow database users to take
complete control over the database and optionally cause denial of service.
The official advisory from Oracle Corporation can be obtained from:
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
Details:
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
DBMS_REPCAT_INSTANTIATE package
#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
DBMS_REPCAT_INSTANTIATE package
#3 - Buffer overflow in public function INSTANTIATE_ONLINE of
DBMS_REPCAT_INSTANTIATE package
#4 - Buffer overflow on "gname" parameter on procedures of Replication
Management API Packages
#5 - Buffer overflow on "sname" and "oname" parameters on procedures of
DBMS_REPCAT package
#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
package
#7 - Buffer overflow on "gowner" parameter on procedures of the
DBMS_REPCAT package
#8 - Buffer overflow on "operation" parameter on procedures of
DBMS_REPCAT package
#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
package
#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
DBMS_REPCAT package
#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
#12 - Buffer overflow in functions INSTANTIATE_OFFLINE,
INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of
DBMS_REPCAT_RGT package
#13 - Buffer overflow on TEMPFILE parameter
#14 - Buffer overflow on LOGFILE parameter
#15 - Buffer overflow on CONTROLFILE parameter
#16 - Buffer overflow on FILE parameter
#17 - Buffer overflow in Interval Conversion Functions
#18 - Buffer overflow in String Conversion Function
#19 - Buffer overflow in CTX_OUTPUT Package Function
#21 - Buffer overflow on DATAFILE parameter
#22 - Buffer overflow in DBMS_SYSTEM package function
#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
#25 - Buffer overflow on procedures of the Replication Management API
packages
#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus
Service
#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
DBMS_AQ_IMPORT_INTERNAL package
#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
DBMS_AQADM package
#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
DBMS_AQADM package
#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
package
#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
DBMS_DEFER_INTERNAL_SYS package
#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
DBMS_DEFER_REPCAT package
#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
DBMS_INTERNAL_REPCAT package
#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
DBMS_INTERNAL_REPCAT package
#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package
#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
package
#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package
#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
To determine if you are vulnerable, please download AppDetective from:
http://www.appsecinc.com/products/appdetective/oracle/
Comments:
Exploitation of these vulnerabilities will allow an attacker to
completely compromise the OS and the database if Oracle is running on
Windows platform, because Oracle must run under the local System account
or under an administrative account. If Oracle is running on *nix then
only the database would be compromised because Oracle runs mostly under
oracle user which has restricted permissions.
Workaround:
-Check packages permissions and remove public permissions. Set minimal
permissions that fit your needs.
-Restrict users to execute PL/SQL statements directly over the server.
-Periodically audit user permissions on all database objects.
-Lock users that aren't used.
-Change default passwords.
-Keep Oracle up to date with patches.
Vendor Contact:
Vendor was contacted and has released fixes.
Credit:
Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
discovered all of the following issues:
#1,#2,#3,#4,#5,#6,#7,#8,#9,#10,#11,#12,#24,#25,#26,#27,#28,#29,#30,#31,#32,#33,#34,#35,#36,#37,#39,#40,#41,#42,#43,and
#44
Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com)
discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22
--
Thank you,
shatter[at]appsecinc(dot)com
Application Security, Inc.
phone: 212-947-8787
fax: 212-947-8788
----------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com
AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business.
----------------------------------------------------------------------