Re: SQL Smuggling

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: SQL Smuggling
From: Marco Ivaldi <raptor@xxxxxxxxxxxxxxxx>
Date: Wed, 10 Sep 2008 13:03:24 +0200 (ora solare Europa occidentale)
In-reply-to: <20080909112220.9772.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20080909112220.9772.qmail@xxxxxxxxxxxxxxxxx>

Avi,

On Tue, 9 Sep 2008, douglen@xxxxxxxxxxx wrote:

[snip]

Of course, I'm looking forward to hearing about other instances ofthis...


Interesting reasearch.

It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"attack exploiting homoglyphic translation. As outlined by David Litchfieldin an old full-disclosure post [1]:

"It didn't take long to discover that this patch could be bypassed usingthe following techinque: due to internationalization, an Oracle databaseserver will convert the ? character (value 0xFF) to a capital Y. The PLSQLGateway will not. Thus, if we request:


http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE

the gateway will happily pass it over to the database server where the ?is conveted to a Y and we can gain access again".


Cheers,

[1]. See http://seclists.org/fulldisclosure/2006/Feb/0011.html

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

References:
- SQL Smuggling
  - From: douglen

Prev by Date: DeepSec 2008 - Conference Schedule
Next by Date: RE: Sun M-class hardware denial of service
Previous by thread: SQL Smuggling
Next by thread: Re: SQL Smuggling
Index(es):
- Date
- Thread