Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.

Team SHATTER Security Alert

TO_TIMESTAMP_TZ buffer overflow

February 14, 2003

To determine if you are vulnerable to this attack, download AppDetective™ from http://www.appsecinc.com/products/appdetective/oracle

Risk level: High

Threat: This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server.

Versions Affected: All Versions of Oracle

Summary:
A buffer overflow exists in the function TO_TIMESTAMP_TZ. This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server. TO_TIMESTAMP_TZ is a built-in function and, as such, permission to execute it is granted to all database users.

Details:
Oracle database provides a built-in function called TO_TIMESTAMP_TZ which converts a datatype of CHAR, VARCHAR2, NCHAR, or NVARCHAR2 to a value of TIMESTAMP WITH TIME ZONE datatype.

A buffer overflow exists in the TO_TIMESTAMP_TZ function. This buffer overflow occurs when a long string is passed as the second parameter of the function. Below is an example:

SELECT TO_TIMESTAMP_TZ('1999-12-01 11:00:00 -8:00', 'YYYY-MM-DD HH:MI:SS TZH:TZMXXXX[230 additional Xs]') FROM DUAL;

The buffer overflow occurs as the database attempts to parse the format string passed as the second argument of the function.

This buffer overflow does not result in the Oracle process crashing. However, the buffer overflow does result in the saved return address being overwritten on the stack.
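The distinguishing feature of the trigger described above is a TO_TIMESTAMP_TZ call whose second argument (the format model) is far longer than any legitimate datetime format. The following script is an added detection example, not code from the advisory or from Application Security Inc.: it parses captured SQL statement text, extracts the arguments of each TO_TIMESTAMP_TZ call while honouring quoted literals and nested parentheses, and flags calls whose format literal exceeds a length threshold. The sample statements and the 64-character threshold are constructed for illustration.

```python
"""Flag SQL statements that call TO_TIMESTAMP_TZ with an unusually long
format string.  Detection logic only; it assumes the statement text has
already been captured (for example from an audit trail or application logs).
"""
import re

# Assumption: legitimate Oracle datetime format models are short.  64 is an
# illustrative threshold chosen for this example, not a value from the advisory.
MAX_FORMAT_LEN = 64

CALL_RE = re.compile(r"TO_TIMESTAMP_TZ\s*\(", re.IGNORECASE)
# A single SQL string literal: quotes with '' as the escaped quote inside.
LITERAL_RE = re.compile(r"^'((?:[^']|'')*)'$", re.DOTALL)


def split_args(sql, start):
    """Return the argument strings of the call whose '(' sits at sql[start].

    Walks the text honouring single-quoted literals (with '' escapes) and
    nested parentheses, so commas inside literals or sub-calls do not split
    an argument.  Returns None if the call is never closed.
    """
    args, buf, depth, in_str = [], [], 0, False
    i = start
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":  # escaped quote
                    buf.append("''")
                    i += 2
                    continue
                in_str = False
            buf.append(ch)
        elif ch == "'":
            in_str = True
            buf.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:          # the outermost '(' is not part of an argument
                buf.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(buf).strip())
                return args
            buf.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    return None


def literal_length(arg):
    """Length of a plain single-quoted literal's contents, or None when the
    argument is a column, bind variable or expression (cannot be judged here)."""
    m = LITERAL_RE.match(arg)
    if not m:
        return None
    return len(m.group(1).replace("''", "'"))


def find_long_format_calls(sql, max_len=MAX_FORMAT_LEN):
    """Return findings for every TO_TIMESTAMP_TZ call in `sql` whose format
    argument is a literal longer than max_len, or is not a literal at all."""
    findings = []
    for m in CALL_RE.finditer(sql):
        args = split_args(sql, m.end() - 1)
        if args is None or len(args) < 2:
            continue                     # one-argument call: session default format
        length = literal_length(args[1])
        if length is None:
            findings.append(("non-literal format", args[1]))
        elif length > max_len:
            findings.append(("format too long", length))
    return findings


def scan(statements, max_len=MAX_FORMAT_LEN):
    """Map statement index -> findings for statements worth an analyst's look."""
    report = {}
    for i, stmt in enumerate(statements):
        findings = find_long_format_calls(stmt, max_len)
        if findings:
            report[i] = findings
    return report


# Constructed sample statements standing in for captured SQL text.
SAMPLE_SQL = [
    "SELECT TO_TIMESTAMP_TZ('1999-12-01 11:00:00 -8:00', 'YYYY-MM-DD HH:MI:SS TZH:TZM') FROM DUAL",
    "SELECT TO_TIMESTAMP_TZ('1999-12-01 11:00:00 -8:00', 'YYYY-MM-DD HH:MI:SS TZH:TZM"
    + "X" * 230 + "') FROM DUAL",
    "SELECT to_timestamp_tz(ts_col, fmt_col) FROM t",
    "SELECT TO_TIMESTAMP_TZ('2003-02-14 00:00:00 +0:00') FROM DUAL",
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_SQL).items():
        print(idx, findings)
```

Calls whose format argument is a column or bind variable are reported separately rather than ignored, because their length cannot be judged from the statement text alone; those need to be checked against the values actually supplied at run time.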

A user needs no privileges to execute this function. This security issue allows a non-privileged user to elevate his or her privileges to DBA.

Fix:
To fix this problem, you must download and apply the appropriate patch. Patches for the Oracle database server can be downloaded from Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). This patch is identified by the base bug number 2642439.

The issue is fixed in the 9.2.0.3 patchset. Patches are available for 9.0.1.4, 8.1.7.4, 8.1.7.2, 8.1.7.0, and 8.0.6. For a detailed grid of the platform details, view the grid at http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf.