Application Security, Inc.

Team SHATTER Security Alert

TZ_OFFSET buffer overflow

February 14, 2003

To determine if you are vulnerable to this attack, download AppDetective™ from http://www.appsecinc.com/products/appdetective/oracle

Risk level: High

Threat: This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server.

Versions Affected: All Versions of Oracle

Summary:
A buffer overflow exists in the built-in function TZ_OFFSET. This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server. TZ_OFFSET is a built-in function and, as such, permission to execute it is granted to all database users.

Details:
The Oracle database provides a built-in function called TZ_OFFSET, which returns the time zone offset corresponding to the value entered, based on the date the statement is executed. You can enter a valid time zone name, a time zone offset from UTC (which simply returns itself), or the keyword SESSIONTIMEZONE or DBTIMEZONE.

A buffer overflow exists in the TZ_OFFSET function. This buffer overflow occurs when a long string is passed as the second parameter of the function. Below is an example:

SELECT TZ_OFFSET('US/EasternXXXX[74 additional Xs]') FROM DUAL;

The buffer overflow occurs as the database attempts to copy the time zone name into a buffer on the stack. This buffer overflow does not result in the Oracle process crashing. However, the buffer overflow does result in the saved return address being overwritten on the stack.

A user needs no privileges to execute this function. This security issue allows a non-privileged user to elevate his or her privileges to DBA.
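A defender-side check written for this advisory (an added example, not code from Application Security, Inc. or Oracle): it scans captured SQL statement text, such as an audit trail or SQL trace, for TZ_OFFSET calls whose literal argument is implausibly long, like the statement shown above. The 64-character threshold and the sample statements are assumptions constructed for the example, not figures from the advisory.

```python
import re

# Assumed threshold: real time zone region names are a few dozen characters
# at most, so a literal longer than this is not a legitimate TZ_OFFSET input.
# The advisory does not state the actual buffer size.
MAX_TZ_ARG_LEN = 64

# Matches TZ_OFFSET( followed by a single-quoted SQL literal.
# Inside the literal a doubled quote ('') is the SQL escape for one quote.
_TZ_CALL = re.compile(r"\bTZ_OFFSET\s*\(\s*'((?:[^']|'')*)'", re.IGNORECASE)


def find_long_tz_offset_args(sql, max_len=MAX_TZ_ARG_LEN):
    """Return every literal passed to TZ_OFFSET in `sql` longer than max_len.

    Calls with non-literal arguments (SESSIONTIMEZONE, DBTIMEZONE, bind
    variables) carry no literal and are never flagged.
    """
    hits = []
    for m in _TZ_CALL.finditer(sql):
        literal = m.group(1).replace("''", "'")  # unescape doubled quotes
        if len(literal) > max_len:
            hits.append(literal)
    return hits


def scan_statements(statements, max_len=MAX_TZ_ARG_LEN):
    """Return (index, statement, longest_literal_len) for suspicious statements."""
    flagged = []
    for i, stmt in enumerate(statements):
        hits = find_long_tz_offset_args(stmt, max_len)
        if hits:
            flagged.append((i, stmt, max(len(h) for h in hits)))
    return flagged


# Constructed sample statements; the third reproduces the advisory's example
# ('US/Eastern' followed by 78 X characters, 88 characters in total).
SAMPLE_STATEMENTS = [
    "SELECT TZ_OFFSET('US/Eastern') FROM DUAL",
    "SELECT TZ_OFFSET(SESSIONTIMEZONE) FROM DUAL",
    "select tz_offset( 'US/Eastern" + "X" * 78 + "' ) from dual",
    "SELECT TZ_OFFSET(:tz) FROM DUAL",
]

if __name__ == "__main__":
    for idx, stmt, longest in scan_statements(SAMPLE_STATEMENTS):
        print(f"statement {idx}: TZ_OFFSET literal of {longest} chars "
              f"exceeds {MAX_TZ_ARG_LEN}")
```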

Fix:
To fix this problem, you must download and apply the appropriate patch. Patches for the Oracle database server can be downloaded from Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). This patch is identified by the base bug number 2642267.

The issue is fixed in the 9.2.0.3 patchset. Patches are available for 9.2.0.2, 9.0.1.4, 8.1.7.4, 8.1.7.2, 8.1.7.0, and 8.0.6. For a detailed grid of the platform details, view the grid at http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf.