Application Security, Inc.

Team SHATTER Security Alert

BFILENAME buffer overflow

February 14, 2003

To determine if you are vulnerable to this attack, download AppDetective™ from http://www.appsecinc.com/products/appdetective/oracle

Risk level: High

Threat: This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server.

Versions Affected: All Versions of Oracle

Summary:
A buffer overflow exists in the built-in function BFILENAME. This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server. Because BFILENAME is a built-in function, permission to execute it is granted to all database users.

Details:
The Oracle database provides a built-in function called BFILENAME. BFILENAME is used to return a BFILE locator which is associated with a physical LOB binary file. The function accepts two parameters: DIRECTORY and FILENAME.

The buffer overflow occurs as Oracle attempts to copy the DIRECTORY value into a buffer on the stack. The overflow does not crash the Oracle process. However, it does overwrite the saved return address on the stack.

A user needs no privileges to execute this function. This security issue allows a non-privileged user to elevate his or her privileges to DBA.
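
For detection, the following added example (not part of the original advisory or of any Application Security, Inc. tool) scans audited SQL text for BFILENAME calls whose DIRECTORY argument is longer than a legitimate directory name can be. The 30-byte limit is an assumption based on the Oracle identifier length limit in the affected releases, and the function names and sample statements are constructed for illustration.

```python
import re

# Assumption (not from the advisory): directory object names in the affected
# releases are ordinary Oracle identifiers, limited to 30 bytes.
MAX_DIRECTORY_BYTES = 30

CALL = re.compile(r"\bBFILENAME\s*\(", re.IGNORECASE)
# First argument as a complete string literal ('' is an escaped quote)
LITERAL = re.compile(r"\s*'((?:[^']|'')*)'\s*,")


def check_statement(sql):
    """Return one (verdict, size) finding per BFILENAME call in a statement."""
    findings = []
    for call in CALL.finditer(sql):
        arg = LITERAL.match(sql, call.end())
        if arg is None:
            # Bind variable, concatenation or function call: length unknown
            findings.append(("dynamic", None))
            continue
        directory = arg.group(1).replace("''", "'")
        size = len(directory.encode("utf-8"))
        verdict = "oversize" if size > MAX_DIRECTORY_BYTES else "ok"
        findings.append((verdict, size))
    return findings


# Constructed sample statements, as they might appear in an SQL audit trail
SAMPLE_AUDIT = [
    "SELECT BFILENAME('MEDIA_DIR', 'logo.gif') FROM dual",
    "INSERT INTO docs VALUES (1, bfilename ( 'DOCS', 'a.pdf' ))",
    "SELECT BFILENAME('" + "X" * 400 + "', 'f') FROM dual",
    "SELECT BFILENAME(:dir, :name) FROM dual",
]


def triage(statements):
    """Keep only statements that need an analyst's attention."""
    report = []
    for sql in statements:
        flagged = [f for f in check_statement(sql) if f[0] != "ok"]
        if flagged:
            report.append((sql[:40], flagged))
    return report


if __name__ == "__main__":
    for snippet, flagged in triage(SAMPLE_AUDIT):
        print(snippet, flagged)
```

Statements reported as "dynamic" pass a non-literal DIRECTORY value, so its length has to be confirmed from bind-variable capture or application code rather than from the SQL text alone.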

Fix:
To fix this problem, you must download and apply the appropriate patch. Patches for the Oracle database server can be downloaded from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). This patch is identified by the base bug number 2642117.

The issue is fixed in the 9.2.0.3 patchset. Patches are available for 9.2.0.2, 9.0.1.4, 8.1.7.4, and 8.0.6. For a detailed grid of the platform details, see http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf.