#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Medium
Details:
Oracle Database Server provides the DBMS_REPCAT_ADMIN package, which can be used to create users with the privileges needed by the symmetric replication facility. This package contains the procedures REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP, used to assign and revoke proxy materialized view administrator or receiver privileges at the master site or master materialized view site for use with remote sites. When either procedure is called with a long string in the "privilege_type" parameter, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL:
BEGIN
  DBMS_REPCAT_ADMIN.REGISTER_USER_REPGROUP ('sys', 'longstring', '');
END;
or
BEGIN
  DBMS_REPCAT_ADMIN.UNREGISTER_USER_REPGROUP ('sys', 'longstring', '');
END;
Analysis:
This vulnerability can be exploited by users who are members of the EXECUTE_CATALOG_ROLE or SYSDBA roles, and by users granted execute permission on the DBMS_REPCAT_ADMIN package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
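Exposure check (added example, not part of the original advisory): the queries below list the installed version and the accounts that match the Analysis section, that is, accounts that can execute DBMS_REPCAT_ADMIN directly or through a chain of roles, plus SYSDBA accounts. They assume a session with access to the DBA_* and V$ dictionary views.

```sql
-- Added example: audit exposure to the DBMS_REPCAT_ADMIN overflow.

-- 1. Installed version; the advisory gives Patchset 4 (9.2.0.5) as the fix.
SELECT product, version
FROM   product_component_version
WHERE  product LIKE 'Oracle%';

-- 2. Direct EXECUTE grants on the package (users, roles or PUBLIC).
--    A PUBLIC row here means every account is exposed.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_REPCAT_ADMIN'
AND    privilege = 'EXECUTE'
ORDER  BY grantee;

-- 3. Effective exposure: accounts that can execute the package by direct
--    grant or through any chain of roles (EXECUTE_CATALOG_ROLE included
--    when it appears in the result of query 2).
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner = 'SYS'
         AND    table_name = 'DBMS_REPCAT_ADMIN'
         AND    privilege = 'EXECUTE'
         UNION
         SELECT grantee
         FROM   dba_role_privs
         START  WITH granted_role IN (
                  SELECT grantee
                  FROM   dba_tab_privs
                  WHERE  owner = 'SYS'
                  AND    table_name = 'DBMS_REPCAT_ADMIN'
                  AND    privilege = 'EXECUTE')
         CONNECT BY PRIOR grantee = granted_role)
ORDER  BY u.username;

-- 4. Accounts in the password file that hold SYSDBA.
SELECT username
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE';
```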