Application Security, Inc.

Team SHATTER Security Alert

#12 - Buffer overflow in functions INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_RGT package

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
Oracle Database Server provides the DBMS_REPCAT_RGT package that can be used to control the maintenance and definition of refresh group templates. This package contains the procedures INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE and DROP_SITE_INSTANTIATION. When these procedures are called with a long string in the "refresh_template_name" or the "user_name" parameter a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL:

SELECT DBMS_REPCAT_RGT.INSTANTIATE_OFFLINE ('longstring', '', '') FROM Dual;

or

SELECT DBMS_REPCAT_RGT.INSTANTIATE_ONLINE ('some_refresh_template_name', '', 'longstring') FROM Dual;

or

BEGIN
DBMS_REPCAT_RGT.DROP_SITE_INSTANTIATION ('longstring', '', '');
END;

etc.

Analysis:
This vulnerability can be exploited by users holding the SYSDBA role and by users granted EXECUTE permission on the DBMS_REPCAT_RGT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.
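Since exposure depends on who holds EXECUTE on the package and on the patch level, a DBA assessing this alert will want to enumerate both. The SQL below is an added example written for this page, not part of the original advisory; it assumes a DBA connection to an Oracle 9.2 database and uses only the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS and V$INSTANCE dictionary views. <GRANTEE> is a placeholder to be filled from the first query's output.

```sql
-- Added example (not from the advisory): assess exposure to the
-- DBMS_REPCAT_RGT overflow and confirm the fix level. Run as a DBA.

-- 1. Direct grantees of the vulnerable package. The advisory names SYSDBA
--    users and anyone granted EXECUTE on DBMS_REPCAT_RGT as able to reach it.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_REPCAT_RGT'
 ORDER BY grantee;

-- 2. If a role carries the grant, every user holding that role is exposed
--    too, so resolve role grantees one level down.
SELECT r.grantee AS user_or_role, r.granted_role
  FROM dba_role_privs r
 WHERE r.granted_role IN (SELECT grantee
                            FROM dba_tab_privs
                           WHERE owner = 'SYS'
                             AND table_name = 'DBMS_REPCAT_RGT')
 ORDER BY r.granted_role, r.grantee;

-- 3. Patch level: the advisory states the fix is in 9.2.0.5 and that 10g
--    is not affected, so compare the reported version against 9.2.0.5.
SELECT instance_name, version
  FROM v$instance;

-- 4. Interim mitigation while a 9.2.0.x instance is below 9.2.0.5: withdraw
--    EXECUTE from grantees that have no need to run replication templates.
--    <GRANTEE> is a placeholder for a grantee returned by query 1.
-- REVOKE EXECUTE ON SYS.DBMS_REPCAT_RGT FROM <GRANTEE>;
```

Query 2 only follows one level of role nesting; on a database with roles granted to roles, repeat it with the roles it returns until no new grantees appear.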