#13 - Buffer overflow on TEMPFILE parameter
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Cesar Cerrudo of Application Security, Inc.
Risk level: Low
Details:
Oracle Database Server allows temporary files to be specified for use by the database when creating or altering a tablespace, altering a database, etc. When a long string is passed to the TEMPFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL:
ALTER TABLESPACE TablespaceName ADD TEMPFILE 'longstringhere';
or
CREATE TEMPORARY TABLESPACE TablespaceName TEMPFILE 'longstringhere';
or
ALTER DATABASE TEMPFILE 'longstringhere' online;
etc.
Analysis:
This vulnerability can be exploited via ALTER DATABASE by users with the ALTER DATABASE system privilege, via CREATE TABLESPACE by users with the CREATE TABLESPACE system privilege, and via ALTER TABLESPACE by users with the ALTER TABLESPACE system privilege.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9iR2 Patchset 4 (9.2.0.5) Patch 2. Oracle 10g is not vulnerable.
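Exposure audit, added here as an example and not part of the original advisory: these queries list who holds the three system privileges named under Analysis, directly or through nested roles, and show the release to compare against the fixed version. They assume a DBA session with access to V$VERSION, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS, and use only syntax available in 9i.

```sql
-- 1. Release banner. The advisory lists 9.2.0.5 Patch 2 as fixed and 10g as
--    not vulnerable. The banner shows the release number only; whether
--    "Patch 2" is applied has to be confirmed from the Oracle home's
--    patch inventory.
SELECT banner
FROM   v$version;

-- 2. Direct grants of the privileges needed to reach the TEMPFILE clause.
--    A grantee with no row in DBA_USERS is a role or PUBLIC.
SELECT sp.grantee,
       DECODE(u.username, NULL, 'ROLE/PUBLIC', 'USER') AS grantee_type,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp,
       dba_users     u
WHERE  sp.grantee = u.username (+)
AND    sp.privilege IN ('ALTER DATABASE',
                        'CREATE TABLESPACE',
                        'ALTER TABLESPACE')
ORDER  BY sp.grantee, sp.privilege;

-- 3. Users who inherit one of those privileges through a role, including
--    roles granted to roles. The walk starts at every role that holds a
--    listed privilege and follows grants downward to the final grantee;
--    role_path reads from the privileged role to the role the user holds.
SELECT DISTINCT rp.grantee AS username,
       rp.role_path
FROM  (SELECT grantee,
              SYS_CONNECT_BY_PATH(granted_role, ' <- ') AS role_path
       FROM   dba_role_privs
       START  WITH granted_role IN
                   (SELECT grantee
                    FROM   dba_sys_privs
                    WHERE  privilege IN ('ALTER DATABASE',
                                         'CREATE TABLESPACE',
                                         'ALTER TABLESPACE'))
       CONNECT BY PRIOR grantee = granted_role) rp,
       dba_users u
WHERE  rp.grantee = u.username
ORDER  BY username, role_path;
```

Any account returned by query 2 or 3 on an unpatched 9i instance can reach the affected statements, so revoking grants that are not operationally required reduces exposure until the patch is applied.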