|
#15 - Buffer overflow on CONTROLFILE parameter
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Cesar Cerrudo of Application Security, Inc.
Risk level: Low
Details:
Oracle Database Server allows creation and backup of control files to be used later, by issuing alter database statement. When a long string is passed to CONTROLFILE parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
ALTER DATABASE BACKUP CONTROLFILE TO 'longstringhere';
or
ALTER DATABASE CREATE STANDBY CONTROLFILE AS'longstringhere';
or
etc.
Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE system privilege.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause DOS (Denial of service) killing Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.
|
