Application Security, Inc.

Team SHATTER Security Alert

#18 - Buffer Overflow in String Conversion Function

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Cesar Cerrudo of Application Security, Inc.

Risk level: High

Details:
Oracle Database Server provides a function, TO_CHAR, that can be used from PL/SQL to convert a number or date to a string. When this function is called with SYSTIMESTAMP (which returns the system date, including fractional seconds and the time zone of the database) as its first parameter and a long string as its second parameter, a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL:

select TO_CHAR(SYSTIMESTAMP, 'longstringhere') from dual;

Analysis:
This vulnerability can be exploited by any Oracle Database user because access to this function cannot be restricted.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process. Calling the TO_CHAR function with a first parameter other than SYSTIMESTAMP does not appear to cause a buffer overflow, but the possibility that other values could trigger one should not be discarded.

Vendor Fix:
Fixed in Oracle 9iR2 Patchset 4 (9.2.0.5) Patch 2. Fixed in 10g Release 1.