Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.
 
 
 

Team SHATTER Security Alert

#22 - Buffer overflow in DBMS_SYSTEM package function

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Cesar Cerrudo of Application Security, Inc.

Risk level: Medium

Details:
Oracle Database Server provides many packages. One of them, DBMS_SYSTEM, can be used to gather information about events set in the current session. It can also be used to manipulate other users' sessions and change the values of certain init.ora parameters. It contains a vulnerable function, KSDWRT, which causes a buffer overflow when called with a long string in the second parameter.

To reproduce the overflow, execute the following PL/SQL:

begin
DBMS_SYSTEM.KSDWRT(2,'longstringhere');
end;

Analysis:
This vulnerability can be exploited by members of the SYSDBA role and by users granted execute permissions on the DBMS_SYSTEM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Vendor Fix:
Fixed in Oracle 9iR2 Patchset 4 (9.2.0.5). 10g is not vulnerable.
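
The Analysis and Vendor Fix sections above translate into an exposure audit: which accounts can execute DBMS_SYSTEM, and whether the instance is below the fixed patchset. The following queries are an added example, not part of the original advisory; they assume a DBA account with access to the standard dictionary views (v$version, dba_tab_privs, dba_role_privs, dba_users) and use CONNECT BY so they run on 9i.

```sql
-- Added example (not from the advisory): audit exposure to the DBMS_SYSTEM overflow.

-- 1. Version: the advisory lists 9.2.0.5 as the fixed patchset.
SELECT banner FROM v$version;

-- 2. Direct EXECUTE grants on SYS.DBMS_SYSTEM (users, roles, or PUBLIC).
--    A PUBLIC grantee means every account on the instance is exposed.
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_SYSTEM'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 3. Accounts that hold the privilege directly or inherit it through
--    any chain of nested roles.
SELECT u.username, u.account_status, 'DIRECT' AS granted_via
  FROM dba_users u
  JOIN dba_tab_privs p ON p.grantee = u.username
 WHERE p.owner      = 'SYS'
   AND p.table_name = 'DBMS_SYSTEM'
   AND p.privilege  = 'EXECUTE'
UNION
SELECT u.username, u.account_status, 'ROLE' AS granted_via
  FROM dba_users u
 WHERE u.username IN (
         -- Walk the role graph downward from each role that holds
         -- the grant to everything that role was granted to.
         SELECT rp.grantee
           FROM dba_role_privs rp
          START WITH rp.granted_role IN (
                  SELECT p.grantee
                    FROM dba_tab_privs p
                   WHERE p.owner      = 'SYS'
                     AND p.table_name = 'DBMS_SYSTEM'
                     AND p.privilege  = 'EXECUTE')
        CONNECT BY PRIOR rp.grantee = rp.granted_role)
 ORDER BY 1;

-- 4. Remove a grant that is not required. <GRANTEE> is a placeholder
--    for a name returned by query 2.
-- REVOKE EXECUTE ON sys.dbms_system FROM <GRANTEE>;
```

Query 3 lists named accounts only; if query 2 returns PUBLIC, treat all accounts as exposed regardless of what query 3 shows.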