Application Security, Inc.

Team SHATTER Security Alert

#4 - Buffer overflow on "gname" parameter on procedures of Replication Management API Packages

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
Oracle Database Server provides a set of packages that can be used to administer a replicated environment. Some procedures of these packages take a parameter named "gname" that specifies a replication group name. When a sufficiently long string is passed to this parameter, a buffer overflow occurs.

To reproduce the overflow, execute one of the following PL/SQL blocks:

BEGIN
DBMS_REPCAT.DROP_MASTER_REPGROUP ('longstring');
END;

or

BEGIN
DBMS_REPCAT.ALTER_MVIEW_PROPAGATION ('longstring', '');
END;

or

BEGIN
DBMS_OFFLINE_OG.BEGIN_LOAD ('longstring', 'x');
END;

or

BEGIN
DBMS_OFFLINE_SNAPSHOT.END_LOAD ('longstring', 'x','d');
END;

etc.

Analysis:
This vulnerability can be exploited by users holding EXECUTE_CATALOG_ROLE or SYSDBA, and by any user granted EXECUTE on the vulnerable packages.
Successful exploitation allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.
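The Analysis and Vendor Fix sections together tell a DBA what to check: whether the instance is still on a 9.2 release before 9.2.0.5, and which principals can reach the affected packages. The following read-only audit script is an added example written for this page; it is not part of the original Team SHATTER advisory or of Oracle's own tooling. The package names come from the advisory above; the dictionary views (v$version, dba_tab_privs, dba_role_privs, v$pwfile_users) are standard Oracle views, and the script assumes it is run by a DBA with SELECT access to them.

```sql
-- Added example, not from the original advisory: a read-only exposure audit for the
-- "gname" buffer overflow. Run as a DBA (e.g. in SQL*Plus) on a 9.2 instance.

-- 1. Release check. The advisory states that 9.2.0.5 (Patchset 4) carries the fix
--    and that 10g is not affected; anything 9.2.0.4 or lower is exposed.
SELECT banner
  FROM v$version;

-- 2. Direct EXECUTE grants on the packages named in the advisory.
--    A row with grantee = 'PUBLIC' would mean every account can call these procedures.
SELECT grantee,
       table_name AS package_name,
       grantor,
       grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND privilege  = 'EXECUTE'
   AND table_name IN ('DBMS_REPCAT', 'DBMS_OFFLINE_OG', 'DBMS_OFFLINE_SNAPSHOT')
 ORDER BY table_name, grantee;

-- 3. Everyone who reaches EXECUTE_CATALOG_ROLE, directly or through a chain of
--    roles. The hierarchical query walks dba_role_privs from the role outward, so
--    intermediate roles appear in the result alongside end users.
SELECT DISTINCT grantee,
       LEVEL AS hops_from_role
  FROM dba_role_privs
 START WITH granted_role = 'EXECUTE_CATALOG_ROLE'
 CONNECT BY granted_role = PRIOR grantee
 ORDER BY hops_from_role, grantee;

-- 4. Password-file accounts with SYSDBA. Caveat: operating-system authenticated
--    SYSDBA connections (members of the OSDBA group) do not appear here and must be
--    reviewed at the OS level.
SELECT username,
       sysdba,
       sysoper
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE'
 ORDER BY username;
```

Until the patchset is applied, the output of queries 2 and 3 is the list of accounts to review: any grantee that does not administer replication can have the EXECUTE grant or the role revoked without affecting ordinary application users, which removes their ability to reach the vulnerable procedures.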