#5 - Buffer overflow on "sname" and "oname" parameters on procedures of DBMS_REPCAT package
August 31, 2004
Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.
Risk level: Medium
Details:
Oracle Database Server provides the DBMS_REPCAT package, which is used to administer and update the replication catalog and environment. Several procedures of this package take the parameters "sname" (a schema name) and "oname" (an object name). When a long string is passed to any of these parameters, a buffer overflow occurs.
To reproduce the overflow, execute the following PL/SQL (the trailing "/" runs the anonymous block in SQL*Plus):
BEGIN
    DBMS_REPCAT.ADD_GROUPED_COLUMN ('longstring', 'longstring', 'cc', 'dd');
END;
/
or
BEGIN
    DBMS_REPCAT.ADD_DELETE_RESOLUTION ('longstring', 'longstring', 0, '', '');
END;
/
or
BEGIN
    DBMS_REPCAT.CANCEL_STATISTICS ('longstring', 'longstring');
END;
/
etc. (any other DBMS_REPCAT procedure that takes "sname" and "oname" behaves the same way).
Analysis:
This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE or SYSDBA roles, and by any user granted EXECUTE permission on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
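The queries below are an added example, not part of the original advisory, for a DBA who wants to know which accounts can reach DBMS_REPCAT (directly, through EXECUTE_CATALOG_ROLE or a role that inherits it, or as SYSDBA) and whether the instance is on a fixed release. They assume a privileged session that can read the DBA_* and V$ data dictionary views.

```sql
-- Added audit queries (not from the advisory): who can call DBMS_REPCAT?

-- 1. Direct EXECUTE grants on the package (grantees may be users or roles).
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_REPCAT'
 ORDER BY grantee;

-- 2. Users holding EXECUTE_CATALOG_ROLE, directly or via nested roles.
--    The hierarchy walks from the role up to every grantee; the outer
--    WHERE is applied after CONNECT BY, so intermediate roles are kept in
--    the walk but only real user accounts are reported.
SELECT DISTINCT grantee AS holder
  FROM (SELECT grantee, granted_role FROM dba_role_privs)
 WHERE grantee IN (SELECT username FROM dba_users)
 START WITH granted_role = 'EXECUTE_CATALOG_ROLE'
 CONNECT BY granted_role = PRIOR grantee
 ORDER BY holder;

-- 3. Accounts with SYSDBA in the password file.
SELECT username
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE';

-- 4. Release check: the advisory states the fix is in 9.2.0.5 (Patchset 4)
--    and that 10g is not affected, so anything 9.2.0.4 or earlier is exposed.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';
```

Any grantee returned by queries 1 to 3 on a release below 9.2.0.5 can trigger the overflow; revoking EXECUTE on DBMS_REPCAT from accounts that do not administer replication reduces exposure until the patchset is applied.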
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Oracle 10g is not vulnerable.