Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.
 
 
 

Team SHATTER Security Alert

#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT package

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "type" to specify the type of the object being referenced in other parameters. When a long string is passed to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the following PL/SQL:

BEGIN
DBMS_REPCAT.ALTER_MASTER_REPOBJECT ('', '', 'longstring', 'dd', 'ee', false,false);
END;

or

BEGIN
DBMS_REPCAT.COMMENT_ON_REPOBJECT ('', '', 'longstring', '');
END;

or

BEGIN
DBMS_REPCAT.DROP_MASTER_REPOBJECT ('aa', 'bb', 'longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE or SYSDBA roles, and by users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
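
The exposure described under Analysis can be audited from the data dictionary. The queries below are an added example, not part of the original advisory; they assume the package is owned by SYS and that the session can read the DBA_* and V$ views.

```sql
-- Added example: list who can reach DBMS_REPCAT on an Oracle instance.
-- Assumption: DBMS_REPCAT lives in the SYS schema; run with access to DBA_* and V$ views.

-- 1. Server release. The advisory lists the fix in Patchset 4 (9.2.0.5)
--    and 10g as not vulnerable.
SELECT banner FROM v$version;

-- 2. Direct EXECUTE grants on the package (to users, roles or PUBLIC).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_REPCAT'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 3. Users and roles that inherit access through role grants, including
--    nested roles. The walk starts at EXECUTE_CATALOG_ROLE and at every
--    grantee found in query 2, then follows role-to-role grants downward.
--    GRANTED_ROLE is the role each grantee holds directly on that path.
SELECT DISTINCT grantee, granted_role
FROM   dba_role_privs
START  WITH granted_role IN (
         SELECT 'EXECUTE_CATALOG_ROLE' FROM dual
         UNION
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner      = 'SYS'
         AND    table_name = 'DBMS_REPCAT'
         AND    privilege  = 'EXECUTE')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 4. Accounts in the password file that can connect AS SYSDBA.
SELECT username
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE';
```

Any grantee returned by queries 2 to 4 that does not administer replication is a candidate for having the grant or role revoked until the patchset is applied.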