Application Security Inc. - Securing Business by Securing Enterprise Applications

home

client login

partner login

online store

search:

MOST POPULAR CONTENT

1.	Top Database Security Threats for 2008
2.	Database Security Best Practices for Federal Agencies
3.	PCI Compliance at the Database Level
4.	Forrester WAVE Summary Scorecard
5.	SOX Compliance and Database Security

#8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT package

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "operation" to specify a kind data operation ('update', 'delete' or both). When a long string is passed to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.COMPARE_OLD_VALUES ('hr', 'employees', 'employee_id', 'longstring', true);
END;

BEGIN
DBMS_REPCAT.SEND_OLD_VALUES ('hr', 'employees', 'employee_id','longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause DOS (Denial of service) killing Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.