Application Security Inc. - Securing Business by Securing Enterprise Applications

home

client login

partner login

purchasing info

search:

add this

1.	Defending Against New and Emerging Database Threats
2.	Top Database Vulnerabilities Federal Agencies Face
3.	Solution Brief - Reviewing Database User Rights
4.	SOX Compliance and Database Security
5.	Grounding PCI Compliance in the Databasel

#8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT package

August 31, 2004

Credit: These vulnerabilities were researched and discovered by Esteban Martínez Fayó of Application Security, Inc.

Risk level: Medium

Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "operation" to specify a kind data operation ('update', 'delete' or both). When a long string is passed to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.COMPARE_OLD_VALUES ('hr', 'employees', 'employee_id', 'longstring', true);
END;

BEGIN
DBMS_REPCAT.SEND_OLD_VALUES ('hr', 'employees', 'employee_id','longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause DOS (Denial of service) killing Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.