Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages
April 18, 2005
To determine if you are vulnerable to this attack, download AppDetective
Risk level: High
Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Argeniss for Application Security, Inc.
Oracle Database Server version 10g
The SUBSCRIPTION_NAME parameter -- used in various procedures of SYS.DBMS_CDC_SUBSCRIBE and SYS.DBMS_CDC_ISUBSCRIBE packages -- is vulnerable to SQL injection. These packages execute with privileges of the SYS user; by default, PUBLIC has EXECUTE privilege.
Any low privileged database user can execute functions with DBA privileges. Users with privileges to create or modify a function can inject a user-defined function in the vulnerable procedure and thus execute SQL statements with DBA privileges.
Revoke Execute privilege on the vulnerable packages.
Vendor was contacted and a patch was released.
Apply Oracle Critical Patch Update April 2005 available at http://metalink.oracle.com
Oracle Security Alert: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
Advanced SQL Injection in Oracle databases presentation: http://www.argeniss.com/research.html