Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages
April 18, 2005
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: High
Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Argeniss for Application Security, Inc.
Affected Versions:
Oracle Database Server version 10g
Details:
The SUBSCRIPTION_NAME parameter -- used in various procedures of the SYS.DBMS_CDC_SUBSCRIBE and SYS.DBMS_CDC_ISUBSCRIBE packages -- is vulnerable to SQL injection. These packages execute with the privileges of the SYS user and, by default, PUBLIC has EXECUTE privilege on them.
Impact:
Any low privileged database user can execute functions with DBA privileges. Users with privileges to create or modify a function can inject a user-defined function in the vulnerable procedure and thus execute SQL statements with DBA privileges.
Workaround:
Revoke the EXECUTE privilege on the vulnerable packages (by default granted to PUBLIC).
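The following SQL is an added example of applying and verifying this workaround; it is not part of the advisory. It assumes you run it as a DBA and that the two package names above are the only objects affected; the account name cdc_subscriber_app in step 3 is a hypothetical placeholder.

```sql
-- Added example (not from the advisory): list who holds EXECUTE on the
-- two packages, remove the default PUBLIC grant, then verify.
-- Run as SYS or another DBA account.

-- 1. Who can execute the vulnerable packages right now?
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_CDC_SUBSCRIBE', 'DBMS_CDC_ISUBSCRIBE')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Workaround from the advisory: remove the default PUBLIC grant.
REVOKE EXECUTE ON SYS.DBMS_CDC_SUBSCRIBE  FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_CDC_ISUBSCRIBE FROM PUBLIC;

-- 3. If a specific Change Data Capture subscriber account still needs
--    the package, grant it back to that account only.
--    (cdc_subscriber_app is a hypothetical account name.)
-- GRANT EXECUTE ON SYS.DBMS_CDC_SUBSCRIBE TO cdc_subscriber_app;

-- 4. Verify: this must return no rows once the workaround is in place.
SELECT table_name, grantee
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_CDC_SUBSCRIBE', 'DBMS_CDC_ISUBSCRIBE')
   AND grantee = 'PUBLIC';

-- 5. Optional: record every call to the packages until the April 2005
--    Critical Patch Update is applied.
AUDIT EXECUTE ON SYS.DBMS_CDC_SUBSCRIBE  BY ACCESS;
AUDIT EXECUTE ON SYS.DBMS_CDC_ISUBSCRIBE BY ACCESS;
```

Object audit records in step 5 are only written when the AUDIT_TRAIL initialization parameter is enabled on the instance.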
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
Apply Oracle Critical Patch Update April 2005 available at http://metalink.oracle.com
Links:
Oracle Security Alert: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
Advanced SQL Injection in Oracle databases presentation: http://www.argeniss.com/research.html