|
Multiple SQL Injection vulnerabilities in DBMS_METADATA package
April 18, 2005
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: High
Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Argeniss for AppSec, Inc.
Affected Versions:
Oracle Database Server versions 9i and 10g
Details:
The OBJECT_TYPE parameter -- used in various procedures of the DBMS_METADATA package -- is vulnerable to SQL injection. Although this package executes with the privileges of the calling user, it internally uses another package that executes the injected SQL with the privileges of the SYS user thereby allowing an attacker to gain DBA privileges. By default PUBLIC has EXECUTE privilege on DBMS_METADATA.
Impact:
Any low privileged database user can execute functions with DBA privileges. Users with privileges to create or modify a function can inject a user-defined function in the vulnerable procedure and thus execute SQL statements with DBA privileges.
Workaround:
Revoke Execute privilege on the vulnerable package.
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
Apply Oracle Critical Patch Update April 2005 available at http://metalink.oracle.com
Links:
Oracle Security Alert: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
Advanced SQL Injection in Oracle databases presentation: http://www.argeniss.com/research.html
|
