Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.
 
 
 

Team SHATTER Security Alert

SQL Injection in CREATE_SCN_CHANGE_SET procedure

April 18, 2005

To determine if you are vulnerable to this attack, download AppDetective from http://www.appsecinc.com/products/appdetective/oracle

Risk level: High

Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Argeniss for Application Security, Inc.

Affected Versions:
Oracle Database Server version 10g

Details:
The CHANGE_SET_NAME parameter of the standard procedure SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET is vulnerable to SQL injection. This procedure executes with privileges of the SYS user; by default, PUBLIC has EXECUTE privilege.

Impact:
Any low-privileged database user can execute functions with DBA privileges. A user with privileges to create or modify a function can inject a user-defined function into the vulnerable procedure and thus execute SQL statements with DBA privileges.

Workaround:
Revoke the EXECUTE privilege on the DBMS_CDC_IPUBLISH package.
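
One way to audit and apply this workaround, as an added example that is not part of the original advisory. It assumes a session connected as SYS (AS SYSDBA) and that the grant in question is the default grant to PUBLIC described under Details; other grantees found in step 1 need their own review.

```sql
-- Added example: audit and apply the workaround for SYS.DBMS_CDC_IPUBLISH.
-- Assumption: connected as SYS so the DBA_* views and the REVOKE are permitted.

-- 1. List every grantee that can currently execute the package.
--    A row with GRANTEE = 'PUBLIC' means any database user can call it.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_CDC_IPUBLISH'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Before revoking, list objects outside SYS that reference the package.
--    These may become invalid or stop working once the grant is removed,
--    so review them first.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'DBMS_CDC_IPUBLISH'
AND    owner           <> 'SYS'
ORDER  BY owner, name;

-- 3. Apply the workaround: remove the default grant to PUBLIC.
REVOKE EXECUTE ON sys.dbms_cdc_ipublish FROM PUBLIC;

-- 4. Verify: this should now return 0.
SELECT COUNT(*) AS remaining_public_grants
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_CDC_IPUBLISH'
AND    privilege  = 'EXECUTE'
AND    grantee    = 'PUBLIC';
```

Re-run step 1 after applying patches or upgrades to confirm the grant has not been re-created.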

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
Apply Oracle Critical Patch Update April 2005 available at http://metalink.oracle.com

Links:
Oracle Security Alert: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

Advanced SQL Injection in Oracle databases presentation: http://www.argeniss.com/research.html