SQL Injection in ORASSO.WPG_SESSION
August 3, 2005
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: Medium
Credits: This vulnerability was discovered and researched by Aaron Newman of Application Security, Inc.
Affected Versions:
All versions of Oracle Database Server
Background:
Oracle contains a large number of built-in PL/SQL packages. These packages contain code which typically executes under the privileges of the package owner. Package owners usually possess elevated privileges, resulting in potential security problems.
The PL/SQL package ORASSO.WPG_SESSION contains a function called init which contains an instance of SQL injection.
Details:
By default, the EXECUTE permission on the WPG_SESSION package is granted to PUBLIC and the package is owned by the ORASSO schema. As a result, any commands executed by the procedure run under the elevated privileges of the ORASSO user.
The ORASSO schema contains code used to perform single sign-on for Oracle. This user has been granted the DBA role.
The function init in this package accesses a structure called wwctx_api.get_nls_language. The function pulls out the language and territory values and then executes the following statement with these values:
execute immediate 'alter session set nls_language = "' || l_language || '" nls_territory = "' || l_territory || '"';
Because the language and territory values are concatenated directly into the statement passed to execute immediate, a SQL injection attack is possible if the attacker has privileges to set those values. Although performing this SQL injection may depend on several other factors, it is highly recommended you revoke EXECUTE permissions from PUBLIC on this package.
Impact:
Attackers can execute SQL under the privileges of the ORASSO user, a DBA.
Workaround:
Revoke the EXECUTE privileges on this package from the PUBLIC role. To revoke the privilege run the following command:
REVOKE EXECUTE ON ORASSO.WPG_SESSION FROM PUBLIC;
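The following queries are an added example, not part of the original advisory. They check the grant described under Details before and after the REVOKE, and the third query goes beyond this one package to the general pattern described under Background. They assume an account that can read the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_PROCEDURES data dictionary views; the SYS/SYSTEM filter is a choice made here to keep the output short.

```sql
-- Added example: audit queries for the exposure described in this advisory.

-- 1. Is EXECUTE on ORASSO.WPG_SESSION still granted to PUBLIC?
--    Returns one row while the default grant is in place and no rows once
--    the REVOKE above has been applied.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE owner      = 'ORASSO'
   AND table_name = 'WPG_SESSION'
   AND privilege  = 'EXECUTE'
   AND grantee    = 'PUBLIC';

-- 2. Does the package owner hold the DBA role? A row here means code in
--    the package runs with DBA privileges when it executes as its owner.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE grantee      = 'ORASSO'
   AND granted_role = 'DBA';

-- 3. Generalisation: every definer-rights PL/SQL object that PUBLIC can
--    execute and whose owner has been granted DBA. Each row has the same
--    shape as this advisory (low-privileged caller, DBA-privileged code)
--    and is a candidate for the same REVOKE after confirming that no
--    application depends on the PUBLIC grant.
SELECT DISTINCT p.owner, p.object_name
  FROM dba_procedures p
  JOIN dba_tab_privs t
    ON t.owner = p.owner
   AND t.table_name = p.object_name
  JOIN dba_role_privs r
    ON r.grantee = p.owner
 WHERE p.authid       = 'DEFINER'
   AND t.privilege    = 'EXECUTE'
   AND t.grantee      = 'PUBLIC'
   AND r.granted_role = 'DBA'
   AND p.owner NOT IN ('SYS', 'SYSTEM')  -- remove this filter to include them
 ORDER BY p.owner, p.object_name;
```

Run query 1 again after the REVOKE; it should return no rows.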
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
To fix the problem apply the Critical Patch Update - July 2005 patches.
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
Oracle Advisory: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html