SQL Injection in OWF_MGR.WF_LOV
August 3, 2005
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: Medium
Credits: This vulnerability was discovered and researched by Aaron Newman
for Application Security, Inc.
Affected versions:
All versions of Oracle Database Server
Background:
Oracle contains a large number of built-in PL/SQL packages. These packages contain code which typically executes under the privileges of the package owner. Package owners usually possess elevated privileges, which can result in security problems.
The PL/SQL package OWF_MGR.WF_LOV contains a function called display_lov_details which contains an instance of SQL injection.
Details:
By default, EXECUTE permission on the WF_LOV package is granted to PUBLIC, and the package is owned by the OWF_MGR schema. As a result, any commands executed by the procedure run under the elevated privileges of the OWF_MGR user.
The OWF_MGR user has been granted the SELECT_CATALOG_ROLE and AQ_ADMINISTRATOR roles.
The function requires the executing user to have a valid wfa_sec session. SQL commands can be injected into the third parameter. We see the following call at line 1021:
EXECUTE IMMEDIATE l_sql_stmt
The l_sql_stmt variable is created on the line:
l_sql_stmt := 'BEGIN '||p_validation_callback || '(:a, :b, :c, :d, :e, :f, :g';
The third parameter to the function is:
p_validation_callback in varchar2 default null,
Because p_validation_callback is concatenated directly into the statement text, this use of EXECUTE IMMEDIATE is a SQL injection vulnerability. Although performing this SQL injection may depend on several other factors, it is highly recommended that you revoke EXECUTE permissions from PUBLIC on this package.
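The pattern above beside a hardened form, as an added example that is not Oracle's WF_LOV source or its patch. The procedure demo_run_callback, the package DEMO_PKG and its two callback names are hypothetical, the single bind stands in for the advisory's longer bind list, and the DBMS_ASSERT package is assumed to be available in the database release.

```sql
-- Added example: hypothetical procedure, NOT the WF_LOV source code.
-- Like the package in the advisory it runs with definer's rights, so the
-- dynamic block executes with the privileges of the procedure's owner.
CREATE OR REPLACE PROCEDURE demo_run_callback (
  p_validation_callback IN VARCHAR2 DEFAULT NULL,
  p_value               IN VARCHAR2
) AS
  l_name     VARCHAR2(200);
  l_sql_stmt VARCHAR2(400);
BEGIN
  -- Vulnerable form (the advisory's pattern): the caller-supplied name
  -- becomes part of the PL/SQL text without any check.
  --   l_sql_stmt := 'BEGIN ' || p_validation_callback || '(:a); END;';

  IF p_validation_callback IS NULL THEN
    RETURN;  -- no callback requested, nothing to execute
  END IF;

  -- Hardened form, step 1: accept only text that is syntactically a
  -- (possibly dotted) SQL name. DBMS_ASSERT raises an exception for
  -- anything else, so the value cannot carry extra statements.
  l_name := DBMS_ASSERT.QUALIFIED_SQL_NAME(p_validation_callback);

  -- Step 2: allow-list. A valid name could still point at any procedure
  -- the owner can run, so only known callbacks are accepted.
  -- (DEMO_PKG and both procedure names are assumptions for this example.)
  IF UPPER(l_name) NOT IN ('DEMO_PKG.CHECK_VALUE', 'DEMO_PKG.CHECK_CODE') THEN
    RAISE_APPLICATION_ERROR(-20001, 'validation callback not permitted');
  END IF;

  -- Data still travels as a bind variable, never as statement text.
  l_sql_stmt := 'BEGIN ' || l_name || '(:a); END;';
  EXECUTE IMMEDIATE l_sql_stmt USING p_value;
END demo_run_callback;
/
```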
Impact:
Attackers can execute SQL under the privileges of OWF_MGR user.
Workaround:
Revoke the EXECUTE privileges on this package from the PUBLIC role. To revoke the privilege run the following command:
REVOKE EXECUTE ON OWF_MGR.WF_LOV FROM PUBLIC;
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
To fix the problem apply the Critical Patch Update - July 2005 patches.
Oracle Advisory: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html