Application Security, Inc.

Team SHATTER Security Alert

SQL Injection in OWF_MGR.WF_LOV

August 3, 2005

To determine if you are vulnerable to this attack, download AppDetective from http://www.appsecinc.com/products/appdetective/oracle

Risk level: Medium

Credits: This vulnerability was discovered and researched by Aaron Newman for Application Security, Inc.

Affected versions:
All versions of Oracle Database Server

Background:
Oracle contains a large number of built-in PL/SQL packages. These packages contain code that typically executes under the privileges of the package owner. Package owners usually possess elevated privileges, resulting in potential security problems.

The PL/SQL package OWF_MGR.WF_LOV contains a function called display_lov_details which contains an instance of SQL injection.

Details:
By default, EXECUTE permission on the WF_LOV package is granted to PUBLIC and the package is owned by the OWF_MGR schema. As a result, any commands executed by the procedure run under the elevated privileges of the OWF_MGR user.

The OWF_MGR user has been granted the SELECT_CATALOG_ROLE and AQ_ADMINISTRATOR roles.

The function requires the executing user to have a valid wfa_sec session. SQL commands can be injected into the third parameter. We see the following call at line 1021:

EXECUTE IMMEDIATE l_sql_stmt

The l_sql_stmt variable is created on the line:
l_sql_stmt := 'BEGIN '||p_validation_callback || '(:a, :b, :c, :d, :e, :f, :g';

The third parameter to the function is:
p_validation_callback in varchar2 default null,

This use of EXECUTE IMMEDIATE allows a SQL injection attack. Although exploiting it may depend on several other factors, it is highly recommended that you revoke EXECUTE permission from PUBLIC on this package.
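The following is an added illustration, not Oracle's source and not part of the original advisory. It reduces the pattern described above (a caller-supplied callback name concatenated into a BEGIN ... END block and run with EXECUTE IMMEDIATE) to a single bind variable, then shows the hardened form a package author would write instead. The procedure names demo_lov_weak and demo_lov_hardened and the parameter p_value are constructed; DBMS_ASSERT and AUTHID CURRENT_USER are standard Oracle features, and the example assumes a release that ships the DBMS_ASSERT package.

```sql
-- Constructed illustration (not Oracle's code): the dynamic-call pattern
-- from the advisory, simplified to one bind variable, beside a hardened form.

-- Weak form: the caller-supplied callback name is spliced into the statement
-- text, so whatever the string contains becomes part of the PL/SQL block.
-- Without an AUTHID clause the procedure runs with definer's rights, i.e.
-- the privileges of the schema that owns it.
CREATE OR REPLACE PROCEDURE demo_lov_weak (
  p_validation_callback IN VARCHAR2 DEFAULT NULL,
  p_value               IN VARCHAR2)
AS
  l_sql_stmt VARCHAR2(4000);
BEGIN
  l_sql_stmt := 'BEGIN ' || p_validation_callback || '(:a); END;';
  EXECUTE IMMEDIATE l_sql_stmt USING p_value;
END;
/

-- Hardened form:
--  * AUTHID CURRENT_USER: the dynamic block runs with the caller's own
--    privileges, not the package owner's, so a definer's-rights escalation
--    is no longer possible.
--  * SYS.DBMS_ASSERT.SQL_OBJECT_NAME: raises ORA-44002 unless the string is
--    the name of an existing schema object, so arbitrary statement text is
--    rejected before it reaches EXECUTE IMMEDIATE.
--  * The data value still travels as a bind variable (:a), never as text.
CREATE OR REPLACE PROCEDURE demo_lov_hardened (
  p_validation_callback IN VARCHAR2 DEFAULT NULL,
  p_value               IN VARCHAR2)
AUTHID CURRENT_USER
AS
  l_callback VARCHAR2(128);
  l_sql_stmt VARCHAR2(4000);
BEGIN
  IF p_validation_callback IS NULL THEN
    RETURN;                     -- nothing to call
  END IF;
  l_callback := SYS.DBMS_ASSERT.SQL_OBJECT_NAME(p_validation_callback);
  l_sql_stmt := 'BEGIN ' || l_callback || '(:a); END;';
  EXECUTE IMMEDIATE l_sql_stmt USING p_value;
END;
/
```

The two changes address different halves of the problem: DBMS_ASSERT.SQL_OBJECT_NAME confines the concatenated string to a real object name, while AUTHID CURRENT_USER removes the privilege gain even if a caller names a procedure of their own, because the callback then runs with no more rights than the caller already holds.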

Impact:
Attackers can execute SQL under the privileges of OWF_MGR user.

Workaround:
Revoke the EXECUTE privilege on this package from the PUBLIC role. To revoke the privilege, run the following command:

REVOKE EXECUTE ON OWF_MGR.WF_LOV FROM PUBLIC
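Added verification queries, not part of the original advisory: after applying the workaround, confirm that PUBLIC no longer holds EXECUTE on OWF_MGR.WF_LOV, and review the roles granted to OWF_MGR that give the exposure its weight. Both queries read the standard DBA_TAB_PRIVS and DBA_ROLE_PRIVS views and assume a session with SELECT access to them.

```sql
-- Constructed check (not part of the advisory). Run as a user with access
-- to the DBA_* views, e.g. after the REVOKE above has been issued.

-- 1. Is EXECUTE on OWF_MGR.WF_LOV still granted to PUBLIC?
--    Expected after the workaround: no rows returned.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'OWF_MGR'
   AND table_name = 'WF_LOV'
   AND privilege  = 'EXECUTE'
   AND grantee    = 'PUBLIC';

-- 2. Which roles does OWF_MGR hold? The advisory names SELECT_CATALOG_ROLE
--    and AQ_ADMINISTRATOR; any code run through a definer's-rights package
--    owned by OWF_MGR inherits whatever appears here.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'OWF_MGR'
 ORDER BY granted_role;
```

The first query is the one to schedule as a recurring control: an upgrade or a re-run of the Workflow installation scripts can re-grant the privilege to PUBLIC, so a single manual REVOKE should not be treated as permanent.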

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
To fix the problem, apply the Critical Patch Update - July 2005 patches.
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

Oracle Advisory: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html