SQL Injection in OWF_MGR.WF_EVENT_HTML
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: Medium
Credits: This vulnerability was discovered and researched by Aaron Newman for Application Security, Inc.
Affected versions:
All versions of Oracle Database Server
Background:
Oracle contains a large number of built-in PL/SQL packages. These packages contain code that typically executes under the privileges of the package owner. Package owners usually possess elevated privileges, which results in potential security problems.
The PL/SQL package OWF_MGR.WF_EVENT_HTML contains a function called EventQueueDisplay which contains an instance of SQL injection.
Details: By default, the EXECUTE permission on the WF_EVENT_HTML package is granted to PUBLIC and the package is owned by the OWF_MGR schema. As a result, any commands executed by the procedure run under the elevated privileges of the OWF_MGR user.
The OWF_MGR user has been granted the SELECT_CATALOG_ROLE and AQ_ADMINISTRATOR roles.
The function requires the executing user to have a valid wfa_sec session. The procedure pulls values out of the ALL_QUEUES view and then executes as follows:
EXECUTE IMMEDIATE l_sqlstmt INTO l_count USING queues.queue_name;
Anyone with access to the ALL_QUEUES view can insert values that will in turn be executed.
The use of EXECUTE IMMEDIATE results in a possible SQL injection attack if the attacker has privileges to insert values in the ALL_QUEUES view. Although performing this SQL injection may depend on several other factors, it is highly recommended that you revoke EXECUTE permissions from PUBLIC on this package.
Impact:
Attackers can execute SQL under the privileges of the OWF_MGR user.
Workaround:
Revoke the EXECUTE privileges on this package from the PUBLIC role. To revoke the privilege run the following command:
REVOKE EXECUTE ON OWF_MGR.WF_EVENT_HTML FROM PUBLIC;
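The following audit script is an added example, not part of the original advisory. It checks whether the default grant described above is still present, shows what the package owner can do, and confirms the revoke took effect. It assumes a session that can read the DBA_* data dictionary views (for example a DBA account).

```sql
-- 1. Who can execute the package? A row with GRANTEE = 'PUBLIC' means the
--    default grant described in this advisory is still in place.
SELECT grantee, privilege, grantable, grantor
  FROM dba_tab_privs
 WHERE owner      = 'OWF_MGR'
   AND table_name = 'WF_EVENT_HTML'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Roles held by the package owner. These are the privileges that code in
--    the package runs with (the advisory lists SELECT_CATALOG_ROLE and
--    AQ_ADMINISTRATOR).
SELECT granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'OWF_MGR'
 ORDER BY granted_role;

-- 3. Confirm the package is actually installed before deciding the
--    database is unaffected by an empty result in step 1.
SELECT object_name, object_type, status
  FROM dba_objects
 WHERE owner       = 'OWF_MGR'
   AND object_name = 'WF_EVENT_HTML';

-- 4. Apply the workaround from this advisory.
REVOKE EXECUTE ON OWF_MGR.WF_EVENT_HTML FROM PUBLIC;

-- 5. Verify: this must return 0 once the revoke has succeeded.
SELECT COUNT(*) AS public_execute_grants
  FROM dba_tab_privs
 WHERE owner      = 'OWF_MGR'
   AND table_name = 'WF_EVENT_HTML'
   AND privilege  = 'EXECUTE'
   AND grantee    = 'PUBLIC';
```

Any grantees other than PUBLIC returned by step 1 keep their access after the revoke; accounts that legitimately need the package should be given a direct grant instead of relying on PUBLIC.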
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
To fix the problem apply the Critical Patch Update - July 2005 patches.
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
Oracle Advisory: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html