Application Security Inc. - Database Security, Monitoring, Assessment, Auditing, Encryption, and Regulatory Compliance.

Team SHATTER Security Alert

SQL Injection in OWF_MGR.WF_EVENT_HTML

To determine if you are vulnerable to this attack, download AppDetective from http://www.appsecinc.com/products/appdetective/oracle

Risk level: Medium

Credits: This vulnerability was discovered and researched by Aaron Newman for Application Security, Inc.

Affected versions:
All versions of Oracle Database Server

Background:
Oracle contains a large number of built-in PL/SQL packages. The code in these packages typically executes under the privileges of the package owner. Package owners usually possess elevated privileges, so a flaw in such a package becomes a potential privilege-escalation problem.

The PL/SQL package OWF_MGR.WF_EVENT_HTML contains a function called EventQueueDisplay which contains an instance of SQL injection.

Details: By default, EXECUTE permission on the WF_EVENT_HTML package is granted to PUBLIC, and the package is owned by the OWF_MGR schema. As a result, any command executed by the procedure runs under the elevated privileges of the OWF_MGR user.

The OWF_MGR user has been granted the SELECT_CATALOG_ROLE and AQ_ADMINISTRATOR roles.

The function requires the executing user to have a valid wfa_sec session. The procedure pulls values out of the ALL_QUEUES view and then executes as follows:

EXECUTE IMMEDIATE l_sqlstmt INTO l_count USING queues.queue_name;

Anyone with access to the ALL_QUEUES view can insert values that will in turn be executed.

The use of EXECUTE IMMEDIATE makes a SQL injection attack possible if the attacker has privileges to insert values that appear in the ALL_QUEUES view. Although performing this SQL injection may depend on several other factors, it is highly recommended that you revoke EXECUTE permission from PUBLIC on this package.

Impact:
Attackers can execute SQL under the privileges of OWF_MGR user.

Workaround:
Revoke the EXECUTE privileges on this package from the PUBLIC role. To revoke the privilege run the following command:
REVOKE EXECUTE ON OWF_MGR.WF_EVENT_HTML FROM PUBLIC;
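The following script is an added example, not part of the original advisory: it checks whether the PUBLIC grant is still in place, lists the roles held by OWF_MGR, and applies the revoke only when needed so it can be re-run safely. It assumes a session with access to the DBA_TAB_PRIVS and DBA_ROLE_PRIVS views and with SERVEROUTPUT enabled in SQL*Plus.

```sql
-- Added example (not from the advisory). Requires a DBA-level session.
SET SERVEROUTPUT ON

-- 1. Is EXECUTE on OWF_MGR.WF_EVENT_HTML still granted to PUBLIC?
--    Any row returned means the workaround has not yet been applied.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'OWF_MGR'
   AND table_name = 'WF_EVENT_HTML'
   AND grantee    = 'PUBLIC';

-- 2. Which roles does OWF_MGR hold? The advisory notes it is granted
--    SELECT_CATALOG_ROLE and AQ_ADMINISTRATOR, which is why injected
--    SQL running as OWF_MGR is a concern.
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'OWF_MGR';

-- 3. Apply the workaround only if the grant exists (idempotent).
DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO l_cnt
    FROM dba_tab_privs
   WHERE owner      = 'OWF_MGR'
     AND table_name = 'WF_EVENT_HTML'
     AND grantee    = 'PUBLIC'
     AND privilege  = 'EXECUTE';

  IF l_cnt > 0 THEN
    -- Literal DDL string, no user input concatenated into it.
    EXECUTE IMMEDIATE 'REVOKE EXECUTE ON OWF_MGR.WF_EVENT_HTML FROM PUBLIC';
    DBMS_OUTPUT.PUT_LINE('Revoked EXECUTE on OWF_MGR.WF_EVENT_HTML from PUBLIC');
  ELSE
    DBMS_OUTPUT.PUT_LINE('No PUBLIC EXECUTE grant on OWF_MGR.WF_EVENT_HTML found');
  END IF;
END;
/
```

If specific workflow accounts legitimately need this package, grant EXECUTE to those named users or roles individually after the revoke rather than restoring the PUBLIC grant.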

Vendor Status:
Vendor was contacted and a patch was released.

Fix:
To fix the problem apply the Critical Patch Update - July 2005 patches.
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

Oracle Advisory: http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html