Multiple Vulnerabilities in Oracle Database Server (40 Issues)
2 Sep. 2004
Summary
Multiple buffer overflow and denial of service (DoS) vulnerabilities exist in Oracle Database Server. They allow database users to take complete control of the database or, alternatively, to cause a denial of service.
Details of each vulnerability follow.
#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_INSTANTIATE package
Details:
Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package that can be used in replicated environments to manage the instantiation of deployment templates. This package contains a public procedure DROP_SITE_INSTANTIATION that is used to remove a template instantiation at a target site. When this procedure is called with a long string in the first parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT_INSTANTIATE.DROP_SITE_INSTANTIATION ('longstring','');
END;
Analysis:
By default, EXECUTE on DBMS_REPCAT_INSTANTIATE is granted to PUBLIC, so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
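The PUBLIC grant is the one condition in this item that a DBA can change before the patchset is applied. The SQL below is an added example, not part of the advisory and not Oracle's own tooling: it lists every grantee of EXECUTE on the packages named throughout this advisory (PUBLIC first) and revokes the two default PUBLIC grants reported in items #1-#3 and #41. It assumes a DBA-privileged session on the 9.2 instance and uses only the standard DBA_TAB_PRIVS and DBA_ROLES views; REPADMIN is a placeholder account name.

```sql
-- Added example for this advisory; not Oracle's code. Run as SYS or a DBA account.
-- Step 1: who can execute the packages named in this advisory?
-- Rows with grantee PUBLIC are reachable from every database account, which is what
-- turns an overflow in a replication package into a problem for an instance that
-- does not even use replication.
SELECT tp.owner,
       tp.table_name AS package_name,
       tp.grantee,
       CASE
         WHEN tp.grantee = 'PUBLIC' THEN 'PUBLIC (every account)'
         WHEN r.role IS NOT NULL     THEN 'ROLE'
         ELSE 'USER'
       END AS grantee_type,
       tp.grantable
  FROM dba_tab_privs tp
  LEFT JOIN dba_roles r ON r.role = tp.grantee
 WHERE tp.privilege = 'EXECUTE'
   AND tp.owner IN ('SYS', 'MDSYS', 'CTXSYS', 'WMSYS')
   AND tp.table_name IN (
         'DBMS_REPCAT_INSTANTIATE', 'DBMS_REPCAT', 'DBMS_REPCAT_ADMIN',
         'DBMS_REPCAT_RGT', 'DBMS_REPCAT_AUTH', 'DBMS_REPCAT_FLA',
         'DBMS_REPCAT_RQ', 'DBMS_REPCAT_UTL', 'DBMS_OFFLINE_OG',
         'DBMS_OFFLINE_SNAPSHOT', 'DBMS_SYSTEM', 'DBMS_AQ_IMPORT_INTERNAL',
         'DBMS_AQADM', 'DBMS_AQADM_SYS', 'DBMS_DEFER_INTERNAL_SYS',
         'DBMS_DEFER_REPCAT', 'DBMS_INTERNAL_REPCAT', 'DBMS_RECTIFIER_DIFF',
         'CTX_OUTPUT', 'LTUTIL', 'MD2')
 ORDER BY DECODE(tp.grantee, 'PUBLIC', 0, 1), tp.owner, tp.table_name, tp.grantee;

-- Step 2: interim hardening until 9.2.0.5 is installed. Remove the two PUBLIC
-- grants this advisory reports as present by default (items #1-#3 and #41), then
-- grant EXECUTE back only to the accounts that administer replication or Spatial.
-- Test on a non-production copy first: existing code that relied on the PUBLIC
-- grant fails with PLS-00201 (identifier must be declared) until it is regranted.
REVOKE EXECUTE ON sys.dbms_repcat_instantiate FROM PUBLIC;
REVOKE EXECUTE ON mdsys.md2                   FROM PUBLIC;
-- GRANT EXECUTE ON sys.dbms_repcat_instantiate TO repadmin;  -- REPADMIN: placeholder name

-- Step 3: confirm nothing is left for PUBLIC on the two packages (expect no rows).
SELECT owner, table_name, grantee
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND ((owner = 'SYS'   AND table_name = 'DBMS_REPCAT_INSTANTIATE')
     OR (owner = 'MDSYS' AND table_name = 'MD2'));
```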
#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of DBMS_REPCAT_INSTANTIATE package
Details:
Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package that can be used in replicated environments to manage the instantiation of deployment templates. This package contains a public function INSTANTIATE_OFFLINE that is used to generate a script at the master site to create the materialized view environment at the remote materialized view site while offline. When this function is called with a long string in the first parameter a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
SELECT DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE ('longstring','') FROM Dual
or
DECLARE
a NUMBER;
BEGIN
a := DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE('longstring','');
END;
Analysis:
By default, EXECUTE on DBMS_REPCAT_INSTANTIATE is granted to PUBLIC, so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#3 - Buffer overflow in public function INSTANTIATE_ONLINE of DBMS_REPCAT_INSTANTIATE package
Details:
Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package that can be used in replicated environments to manage the instantiation of deployment templates. This package contains a public function INSTANTIATE_ONLINE that is used to generate a script at the master site to create the materialized view environment at the remote materialized view site while online. When this function is called with a long string in the first parameter a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
SELECT DBMS_REPCAT_INSTANTIATE.INSTANTIATE_ONLINE ('longstring','') FROM Dual
Analysis:
By default, EXECUTE on DBMS_REPCAT_INSTANTIATE is granted to PUBLIC, so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#4 - Buffer overflow on "gname" parameter on procedures of Replication Management API Packages
Details:
Oracle Database Server provides a set of packages that can be used to administer a replicated environment. Some procedures of these packages use the parameter "gname" to specify a group name. When a long string is passed to this parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.DROP_MASTER_REPGROUP ('longstring');
END;
or
BEGIN
DBMS_REPCAT.ALTER_MVIEW_PROPAGATION ('longstring', '');
END;
or
BEGIN
DBMS_OFFLINE_OG.BEGIN_LOAD ('longstring', 'x');
END;
or
BEGIN
DBMS_OFFLINE_SNAPSHOT.END_LOAD ('longstring', 'x', 'd');
END;
etc.
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles, and users granted execute permissions on the vulnerable packages.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#5 - Buffer overflow on "sname" and "oname" parameters on procedures of DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameters "sname" to specify a schema name and "oname" to specify an object name. When a long string is passed to any of these parameters a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.ADD_GROUPED_COLUMN ('longstring', 'longstring', 'cc','dd');
END;
or
BEGIN
DBMS_REPCAT.ADD_DELETE_RESOLUTION ('longstring', 'longstring', 0, '', '');
END;
or
BEGIN
DBMS_REPCAT.CANCEL_STATISTICS ('longstring', 'longstring');
END;
etc.
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "type" to specify the type of the object being referenced in other parameters. When a long string is passed to this parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.ALTER_MASTER_REPOBJECT ('', '', 'longstring', 'dd', 'ee', false,false);
END;
BEGIN
DBMS_REPCAT.DROP_MASTER_REPOBJECT ('aa', 'bb', 'longstring');
END;
etc.
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles, and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#7 - Buffer overflow on "gowner" parameter on procedures of the DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "gowner" to specify the owner of the materialized view group. When a long string is passed to this parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.DROP_MVIEW_REPGROUP ('', false, 'longstring');
END;
or
BEGIN
DBMS_REPCAT.REFRESH_MVIEW_REPGROUP ('', false, false, false, 'longstring');
END;
or
BEGIN
DBMS_REPCAT.REPCAT_IMPORT_CHECK ('longstring', false, 'longstring');
END;
etc.
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles, and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "operation" to specify the kind of data operation ('update', 'delete' or both). When a long string is passed to this parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.COMPARE_OLD_VALUES ('hr', 'employees', 'employee_id', 'longstring', true);
END;
or
BEGIN
DBMS_REPCAT.SEND_OLD_VALUES ('hr', 'employees', 'employee_id','longstring');
END;
etc.
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. This package contains a procedure CREATE_MVIEW_REPGROUP used to create a new materialized view group in the local database. When this procedure is called with a long string in the fifth parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.CREATE_MVIEW_REPGROUP ('', '', '', '', 'longstring', '');
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. This package contains a procedure GENERATE_REPLICATION_SUPPORT used to generate the triggers and packages needed to support replication for a specified object.
When this procedure is called with a long string in the "package_prefix" or "procedure_prefix" parameters a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT ('aa', 'bb', 'TABLE', 'longstring','longstring', true, 'gg');
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
Details:
Oracle Database Server provides the DBMS_REPCAT_ADMIN package that can be used to create users with the privileges needed by the symmetric replication facility. This package contains the procedures REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP, used to assign and revoke proxy materialized view administrator or receiver privileges at the master site or master materialized view site for use with remote sites. When either procedure is called with a long string in the "privilege_type" parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
DBMS_REPCAT_ADMIN.REGISTER_USER_REPGROUP ('sys', 'longstring', '');
END;
or
BEGIN
DBMS_REPCAT_ADMIN.UNREGISTER_USER_REPGROUP ('sys', 'longstring', '');
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions on the DBMS_REPCAT_ADMIN package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#12 - Buffer overflow in functions INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_RGT package
Details:
Oracle Database Server provides the DBMS_REPCAT_RGT package that can be used to control the maintenance and definition of refresh group templates. This package contains the functions INSTANTIATE_OFFLINE and INSTANTIATE_ONLINE and the procedure DROP_SITE_INSTANTIATION. When any of these is called with a long string in the "refresh_template_name" or the "user_name" parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
SELECT DBMS_REPCAT_RGT.INSTANTIATE_OFFLINE ('longstring', '', '') FROM Dual;
or
SELECT DBMS_REPCAT_RGT.INSTANTIATE_ONLINE ('some_refresh_template_name', '', 'longstring') FROM Dual;
or
BEGIN
DBMS_REPCAT_RGT.DROP_SITE_INSTANTIATION ('longstring', '', '');
END;
etc.
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on DBMS_REPCAT_RGT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#13 - Buffer overflow on TEMPFILE parameter
Details:
Oracle Database Server allows specifying temporary files to be used by the database when creating or altering a tablespace, altering a database, etc. When a long string is passed to the TEMPFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
ALTER TABLESPACE TablespaceName ADD TEMPFILE 'longstringhere';
Analysis:
This vulnerability can be exploited through ALTER DATABASE by users with the ALTER DATABASE system privilege, through CREATE TABLESPACE by users with the CREATE TABLESPACE system privilege, and through ALTER TABLESPACE by users with the ALTER TABLESPACE system privilege. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g not vulnerable.
#14 - Buffer overflow on LOGFILE parameter
Details:
Oracle Database Server allows adding redo log files for use by the database with the ALTER DATABASE statement. When a long string is passed to the LOGFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
ALTER DATABASE CLEAR LOGFILE 'longstringhere';
or
ALTER DATABASE RECOVER LOGFILE 'longstringhere';
or
ALTER DATABASE DROP LOGFILE MEMBER 'longstringhere';
etc.
Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE system privilege. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g not vulnerable.
#15 - Buffer overflow on CONTROLFILE parameter
Details:
Oracle Database Server allows control files to be created and backed up for later use through the ALTER DATABASE statement. When a long string is passed to the CONTROLFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
ALTER DATABASE BACKUP CONTROLFILE TO 'longstringhere';
or
ALTER DATABASE CREATE STANDBY CONTROLFILE AS 'longstringhere';
or
etc.
Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE system privilege. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g not vulnerable.
#16 - Buffer overflow on FILE parameter
Details:
Oracle Database Server allows the data files used by the database to be renamed with the ALTER DATABASE statement. When a long string is passed to the FILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
ALTER DATABASE RENAME FILE 'longstringhere' TO 'anything';
Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE system privilege.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g not vulnerable.
#17 - Buffer overflow in Interval Conversion Functions
Details:
Oracle Database Server provides two functions, NUMTOYMINTERVAL and NUMTODSINTERVAL, that can be used in SQL and PL/SQL to convert numbers to date/time intervals. When either function is called with a long string as the second parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;
SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;
Analysis:
This vulnerability can be exploited by any Oracle Database user because access to these functions can't be restricted.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 3 (9.2.0.4) Patch 3. 10g not vulnerable.
#18 - Buffer overflow in String Conversion Function
Details:
Oracle Database Server provides the TO_CHAR function, which can be used in SQL and PL/SQL to convert a number or date to a string. When TO_CHAR is called with the function SYSTIMESTAMP (which returns the system date, including fractional seconds and the time zone of the database) as the first parameter and a long string as the second parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
select TO_CHAR(SYSTIMESTAMP, 'longstringhere') from dual;
Analysis:
This vulnerability can be exploited by any Oracle Database user because access to this function can't be restricted.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process. Calling TO_CHAR with a first parameter other than SYSTIMESTAMP does not appear to cause a buffer overflow, but it cannot be ruled out that other values also trigger one.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. Fixed in 10g Release 1.
#19 - Buffer overflow in CTX_OUTPUT Package Function
Details:
Oracle Database Server provides many packages. One of them, CTX_OUTPUT, can be used to log indexing and document service requests. It has a vulnerable function, START_LOG, which causes a buffer overflow when called with a long string.
To reproduce the overflow, execute the next PL/SQL:
begin
CTX_OUTPUT.START_LOG('longstringhere');
end;
Analysis:
This vulnerability can be exploited by members of Oracle CTXAPP Role, CTXSYS user and users granted execute permissions on CTX_OUTPUT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in the latest Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g not vulnerable.
#21 - Buffer overflow on DATAFILE parameter
Details:
Oracle Database Server allows specifying the data files where data will be stored when creating a database, altering an index, etc. When a long string is passed to the DATAFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next SQL:
ALTER DATABASE datafile 'longstringhere' ONLINE;
or
ALTER INDEX indexname allocate extent(datafile 'longstringhere');
or
ALTER CLUSTER clustername allocate extent(datafile 'longstringhere');
etc.
Analysis:
This vulnerability can be exploited in many ways:
1. using ALTER INDEX statement by users who have their own schema and users with ALTER ANY INDEX system privilege
2. using ALTER DATABASE by users with the ALTER DATABASE system privilege
3. using CREATE TABLESPACE by users with the CREATE TABLESPACE system privilege
4. using ALTER CLUSTER by users who have their own schema and users with the ALTER ANY CLUSTER system privilege
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in the latest Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g not vulnerable.
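Items #13-#16 and #21 are reached through system privileges rather than package grants, so the exposure question is who effectively holds ALTER DATABASE, CREATE TABLESPACE, ALTER TABLESPACE, ALTER ANY INDEX or ALTER ANY CLUSTER. The SQL below is an added example, not part of the advisory: it resolves direct grants and grants inherited through nested roles, and lists the SYSDBA accounts that hold every system privilege implicitly. It assumes a DBA-privileged session on a 9.2 instance and uses only the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and V$PWFILE_USERS views.

```sql
-- Added example for this advisory; not Oracle's code. Run as SYS or a DBA account.
-- Effective holders of the system privileges behind items #13-#16 and #21.

-- Part 1: privileges granted directly to a user account.
SELECT sp.privilege,
       sp.grantee AS username,
       'DIRECT'   AS granted_via
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege IN ('ALTER DATABASE', 'CREATE TABLESPACE', 'ALTER TABLESPACE',
                        'ALTER ANY INDEX', 'ALTER ANY CLUSTER')
UNION ALL
-- Part 2: privileges reached through a chain of roles. The hierarchical query
-- starts at every user-to-role grant and follows role-to-role grants, so a
-- privilege hidden two or three roles deep is still attributed to the user.
-- SYS_CONNECT_BY_PATH records the chain as '/USER/ROLE1'; the user is its first
-- element, and the role that actually holds the privilege is appended at the end.
SELECT sp.privilege,
       SUBSTR(chain.path, 2, INSTR(chain.path || '/', '/', 2) - 2) AS username,
       'ROLE ' || chain.path || '/' || chain.granted_role         AS granted_via
  FROM dba_sys_privs sp
  JOIN (SELECT granted_role,
               SYS_CONNECT_BY_PATH(grantee, '/') AS path
          FROM dba_role_privs
         START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY PRIOR granted_role = grantee) chain
    ON chain.granted_role = sp.grantee
 WHERE sp.privilege IN ('ALTER DATABASE', 'CREATE TABLESPACE', 'ALTER TABLESPACE',
                        'ALTER ANY INDEX', 'ALTER ANY CLUSTER')
 ORDER BY 1, 2, 3;

-- Part 3: SYSDBA connections bypass the privilege checks above entirely, so the
-- password-file entries are part of the same exposure.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE sysdba = 'TRUE';
```

A user who reaches the same role by two different chains appears twice in Part 2, once per chain, which is intended: each row is one grant path that has to be reviewed or revoked.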
#22 - Buffer overflow in DBMS_SYSTEM package function
Details:
Oracle Database Server provides many packages. One of them, DBMS_SYSTEM, can be used to gather information about events set in the current session. It can also be used to manipulate other users' sessions and change the values of certain init.ora parameters. It contains a vulnerable function that causes a buffer overflow when called with a long string in the second parameter.
To reproduce the overflow, execute the next PL/SQL:
begin
DBMS_SYSTEM.KSDWRT(2,'longstringhere');
end;
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on DBMS_SYSTEM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.
#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used to administer and update the replication catalog and environment. Some procedures of this package use the parameter "fname". When a long string is passed to this parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
SYS.DBMS_REPCAT_FLA.ENSURE_NOT_PUBLISHED('', 'longstring');
END;
etc.
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA roles, and users granted execute permissions on the DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.
#25 - Buffer overflow on procedures of the Replication Management API packages
Details:
Oracle Database Server provides a set of packages that can be used to administer a replicated environment. Some procedures of these packages are vulnerable to buffer overflow.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
SYS.DBMS_REPCAT_AUTH.GRANT_SURROGATE_REPCAT('longstring');
END;
or
BEGIN
SYS.DBMS_REPCAT_AUTH.REVOKE_SURROGATE_REPCAT('longstring');
END;
etc.
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on the packages.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.
#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*Plus Service
Details:
SQL*Plus is an interactive and batch query tool that is installed with every Oracle Database Server or Client installation. It has a command-line user interface, a Windows graphical user interface (GUI) and the iSQL*Plus web-based user interface. iSQL*Plus is a browser-based interface that uses the SQL*Plus processing engine. A heap overflow vulnerability exists in this service: the buffer is overflowed by supplying a long string in the 'username' or the 'connectID' parameter of /isqlplus/login.uix.
Analysis:
A remote unauthenticated user can execute arbitrary code in the context of the iSQL*Plus service. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Oracle 9i not affected. Fixed in Oracle 10g Patchset 1.
#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of DBMS_AQ_IMPORT_INTERNAL package
Details:
When AQ_TABLE_DEFN_UPDATE procedure is called with a long string in the QT_NAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of any of the following roles: EXECUTE_CATALOG_ROLE, EXP_FULL_DATABASE, AQ_ADMINISTRATOR_ROLE or SYSDBA, and by users granted execute permissions on the DBMS_AQ_IMPORT_INTERNAL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of DBMS_AQADM package
Details:
When VERIFY_QUEUE_TYPES_GET_NRP procedure is called with a long string in the SRC_QUEUE_NAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of any of the following roles: EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, QS_ADM, QS, QS_WS, QS_ES, QS_OS, QS_CBADM, QS_CB, QS_CS or SYSDBA, and by users granted execute permissions on the DBMS_AQADM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of DBMS_AQADM package
Details:
When VERIFY_QUEUE_TYPES_NO_QUEUE procedure is called with a long string in the SRC_QUEUE_NAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of any of the following roles: EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, QS_ADM, QS, QS_WS, QS_ES, QS_OS, QS_CBADM, QS_CB, QS_CS or SYSDBA, and by users granted execute permissions on the DBMS_AQADM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS package
Details:
When VERIFY_QUEUE_TYPES procedure is called with a long string in the SRC_QUEUE_NAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on DBMS_AQADM_SYS package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of DBMS_DEFER_INTERNAL_SYS package
Details:
When PARALLEL_PUSH_RECOVERY procedure is called with a long string in the DESTINATION parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of the SYSDBA role and users granted execute permissions on the DBMS_DEFER_INTERNAL_SYS package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of DBMS_DEFER_REPCAT package
Details:
When ENABLE_PROPAGATION_TO_DBLINK procedure is called with a long string as the parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
DECLARE
RET_VALUE_X123 BOOLEAN;
BEGIN
RET_VALUE_X123 := SYS.DBMS_DEFER_REPCAT.ENABLE_PROPAGATION_TO_DBLINK('longstring');
END;
or
DECLARE a BOOLEAN; -- return value
BEGIN
a := SYS.DBMS_DEFER_REPCAT.ENABLE_PROPAGATION_TO_DBLINK (DBLINK => 'longstring', NORMAL_ONLY => FALSE, INTERNAL_SET => FALSE);
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA role and users granted execute permissions on DBMS_DEFER_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of DBMS_INTERNAL_REPCAT package
Details:
When DISABLE_RECEIVER_TRACE procedure is called with a long string in the GNAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
SYS.DBMS_INTERNAL_REPCAT.DISABLE_RECEIVER_TRACE (GNAME => 'longstring');
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA role and users granted execute permissions on DBMS_INTERNAL_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of DBMS_INTERNAL_REPCAT package
Details:
When ENABLE_RECEIVER_TRACE procedure is called with a long string in the GNAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
BEGIN
SYS.DBMS_INTERNAL_REPCAT.ENABLE_RECEIVER_TRACE (GNAME => 'longstring');
END;
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA role and users granted execute permissions on DBMS_INTERNAL_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package
Details:
When VALIDATE procedure is called with a long string in the GNAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA role and users granted execute permissions on DBMS_INTERNAL_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF package
Details:
When the DIFFERENCES procedure is called with a long string in one of its parameters, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or SYSDBA role and users granted execute permissions on DBMS_RECTIFIER_DIFF package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g not vulnerable.
#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
Details:
When ADD_COLUMN procedure is called with a long string in the SCHEMA_NAME parameter a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on DBMS_REPCAT_RQ package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
Details:
When the IS_MASTER procedure is called with a long string in the CANON_GNAME parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on DBMS_REPCAT_UTL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
Details:
When the PUSHDEFERREDTXNS procedure is called with a long string in the REPGRPNAME parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of WMSYS or SYSDBA role and users granted execute permissions on LTUTIL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g is not vulnerable.
#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
Details:
When the SDO_CODE_SIZE procedure is called with a long string in the LAYER parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
DECLARE a BINARY_INTEGER; -- return value
BEGIN
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => 'longstring');
END;
Analysis:
By default SDO_CODE_SIZE has EXECUTE permission to PUBLIC so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.
#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
Details:
When the VALIDATE_GEOM procedure is called with a long string in the LAYER parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
DECLARE a VARCHAR2(32767); -- return value
BEGIN
a := MDSYS.MD2.VALIDATE_GEOM (LAYER => 'longstring', GID => 1, ESEQ => 1);
END;
Analysis:
By default VALIDATE_GEOM has EXECUTE permission to PUBLIC so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.
#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package
Details:
When the SDO_CODE_SIZE procedure is called with a long string in the LAYER parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
DECLARE a BINARY_INTEGER; -- return value
BEGIN
a := MDSYS.SDO_ADMIN.SDO_CODE_SIZE (LAYER => 'longstring');
END;
Analysis:
By default SDO_CODE_SIZE has EXECUTE permission to PUBLIC so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.
#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
Details:
When the SUBINDEXPOPULATE procedure is called with a long string in the LOGFILE parameter, a buffer overflow occurs.
To reproduce the overflow, execute the next PL/SQL:
Analysis:
This vulnerability can be exploited by members of SYSDBA role and users granted execute permissions on DRIDDLR package.
Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a DoS (denial of service) by killing the Oracle server process.
Vendor Fix:
Fixed in Patchset 4 (9.2.0.5) Patch 3. 10g Release 1 not vulnerable.
Comments:
Exploitation of these vulnerabilities allows an attacker to completely compromise both the OS and the database when Oracle is running on the Windows platform, because there Oracle must run under the Local System account or under an administrative account. When Oracle is running on *nix, only the database would be compromised, because Oracle usually runs under the oracle user, which has restricted permissions.
Workaround:
* Check package permissions and remove PUBLIC grants; set the minimal permissions that fit your needs
* Restrict users from executing PL/SQL statements directly against the server
* Periodically audit user permissions on all database objects
* Lock users that aren't used
* Change default passwords
* Keep Oracle up to date with patches
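The first, third and fourth workarounds above, as an added example that is not part of the advisory: an inventory of EXECUTE grants on the packages this advisory names, followed by the REVOKE and AUDIT statements for the two Spatial packages. Package names are taken from the advisory and MDSYS as owner of MD2 and SDO_ADMIN is stated on the page; the owners of the other packages are read from the first query rather than assumed.

```sql
-- Added example, not part of the advisory. Run as a DBA on 9.2 / 10g.
-- Package names are those listed in this advisory; MDSYS as owner of MD2
-- and SDO_ADMIN is stated in the advisory, other owners come from query 1.

-- 1. Which affected packages are executable by PUBLIC (the condition that
--    lets "any Oracle database user" reach the overflow)?
SELECT owner, table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE privilege  = 'EXECUTE'
   AND grantee    = 'PUBLIC'
   AND table_name IN ('DBMS_REPCAT_INSTANTIATE', 'DBMS_INTERNAL_REPCAT',
                      'DBMS_RECTIFIER_DIFF', 'DBMS_REPCAT_RQ',
                      'DBMS_REPCAT_UTL', 'LTUTIL', 'MD2',
                      'SDO_ADMIN', 'DRIDDLR')
 ORDER BY owner, table_name;

-- 2. Every other grantee (user or role) holding EXECUTE on the same
--    packages; each row is an account or role that can reach the bug.
SELECT owner, table_name, grantee, grantable
  FROM dba_tab_privs
 WHERE privilege  = 'EXECUTE'
   AND grantee   <> 'PUBLIC'
   AND table_name IN ('DBMS_REPCAT_INSTANTIATE', 'DBMS_INTERNAL_REPCAT',
                      'DBMS_RECTIFIER_DIFF', 'DBMS_REPCAT_RQ',
                      'DBMS_REPCAT_UTL', 'LTUTIL', 'MD2',
                      'SDO_ADMIN', 'DRIDDLR')
 ORDER BY table_name, grantee;

-- 3. Drop the PUBLIC grants reported by query 1; the two Spatial packages
--    are shown, repeat with the owner reported for the others.
REVOKE EXECUTE ON MDSYS.MD2 FROM PUBLIC;
REVOKE EXECUTE ON MDSYS.SDO_ADMIN FROM PUBLIC;

-- 4. Record remaining EXECUTE calls (needs the AUDIT_TRAIL parameter
--    enabled) so a call from an unexpected account shows up in
--    DBA_AUDIT_TRAIL.
AUDIT EXECUTE ON MDSYS.MD2 BY ACCESS;
AUDIT EXECUTE ON MDSYS.SDO_ADMIN BY ACCESS;

-- 5. Verify: this should now return 0 for MD2 and SDO_ADMIN.
SELECT COUNT(*) AS public_execute_grants
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE'
   AND owner = 'MDSYS' AND table_name IN ('MD2', 'SDO_ADMIN');
```

Revoking from PUBLIC can break applications that rely on Spatial or replication features, so test it first and treat it as a stopgap until the patchset named under each Vendor Fix is applied.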
Vendor Contact:
Vendor was contacted and has released fixes. Please click on each vulnerability to see details.