Multiple SQL Injection Vulnerabilities in DBMS_METADATA Package
21 Apr. 2005
Summary
The OBJECT_TYPE parameter -- used in various procedures of theDBMS_METADATA package -- is vulnerable to SQL injection. Although this package executes with the privileges of the calling user, it internally uses another package that executes the injected SQL with the privileges of the SYS user thereby allowing an attacker to gain DBA privileges. By default PUBLIC has EXECUTE privilege on DBMS_METADATA.
Vulnerable Systems:
* Oracle Database Server versions 9i
* Oracle Database Server versions 10g
Impact:
Any low privileged database user can execute functions with DBA privileges. Users with privilges to create or modify a function can
inject a user-defined function in the vulnerable procedure and thus execute SQL statements with DBA privileges.
Workaround:
Revoke Execute privilege on the vulnerable package.
Vendor Status:
Vendor was contacted and a patch was released.
