David Litchfield on details of one of the critical vulnerabilities from the latest Oracle patch

Summary:More details coming out on the Oracle patches that were released last week, see Ryan Naraine's write up here.  David Litchfield, noted security researcher from NGSSoftware, released details of one of the vulnerabilities on the Full-Disclosure email list today, and the details are staggering.

David Litchfield
More details coming out on the Oracle patches that were released last week, see Ryan Naraine's write up here.  David Litchfield, noted security researcher from NGSSoftware, released details of one of the vulnerabilities on the Full-Disclosure email list today, and the details are staggering.  The flaw allows potential unauthenticated remote exploitation resulting in full control of the database server.  One thing that I think is key to note here is that this vulnerability was reported in October of 2007 and is just now getting patched in July of 2008.  End result is, if you are using Oracle, get patched ASAP. Read the details below...

Litchfield's details are provided below:

Name: PLSQL Injection in Oracle Application Server Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1 Severity: Critical Vendor URL: http://www.oracle.com/ Author: David Litchfield [ davidl@ngssoftware.com ] Reported: 9th October 2007 Date of Public Advisory: 15th July 2008 Advisory number: #NISR15072008 CVE: CVE-2008-2589

Overview ******** Oracle has just released a fix for a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server.

Details ******* Oracle Application Server installs a number of PLSQL packages in the backend database server. One of these is the WWV_RENDER_REPORT package and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.

Specifically, the SHOW procedure takes as its 2nd argument the name of a function to execute and this is embedded with a dynamically executed anonymous block of PLSQL without first being sanitized. Because it is a block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL statement, for example, create new users, grant dba privileges, delete or modify data. This is achieved by wrapping the statement(s) within an "execute immediate" statement and specifying the autonomous_transaction pragma.

-Nate

Topics: Data Management, Data Centers, Enterprise Software, Oracle, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.