More details coming out on the Oracle patches that were released last week, see Ryan Naraine's write up here. David Litchfield, noted security researcher from NGSSoftware, released details of one of the vulnerabilities on the Full-Disclosure email list today, and the details are staggering. The flaw allows potential unauthenticated remote exploitation resulting in full control of the database server. One thing that I think is key to note here is that this vulnerability was reported in October of 2007 and is just now getting patched in July of 2008. End result is, if you are using Oracle, get patched ASAP. Read the details below...
Litchfield's details are provided below:
Name: PLSQL Injection in Oracle Application Server Systems Affected: Oracle Application Server 188.8.131.52, 10.1.2.2, 10.1.4.1 Severity: Critical Vendor URL: http://www.oracle.com/ Author: David Litchfield [ firstname.lastname@example.org ] Reported: 9th October 2007 Date of Public Advisory: 15th July 2008 Advisory number: #NISR15072008 CVE: CVE-2008-2589
Overview ******** Oracle has just released a fix for a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server.
Details ******* Oracle Application Server installs a number of PLSQL packages in the backend database server. One of these is the WWV_RENDER_REPORT package and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.
Specifically, the SHOW procedure takes as its 2nd argument the name of a function to execute and this is embedded with a dynamically executed anonymous block of PLSQL without first being sanitized. Because it is a block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL statement, for example, create new users, grant dba privileges, delete or modify data. This is achieved by wrapping the statement(s) within an "execute immediate" statement and specifying the autonomous_transaction pragma.