Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability
BID:13236
Info
Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability
| Bugtraq ID: | 13236 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-4832 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 12 2005 12:00AM |
| Updated: | May 12 2015 07:52PM |
| Credit: | Discovery of this issue is credited to Esteban Martínez Fayó of Argeniss. |
| Vulnerable: |
Oracle Oracle10g Standard Edition 10.1 .0.4 Oracle Oracle10g Standard Edition 10.1 .0.3.1 Oracle Oracle10g Standard Edition 10.1 .0.3 Oracle Oracle10g Standard Edition 10.1 .0.2 Oracle Oracle10g Standard Edition 9.0.4 .0 Oracle Oracle10g Personal Edition 10.1 .0.4 Oracle Oracle10g Personal Edition 10.1 .0.3.1 Oracle Oracle10g Personal Edition 10.1 .0.3 Oracle Oracle10g Personal Edition 10.1 .0.2 Oracle Oracle10g Personal Edition 9.0.4 .0 Oracle Oracle10g Enterprise Edition 10.1 .0.4 Oracle Oracle10g Enterprise Edition 10.1 .0.3.1 Oracle Oracle10g Enterprise Edition 10.1 .0.3 Oracle Oracle10g Enterprise Edition 10.1 .0.2 Oracle Oracle10g Enterprise Edition 9.0.4 .0 Oracle Oracle10g Application Server 10.1.2 Oracle Oracle10g Application Server 10.1 .0.3.1 Oracle Oracle10g Application Server 10.1 .0.3 Oracle Oracle10g Application Server 10.1 .0.2 Oracle Oracle10g Application Server 9.0.4 .1 Oracle Oracle10g Application Server 9.0.4 .0 |
| Not Vulnerable: | |
Discussion
Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability
Oracle database is prone to an SQL-injection vulnerability because the software fails to properly sanitize user-supplied data. The 'SUBSCRIPTION_NAME' parameter is vulnerable.
Packages that employ this parameter execute with 'SYS' user privileges. Exploiting the SQL-injection vulnerability can allow an attacker to gain 'SYS' privileges.
The attacker can exploit this issue using malformed PL/SQL statements to pass unauthorized SQL statements to the database. A successful exploit could allow the attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
This issue was originally disclosed in the 'Oracle Critical Patch Update - April 2005' advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory. There is insufficient information at this time to associate this vulnerability with an identifier from the Oracle advisory.
Oracle database is prone to an SQL-injection vulnerability because the software fails to properly sanitize user-supplied data. The 'SUBSCRIPTION_NAME' parameter is vulnerable.
Packages that employ this parameter execute with 'SYS' user privileges. Exploiting the SQL-injection vulnerability can allow an attacker to gain 'SYS' privileges.
The attacker can exploit this issue using malformed PL/SQL statements to pass unauthorized SQL statements to the database. A successful exploit could allow the attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
This issue was originally disclosed in the 'Oracle Critical Patch Update - April 2005' advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory. There is insufficient information at this time to associate this vulnerability with an identifier from the Oracle advisory.
Exploit / POC
Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability
The following proof of concept has been developed. If the preconditions are met, the exploit grants DBA privileges to user "SCOTT":
http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt
The following exploits are available:
The following proof of concept has been developed. If the preconditions are met, the exploit grants DBA privileges to user "SCOTT":
http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt
The following exploits are available:
Solution / Fix
Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address these issues. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update (see the references).
Pre-Installation Notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1
Reports indicate that the patch supplied with 'Oracle Critical Patch Update - April 2005' to address this issue is not effective against systems prior to patchset 2 including Oracle10g versions 10.1.0.2 and 10.1.0.3. The patch reportedly works properly for Oracle10g 10.1.0.4 systems. Note that Symantec has not verified this information.
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address these issues. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update (see the references).
Pre-Installation Notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1
Reports indicate that the patch supplied with 'Oracle Critical Patch Update - April 2005' to address this issue is not effective against systems prior to patchset 2 including Oracle10g versions 10.1.0.2 and 10.1.0.3. The patch reportedly works properly for Oracle10g 10.1.0.4 systems. Note that Symantec has not verified this information.
References
Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability
References:
References:
- Critical Patch Update - April 2005 (Oracle)
- Oracle Homepage (Oracle)
- Oracle Reports 10g Home Page (Oracle)
- OraDBMS_CDC_SUBSCRIBEExploit.txt (Argeniss)
- OraDBMS_CDC_SUBSCRIBEWorkaround.sql (Argeniss)
- Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSC (Team SHATTER
- Re: Problems with the Oracle Critical Patch Update for April 2005 (Cesar