Oracle 9i/10g Database OBJECT_TYPE Remote SQL Injection Vulnerability
BID:13238
Info
Oracle 9i/10g Database OBJECT_TYPE Remote SQL Injection Vulnerability
| Bugtraq ID: | 13238 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 12 2005 12:00AM |
| Updated: | Apr 12 2005 12:00AM |
| Credit: | Discovery of this issue is credited to Esteban Martínez Fayó of Argeniss. |
| Vulnerable: |
Oracle Oracle9i Standard Edition 9.2 .6 Oracle Oracle9i Standard Edition 9.2 .3 Oracle Oracle9i Standard Edition 9.2 .0.5 Oracle Oracle9i Standard Edition 9.2 .0.3 Oracle Oracle9i Standard Edition 9.2 .0.2 Oracle Oracle9i Standard Edition 9.2 .0.1 Oracle Oracle9i Standard Edition 9.2 Oracle Oracle9i Standard Edition 9.0.4 Oracle Oracle9i Standard Edition 9.0.2 Oracle Oracle9i Standard Edition 9.0.1 .5 Oracle Oracle9i Standard Edition 9.0.1 .4 Oracle Oracle9i Standard Edition 9.0.1 .3 Oracle Oracle9i Standard Edition 9.0.1 .2 Oracle Oracle9i Standard Edition 9.0.1 Oracle Oracle9i Standard Edition 9.0 .2.4 Oracle Oracle9i Standard Edition 9.0 Oracle Oracle9i Standard Edition 8.1.7 Oracle Oracle9i Personal Edition 9.2 .6 Oracle Oracle9i Personal Edition 9.2 .0.5 Oracle Oracle9i Personal Edition 9.2 .0.3 Oracle Oracle9i Personal Edition 9.2 .0.2 Oracle Oracle9i Personal Edition 9.2 .0.1 Oracle Oracle9i Personal Edition 9.2 Oracle Oracle9i Personal Edition 9.0.4 Oracle Oracle9i Personal Edition 9.0.1 .5 Oracle Oracle9i Personal Edition 9.0.1 .4 Oracle Oracle9i Personal Edition 9.0.1 Oracle Oracle9i Personal Edition 9.0 .2.4 Oracle Oracle9i Personal Edition 8.1.7 Oracle Oracle9i Lite 5.0 .2.9.0 Oracle Oracle9i Lite 5.0 .2.0.0 Oracle Oracle9i Lite 5.0 .1.0.0 Oracle Oracle9i Lite 5.0 .0.0.0 Oracle Oracle9i Enterprise Edition 9.2 .6.0 Oracle Oracle9i Enterprise Edition 9.2 .2 Oracle Oracle9i Enterprise Edition 9.2 .0.5 Oracle Oracle9i Enterprise Edition 9.2 .0.3 Oracle Oracle9i Enterprise Edition 9.2 .0.1 Oracle Oracle9i Enterprise Edition 9.2 .0 Oracle Oracle9i Enterprise Edition 9.0.4 Oracle Oracle9i Enterprise Edition 9.0.1 .5 Oracle Oracle9i Enterprise Edition 9.0.1 .4 Oracle Oracle9i Enterprise Edition 9.0.1 Oracle Oracle9i Enterprise Edition 9.0 .2.4 Oracle Oracle9i Enterprise Edition 8.1.7 Oracle Oracle10g Standard Edition 10.1 .0.4 Oracle Oracle10g Standard Edition 10.1 .0.3.1 Oracle Oracle10g Standard Edition 10.1 .0.3 Oracle Oracle10g Standard Edition 10.1 .0.2 Oracle Oracle10g Standard Edition 9.0.4 .0 Oracle Oracle10g Personal Edition 10.1 .0.4 Oracle Oracle10g Personal Edition 10.1 .0.3.1 Oracle Oracle10g Personal Edition 10.1 .0.3 Oracle Oracle10g Personal Edition 10.1 .0.2 Oracle Oracle10g Personal Edition 9.0.4 .0 Oracle Oracle10g Enterprise Edition 10.1 .0.4 Oracle Oracle10g Enterprise Edition 10.1 .0.3.1 Oracle Oracle10g Enterprise Edition 10.1 .0.3 Oracle Oracle10g Enterprise Edition 10.1 .0.2 Oracle Oracle10g Enterprise Edition 9.0.4 .0 |
| Not Vulnerable: | |
Discussion
Oracle 9i/10g Database OBJECT_TYPE Remote SQL Injection Vulnerability
Oracle database is prone to an SQL injection vulnerability. This issue exists due to insufficient sanitization of user-supplied data.
The 'OBJECT_TYPE' parameter that is used by the 'DBMS_METADATA' package is vulnerable.
The package that is vulnerable, executes with the privileges of the calling user. However, the package employs another package, which executes the injected SQL with SYS user privileges.
This issue can be exploited using malformed PL/SQL statements to pass unauthorized SQL statements to the database. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
This issue was originally disclosed in the 'Oracle Critical Patch Update - April 2005' advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory. There is insufficient information at this point in time to associate this vulnerability with an identifier from the Oracle advisory.
Oracle database is prone to an SQL injection vulnerability. This issue exists due to insufficient sanitization of user-supplied data.
The 'OBJECT_TYPE' parameter that is used by the 'DBMS_METADATA' package is vulnerable.
The package that is vulnerable, executes with the privileges of the calling user. However, the package employs another package, which executes the injected SQL with SYS user privileges.
This issue can be exploited using malformed PL/SQL statements to pass unauthorized SQL statements to the database. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
This issue was originally disclosed in the 'Oracle Critical Patch Update - April 2005' advisory. BID 13139 Oracle Multiple Vulnerabilities describes the issues covered in the Oracle advisory. There is insufficient information at this point in time to associate this vulnerability with an identifier from the Oracle advisory.
Exploit / POC
Oracle 9i/10g Database OBJECT_TYPE Remote SQL Injection Vulnerability
There is no exploit required. A proof of concept exploit has been published by Argeniss. If the preconditions are met, this exploit will grant DBA privileges to user "SCOTT":
http://www.argeniss.com/research/OraDBMS_METADATAExploit.txt
There is no exploit required. A proof of concept exploit has been published by Argeniss. If the preconditions are met, this exploit will grant DBA privileges to user "SCOTT":
http://www.argeniss.com/research/OraDBMS_METADATAExploit.txt
Solution / Fix
Oracle 9i/10g Database OBJECT_TYPE Remote SQL Injection Vulnerability
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address these issues. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update in references.
Pre-Installation Notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address these issues. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update in references.
Pre-Installation Notes for Oracle Database Server can be found at the following location:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1
References
Oracle 9i/10g Database OBJECT_TYPE Remote SQL Injection Vulnerability
References:
References:
- Critical Patch Update - April 2005 (Oracle)
- Oracle Homepage (Oracle)
- OraDBMS_METADATAExploit.txt (Argeniss)
- OraDBMS_METADATAWorkaround.sql (Argeniss)
- Multiple SQL Injection vulnerabilities in DBMS_METADATA package (Team SHATTER