Multiple SQL Injection Vulnerabilities in Oracle Application Server 9i and RDBMS (#NISR05112003)

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 11/05/03

  • Next message: Kurt Seifried: "Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"
    Date:         Wed, 5 Nov 2003 18:46:21 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NGSSoftware Insight Security Research Advisory

    Name : Multiple Oracle Application Server SQL Injection Vulnerabilities
    Systems Affected: All OS platforms; Oracle9i Application Server Release 1
    and 2 and RDBMS
    Severity : High Risk
    Vendor URL : http://www.oracle.com/
    Author : David Litchfield (david@ngssoftware.com)
    Date : 5th November 2003
    Advisory number : #NISR05112003

    Description
    ***********
    Oracle's RDBMS, a leading database server package, supports stored packages
    and procedures through the use of PL/SQL. These packages and procedures can
    be accessed through Oracle's Application Server's Portal module. Oracle
    Application Server is a web server designed for Oracle applications. Many of
    the PL/SQL packages and procedures are vulnerable to SQL Injection. Using
    these vulnerabilities an unauthenticated attacker can gain access to all
    data in the database from the Internet.

    Details
    *******
    By default, Oracle Application Server allows unauthenticated users on the
    web to access PL/SQL packages and procedures stored in the RDBMS. When a
    PL/SQL procedure is executed it either does so with the security rights of
    the invoker or the definer. In the latter case, if a PL/SQL procedure
    defined by the powerful 'SYS' or 'SYSTEM' login is executed by a low
    privileged user that user can access data they would not directly be able to
    access. By executing such a procedure via Oracle Application Server and with
    these SQL Injection vulnerabilities it is possible for an attacker to gain
    access to all data within the database. For example, an attacker could gain
    access to account details including database usernames and password hashes.
    Whilst there are some vulnerable packages that do allow this level of access
    most do not. Those known to be vulnerable include the packages used for
    Portal DB Forms, Hierarchy, XML Components and List of Values. All of the
    packages are required by the RDBMS so they can't be deleted.

    Fix Information
    ***************
    NGSSoftware alerted Oracle to these vulnerabilities between September and
    October 2002, last year. Oracle has reviewed the code of the PL/SQL Packages
    and procedures and fixed these issues. A patch is available from Metalink.
    Please see

    http://otn.oracle.com/deploy/security/pdf/2003alert61.pdf

    for more details.

    NGSSoftware advise Oracle database customers to review and install the patch
    as a matter of urgency.

    A check for this issue already exists in NGSSQuirreL for Oracle, a
    comprehensive automated vulnerability assessment tool for Oracle Database
    Servers of which more information is available from the NGSSite.

    http://www.ngssoftware.com/software/squirrelfororacle.html

    About NGSSoftware
    *****************
    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware have
    offices in the South of London and the East Coast of Scotland. NGSSoftware's
    sister company NGSConsulting, offers best of breed security consulting
    services, specialising in application, host and network security
    assessments.

    http://www.ngssoftware.com/
    http://www.ngsconsulting.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
    

  • Next message: Kurt Seifried: "Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III"

    Relevant Pages

    • Re: FTP Tagging anyone?
      ... > secured against various different kinds of vulnerabilities, ... formatting the system is probably not necessary. ... baseline server looks like, so they can't tell what is and isn't suspicious ... this depends on your security needs. ...
      (microsoft.public.inetserver.iis.security)
    • Multiple Vulnerabilities Sybase Anywhere 9
      ... NGSSoftware Insight Security Research Advisory ... Multiple Vulnerabilities in Adaptive Server Anywhere Network Server ... attack allowing an authenticated user to escalate privileges to 'dba' within ...
      (NT-Bugtraq)
    • [EXPL] Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DB
      ... Get your security news from a reliable source. ... Injection Vulnerabilities in DBMS_METADATA Package, ... vulnerabilities have been discovered in Oracle. ... Oracle, you think you are secure because you are up to date with patches, ...
      (Securiteam)
    • Fwd: CERT Advisory CA-2003-05 Multiple Vulnerabilities in Oracle Servers
      ... Multiple vulnerabilities exist in Oracle software that may lead to ... Multiple vulnerabilities exist in Oracle9i Application Server, ... Oracle has published Security Alerts describing these vulnerabilities. ... Any material furnished by Carnegie Mellon University and the Software ...
      (Bugtraq)
    • [NEWS] CERT advisory: Multiple vulnerabilities in Oracle Servers
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities in Oracle Application Server have recently ... Oracle Application Server includes a web server based on the Apache ... VU#500203 - Oracle9i Application Server Apache PL/SQL module ...
      (Securiteam)