Oracle Character Conversion Bugs (#NISR2122004G)

From: NGSSoftware Insight Security Research (nisr_at_NEXTGENSS.COM)
Date: 12/23/04

    Date: Thu, 23 Dec 2004 16:31:16 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Oracle 10g character conversion bug
    Systems Affected: Oracle 10g/AS on all operating systems
    Severity: High risk
    Vendor URL: http://www.oracle.com/
    Author: David Litchfield [ davidl at ngssoftware.com ]
    Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
    Date of Public Advisory: 23rd December 2004
    Advisory number: #NISR2122004G
    Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt

    Description
    ***********
    Due to character conversion problems between Oracle Application Server and
    Oracle 10g, it is possible to bypass the PL/SQL gateway's exclusion list and
    gain access to the database server as SYS.

    Details
    *******
    There is a character conversion bug in 10g that can lead to a compromised
    backend database server. Both Windows and Linux are affected. Consider the
    following setup: an Oracle HTTP Server (running Apache 1.3.22 on Windows)
    using the PL/SQL module feeds into a 10g box running on Windows and a 10g box
    running on Linux. The character set for both instances is WE8ISO8859P1. When
    the app server receives a request of

    http://server/pls/windad/%FF%FF%FF%FF%FF

    the %FFs are converted to the byte 0xFF (as expected), but sniffing the
    database's response to the app server shows

    "ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be
    declared....."

    10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59, that
    is, an uppercase Y. Because of this conversion an attacker can request

    http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users

    and gain access to "banned" and dangerous procedures. The character set for
    the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1.

    If, however, the character set on the HTTP Server is set to
    ENGLISH_UNITEDKINGDOM.WE8MSWIN1252, the 0xFF is still converted to 0x59, and
    in addition, when

    http://server/pls/windad/%9F%9F%9F%9F%9F%9F

    is requested, the _app_server_ (note: not 10g) converts each %9F to a Y. This
    again allows the following request

    http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users

    again giving access to the "banned" and dangerous procedures.

    Other character sets and scenarios may cause similar problems.
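    The following Python, an added example that is not part of the advisory or
    of Oracle's code, models the two observations above and the gateway-side
    check that defeats them: an exclusion list must be compared against the
    identifier only after the same character folding the database applies, and
    identifiers carrying non-ASCII bytes should be refused outright because other
    character sets may fold differently. LOSSY_MAP and EXCLUDED are assumptions
    modelled on the advisory's observations, not Oracle's conversion tables or
    real exclusion list.

```python
from urllib.parse import unquote_to_bytes

# Assumption modelled on the advisory, not Oracle's real conversion tables:
# 0xFF (WE8ISO8859P1) is folded to 'Y' by the 10g server, and
# 0x9F (WE8MSWIN1252) is folded to 'Y' by the app server.
LOSSY_MAP = {0xFF: "Y", 0x9F: "Y"}

# Hypothetical stand-in for the PL/SQL gateway's exclusion list.
EXCLUDED = {"SYS", "OWA_UTIL"}


def procedure_segment(url: str) -> bytes:
    """Percent-decoded bytes of the procedure path segment: the text after
    the last '/' and before any '?'."""
    path = url.split("?", 1)[0]
    return unquote_to_bytes(path.rsplit("/", 1)[-1])


def folded_identifier(url: str) -> str:
    """Identifier as the database will see it: apply the lossy byte folding,
    then the upper-casing Oracle applies to unquoted identifiers."""
    raw = procedure_segment(url)
    return "".join(LOSSY_MAP.get(b, chr(b)) for b in raw).upper()


def naive_filter(url: str) -> bool:
    """The bypassed behaviour: compare only the leading schema name exactly
    as received, before any character conversion. True means allowed."""
    schema = procedure_segment(url).split(b".")[0].decode("latin-1").upper()
    return schema not in EXCLUDED


def hardened_filter(url: str) -> bool:
    """Canonicalize first and check every dotted component, then refuse any
    identifier with bytes >= 0x80 as defence in depth against character sets
    this model does not cover. True means allowed."""
    folded = folded_identifier(url)
    if any(part in EXCLUDED for part in folded.split(".")):
        return False  # S\xffS folds to SYS and is caught here
    return not any(b >= 0x80 for b in procedure_segment(url))


if __name__ == "__main__":
    # Request taken from the advisory's own example.
    req = ("http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT"
           "?P_THEQUERY=select+username+from+all_users")
    print(folded_identifier(req))                   # SYS.OWA_UTIL.CELLSPRINT
    print(naive_filter(req), hardened_filter(req))  # True False
```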

    Fix Information
    ***************
    A patch (#68) was released for this problem by Oracle. See
    http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
    (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether
    your Oracle servers are vulnerable to this.

    About NGSSoftware
    *****************
    NGSSoftware designs, researches and develops intelligent, advanced
    application security assessment scanners. Based in the United Kingdom,
    NGSSoftware has offices in the South of London and the East Coast of
    Scotland. NGSSoftware's sister company NGSConsulting offers best-of-breed
    security consulting services, specialising in application, host and network
    security assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com

