[NEWS] Oracle Database Buffer Overflow (VERIFY_LOG)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 27 Apr 2006 14:03:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Oracle Database Buffer Overflow (VERIFY_LOG)
------------------------------------------------------------------------
SUMMARY
Oracle Database Server provides the DBMS_SNAPSHOT_UTL package, which
includes the capability to manage materialized views. This package contains
the public procedure VERIFY_LOG, which is vulnerable to a buffer overflow.
DETAILS
Vulnerable Systems:
* Oracle Database Server version 10gR1.
By default, EXECUTE permission on DBMS_SNAPSHOT_UTL is granted to PUBLIC,
so any Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary
code. It can also be exploited to cause a DoS (Denial of Service) by killing
the Oracle server process.
Vendor Status:
Vendor was contacted and a Critical Patch Update was released.
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html
Workaround:
Restrict access to the DBMS_SNAPSHOT_UTL package:
http://www.argeniss.com/research/Workaround-ADV-040603.sql
-- WARNING: This workaround may cause your application to work incorrectly
-- if it depends (directly or indirectly) on any of the affected database
-- objects.
-- REVOKE_EXECUTE_PRIV: This procedure revokes all the EXECUTE privileges
-- granted to the database object identified by the parameters P_OWNER and
-- P_OBJECT_NAME.
CREATE OR REPLACE PROCEDURE REVOKE_EXECUTE_PRIV (P_OWNER IN VARCHAR2,
    P_OBJECT_NAME IN VARCHAR2) AUTHID CURRENT_USER IS
  -- Select only EXECUTE grants, so a grantee that holds a different
  -- privilege on the object (for example DEBUG) is not passed to
  -- REVOKE EXECUTE, which would raise an error and stop the loop.
  CURSOR my_cur IS
    SELECT grantee FROM dba_tab_privs
     WHERE owner = P_OWNER AND table_name = P_OBJECT_NAME
       AND privilege = 'EXECUTE';
BEGIN
  FOR my_rec IN my_cur
  LOOP
    DBMS_OUTPUT.PUT_LINE ('Revoking EXECUTE privilege from ' ||
      my_rec.grantee);
    EXECUTE IMMEDIATE 'REVOKE EXECUTE ON ' || P_OWNER || '.' ||
      P_OBJECT_NAME || ' FROM ' || my_rec.grantee || ' FORCE';
  END LOOP;
END REVOKE_EXECUTE_PRIV;
/
-- To remove all execute privileges granted on vulnerable objects execute
-- this PL/SQL:
BEGIN
  REVOKE_EXECUTE_PRIV ('SYS', 'DBMS_SNAPSHOT_UTL');
END;
/
-- To remove execute privilege granted only to PUBLIC role on vulnerable
-- objects execute this PL/SQL:
REVOKE EXECUTE ON SYS.DBMS_SNAPSHOT_UTL FROM PUBLIC FORCE;
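An audit to run before and after the workaround above, added here as an example (it is not part of the Argeniss script or the original advisory). It uses only the standard DBA_TAB_PRIVS, DBA_DEPENDENCIES and DBA_OBJECTS dictionary views and assumes a session that is allowed to query them:

```sql
-- Added example: exposure and impact check for SYS.DBMS_SNAPSHOT_UTL.
-- Run once before the REVOKE (to see who is exposed and what may break)
-- and once after it (to confirm the grants are gone and find invalid objects).

-- 1. Current EXECUTE grants on the package. A row with GRANTEE = 'PUBLIC'
--    means every database user can call VERIFY_LOG. After the workaround,
--    this query should return no PUBLIC row (or no rows at all if
--    REVOKE_EXECUTE_PRIV was used).
SELECT grantee,
       grantor,
       grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_SNAPSHOT_UTL'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Stored objects outside SYS that reference the package, with their
--    current compilation status. These are the objects the WARNING in the
--    workaround script refers to: review them before revoking, and look
--    for STATUS = 'INVALID' afterwards.
SELECT d.owner,
       d.name,
       d.type,
       o.status
  FROM dba_dependencies d
  JOIN dba_objects o
    ON o.owner       = d.owner
   AND o.object_name = d.name
   AND o.object_type = d.type
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'DBMS_SNAPSHOT_UTL'
   AND d.owner           <> 'SYS'
 ORDER BY d.owner, d.name;
```

Calls made only through dynamic SQL are not recorded in DBA_DEPENDENCIES, so an empty result from the second query does not rule out an application that uses the package.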
Patch Availability:
Although this security bug is addressed in the Critical Patch Update April
2006, for most of the affected platforms there are no patches available at
this moment. Oracle stated that the missing patches would be available
on 01-May-06.
ADDITIONAL INFORMATION
The original article can be found at:
http://www.argeniss.com/research/ARGENISS-ADV-040603.txt