Oracle Version


(from NGSSoftware Insight Security Research Advisory)

Description

Oracle is the leader in the database market with a 54% market share lead under ERP (Enterprise Resource Planning). The database server is vulnerable to a remotely exploitable buffer overflow vulnerability. The problem exists with database links; functionality that allows the querying of one Oracle database server from another.

Details

A classic stack based buffer overflow vulnerability exists in the Oracle database server that can be set up for exploitation by providing an overly long parameter for a connect string with the 'CREATE DATABASE LINK' query:

CREATE DATABASE LINK ngss
CONNECT TO hr
IDENTIFIED BY hr
USING 'longstring'

By default, the 'CREATE DATABASE LINK' privilege is assigned to the CONNECT role and as most Oracle accounts are assigned membership of this role even low privileged accounts such as SCOTT and ADAMS can create database links. By creating a specially crafted database link and then by selecting from the link:

select * from table@ngss

the overflow can be triggered, overwriting the saved return address on the stack. This allows an attacker to gain control of the Oracle process' path of execution and permits the execution of arbitrary, user supplied code. Any code supplied would run in the security context of the account running the Oracle database server. On unix based systems this is typically the 'oracle' user and on Windows the local SYSTEM user. In the former this allows for a full compromise of the data and in the latter a full compromise of the data and the operating system.

This is a high risk vulnerability and as such should be patched as soon as possible, after a suitable period of testing.

Fix Information

NGSSoftware alerted Oracle to this vulnerability on 30th September 2002. Oracle has reviewed the code and created a patch which is available from:

http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

NGSSoftware advise Oracle database customers to review and install the patch as a matter of urgency.

Further Information

For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf