

SQL Injection via CTXSYS.DRILOAD in Oracle 8i/9i

Name              SQL Injection via CTXSYS.DRILOAD in Oracle 8i/9i
Systems Affected  Oracle 8i / Oracle 9i (all platforms)
Severity          High Risk
Category          SQL Injection
Vendor URL        http://www.oracle.com
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              15 Apr 2005 (V 1.01)
Advisory          RDS_20040903_1

Details

Any valid database user can become DBA (if CTXSYS is installed) by calling the package DRILOAD
with a specially crafted parameter.
Oracle Database 10g is NOT affected.

Workarounds

Drop the user CTXSYS (if it is not needed) or revoke the PUBLIC grant on CTXSYS.DRILOAD.
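The following audit and hardening statements are an added example, not part of the original advisory. They check whether CTXSYS exists and whether PUBLIC still holds EXECUTE on CTXSYS.DRILOAD, then apply the revoke workaround; run them as SYS or another DBA account on Oracle 8i/9i.

```sql
-- 1. Is the CTXSYS (Oracle Text / interMedia Text) schema installed at all?
--    No row here means the database is not exposed to this issue.
SELECT username, account_status
  FROM dba_users
 WHERE username = 'CTXSYS';

-- 2. Does PUBLIC (i.e. every database user) still have EXECUTE on DRILOAD?
--    A returned row means the workaround has NOT been applied yet.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE owner      = 'CTXSYS'
   AND table_name = 'DRILOAD'
   AND grantee    = 'PUBLIC';

-- 3. Workaround from the advisory: remove the PUBLIC grant so only
--    explicitly authorised accounts can call the package.
REVOKE EXECUTE ON ctxsys.driload FROM PUBLIC;

-- 4. Re-run the check from step 2; it must now return no rows.
SELECT COUNT(*) AS public_execute_grants
  FROM dba_tab_privs
 WHERE owner      = 'CTXSYS'
   AND table_name = 'DRILOAD'
   AND grantee    = 'PUBLIC';

-- Alternative from the advisory, only if Oracle Text is not used anywhere:
-- dropping the schema removes the vulnerable package together with all
-- text indexes and any application objects that depend on them.
-- DROP USER ctxsys CASCADE;
```

Keep the step 2 query in your periodic privilege audit, since re-running the Oracle Text installation scripts can restore the PUBLIC grant.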

Patch Information

Please see MetaLink Document ID 281189.1 for the patch download procedures and for the Patch Availability Matrix for this Oracle Security Alert.


http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1

History:

5 January 2004     Oracle was informed
6 January 2004     Bug confirmed
31 August 2004     Oracle published alert 68

References:

http://www.idefense.com/application/poi/display?id=136&type=vulnerabilities
http://www.us-cert.gov/cas/techalerts/TA04-245A.html

About Red-Database-Security GmbH

Red-Database-Security GmbH is a specialist in Oracle Security.

http://www.red-database-security.com/

info at red-database-security.com

(c) 2004 by Red-Database-Security GmbH