Details Oracle Critical Patch Update October 2005 - V1.07

After analyzing the new packages provided by patch 4579182 for Oracle 10.1.0.4 on Windows, I could identify the following vulnerabilities and was able to match most of the database vulnerabilities with the DBxx numbers from Oracle. I cannot guarantee that all my assumptions concerning the vulnerabilities are correct.

Up to now I have not been able to identify the following Vuln# from Oracle: DB01 (sys.standard), DB04 (dbms_cdc_subscribe), DB10 (sys.utl_i18n), DB13 (map methods), DB14 (Intelligent Agent), DB16 (Oracle Network Services), DB26 (Programmatic interface), DB28 (sys.it), DB29 (sys.lt_ctx_pkg).

Oracle itself uses a different vulnerability naming convention. If a single package (such as MD2) contains several different vulnerabilities spread across several of its procedures and functions, Oracle counts this as just one bug.
On 31-oct-2005 I reported 25 security issues in Oracle CPU October and Oracle 10g Rel. 2 to Oracle.

--- NEW --- NEW --- NEW --- NEW --- NEW --- NEW --- NEW

On 7-nov-2005 Oracle Global Product Support sent a message to all customers using Oracle Enterprise Manager asking them to download and re-apply Oracle CPU October.

On 8-nov-2005 David Litchfield posted a message on Bugtraq that the database patches for Oracle CPU October are buggy again. A few hours later Oracle Global Product Support sent an email to all customers describing the additional steps that are necessary if the patch was downloaded before 9-nov-2005.

Extract of Oracle's email to their customers:

[...]
1) Go to the patch directory and execute the following steps. For e.g. if $ORACLE_HOME/Patch/4560405 is the patch directory, then:

# cd $ORACLE_HOME/Patch/4560405
# $ORACLE_HOME/bin/sqlplus "/as sysdba"
SQL> shutdown
SQL> startup
SQL> ALTER SYSTEM ENABLE RESTRICTED SESSION;
SQL> @ctxcpu.sql
SQL> ALTER SYSTEM DISABLE RESTRICTED SESSION;

2) You can check for any invalid objects by executing following statement:
SQL> select OBJECT_NAME from DBA_OBJECTS where status = 'INVALID';

3) If you get any invalid objects returned from the above query, compile the invalid objects using the following commands:

# cd $ORACLE_HOME/rdbms/admin
# $ORACLE_HOME/bin/sqlplus "/as sysdba"
SQL> @utlrp.sql

Similarly, if you rollback the patch in the future, repeat the steps above to complete the de-installation after executing the Post-deinstallation steps as described in the Readme.html file.
Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.


[...]
--- NEW --- NEW --- NEW --- NEW --- NEW --- NEW --- NEW

| Package | Function/Procedure | Granted to | Vulnerability / Change |
|---|---|---|---|
| KUPW$WORKER | MAIN | PUBLIC | Buffer Overflow when using multi-byte characters |
| KUPW$WORKER | RECREATE_DDL | PUBLIC | Buffer Overflow when using multi-byte characters |
| KUPM$MCP | METADATA_FILTER | PUBLIC | Buffer Overflow |
| KUPF$FILE | GETJOBINFOR | PUBLIC | SQL Injection |
| KUPF$FILE | ADD_TDX_ROW_CB | PUBLIC | SQL Injection |
| KUPF$FILE | NEWEXPFILE | PUBLIC | Vulnerability Filename (DB07) |
| KUPF$FILE | NEWIMPFILE | PUBLIC | Vulnerability Filename (DB07) |
| KUPF$FILE | NEWWILDCARD | PUBLIC | Vulnerability Filename (DB07) |
| DBMS_STATS | EXECUTE_COUNT_LSCALABLE_VALUES | PUBLIC | SQL Injection |
| DBMS_METADATA_INT | FETCH_VIEW_ERRORS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | FETCH_FILTERS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | FETCH_VIEWS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | FETCH_COMMON | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | SET_TABLE_FILTERS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | SET_MULTI_TABLE_FILTERS | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | DO_SUBST_FILTER | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | SUBST_FILTER | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | APPEND_FILTER_TEXT | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | GET_STMT_QUERY | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | NEW_SYSTEM_TRANSFORM_ENTRY | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_EXPORT_EXTENSION | GET_DOMAIN_INDEX_METADATA | | SQL Injection (DB09) |
| DBMS_EXPORT_EXTENSION | GET_DOMAIN_INDEX_TABLES | | SQL Injection (DB09) |
| DBMS_EXPORT_EXTENSION | GET_V2_DOMAIN_INDEX_TABLES | | SQL Injection (DB09) |
| DBMS_LOGSTDBY | SKIP_TRANSACTION | | Parameter Validation issue (DB06) |
| DBMS_LOGSTDBY | UNSKIP_TRANSACTION | | Parameter Validation issue (DB06) |
| DBMS_CDC_IMPDP | IMPORT_CHANGE_TABLE | PUBLIC | Parameter Validation issue (DB03, DB02) |
| DBMS_CDC_DPUTIL | VALID_TABLE | PUBLIC | Parameter Validation issue (DB05) |
| CWM2_OLAP_AW_AWUTIL | GETTOKENATINDEX | | Buffer Overflow |
| CWM2_OLAP_AW_AWUTIL | OPENFILE | | Buffer Overflow |
| CWM2_OLAP_AW_AWUTIL | OPENDEBUGFILE | | Buffer Overflow |
| CWM2_OLAP_AW_AWUTIL | PARSELIMITMAP | | Buffer Overflow |
| SDO_GEOM | RELATE | | Buffer Overflow |
| SDO_GEOR_UTL | CREATEDMLTRIGGER | | SQL Injection |
| MD2 | INTERACT | | Buffer Overflow (DB22) |
| MD2 | RELATE | | Buffer Overflow (DB22) |
| MD2 | TESSELLATE | | Buffer Overflow (DB22) |
| MD2 | TESSELLATE | | SQL Injection (DB22) |
| MD2 | TESSELLATE_FIXED | | Buffer Overflow (DB22) |
| MD2 | TESSELLATE_FIXED | | SQL Injection (DB22) |
| MD2 | SDO_READ_LAYER | | Buffer Overflow (DB22) |
| MD2 | TEST_LOADGEOM | | Buffer Overflow (DB22) |
| SDO_IDX | IMP_EXP | | SQL Injection (DB24) |
| SDO_IDX | CMT_IDX_CHNGS | | SQL Injection (DB24) |
| SDO_PRIDX | GEN_RID_RANGE_BY_AREA | | SQL Injection (DB21) |
| SDO_PRIDX | GEN_RID_RANGE | | SQL Injection (DB25) |
| RTREE_IDX | INDEX_TRUNCATE | | SQL Injection (DB23) |
| RTREE_IDX | POPULATE_ROOT_MBRS | | SQL Injection (DB23) |
| SAMCLUST_IMP_T | ODCITABLESTART | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | PREDICATED_JOIN | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | BEST_AGGREGATE_LOCATIONS | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | SIMPLIFY_GEOMETRY | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | BIN_GEOMETRY | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | BIN_LAYER | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | AGGREGATES_FOR_GEOMETRY | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | AGGREGATES_FOR_LAYERS | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | TILED_AGGREGATES | | SQL Injection (DB20) |
| MDPRVT_IDX | EXECUTE_INSERT | | SQL Injection |
| MDPRVT_IDX | EXECUTE_DELETE | | SQL Injection |
| MDPRVT_IDX | EXECUTE_UPDATE | | SQL Injection |
| MDPRVT_IDX | EXECUTE_GUPDATE | | SQL Injection |
| MDPRVT_IDX | CRT_DUMMY_IDX | | SQL Injection |
| MDPRVT_IDX | EXCHANGE | | SQL Injection |
| SDO_TPIDX | INDEX_UPDATE | | SQL Injection |
| SDO_TPIDX | INDEX_INSERT | | SQL Injection |
| SDO_TPIDX | INDEX_DELETE | | SQL Injection |
| | ODCIINDEXSPLITPARTITION | | SQL Injection |
| SDO_TUNE | AVG_DELTAS_FOR_LAYER | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF_LAYERS | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TILING_LEVEL | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF | | SQL Injection (DB17) |
| SDO_TUNE | AVERAGE_MBR | | SQL Injection (DB17) |
| SDO_TUNE | HISTOGRAM_ANALYSIS | | SQL Injection (DB17) |
| SDO_TUNE | MIX_INFO | | SQL Injection (DB17) |
| SDO_TUNE | SETUP_TEMP_LAYER | | SQL Injection (DB17) |
| SDO_TUNE | SAMPLE_GEOMS | | SQL Injection (DB17) |
| SDO_TUNE | CLEANUP_TEMP_LAYER | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TILING_TIME | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TOTAL_NUMTILES | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_INDEX_PERFORMANCE | | SQL Injection (DB17) |
| SDO_TUNE | AVG_DELTAS_OF_OBJECTS | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF_OBJECTS | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TILING_LEVEL | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF | | SQL Injection (DB17) |
| SDO_TUNE | AVERAGE_MBR | | SQL Injection (DB17) |
| SDO_TUNE | SETUP_TEMP_TABLE | | SQL Injection (DB17) |
| SDO_TUNE | SAMPLE_GEOMS | | SQL Injection (DB17) |
| SDO_TUNE | CLEANUP_TEMP_TABLE | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_RTREE_INDEX_SIZE | | SQL Injection (DB17) |
| SDO_UTIL | PREPARE_FOR_TTS | | SQL Injection (DB18) |
| | SDO_JOIN | | SQL Injection (DB19) |
| PBSDE | INIT | PUBLIC | Buffer Overflow (DB27) + Exploit. Workaround - use at own risk!!!: `revoke execute on sys.pbsde from public;` |
| dbms_snapshot | unregister_mview | PUBLIC | Buffer Overflow (DB11) |
| dbms_snapshot | register_mview | PUBLIC | Buffer Overflow (DB11) |
| dbms_snapshot | unregister_snapshot | PUBLIC | Buffer Overflow (DB12) |
| dbms_snapshot | register_snapshot | PUBLIC | Buffer Overflow (DB12) |
| dbms_snapshot_utl | unregister_snapshot | PUBLIC | Buffer Overflow (DB12) |
| dbms_snapshot_utl | register_snapshot | PUBLIC | Buffer Overflow (DB12) |
| lbac_sysdba (LABEL Security) | | | Buffer Overflow (DB15) |
| dbms_scheduler | | PUBLIC | Escalate privileges after running a job (DB08) |
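The following SQL is an added verification script, not part of the original page or of Oracle's patch instructions. Run as SYSDBA, it combines the two things a DBA wants to check after applying this CPU: the invalid-object check from Oracle's email above, extended with owner and object type so that a broken CTXSYS or MDSYS schema stands out, and a list of the packages that the "Granted to" column marks as PUBLIC that are still executable by every user. Package names come from the table; DBA_OBJECTS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS are standard Oracle data-dictionary views.

```sql
-- 1) Invalid objects after the patch, grouped by owner and type.
--    Oracle's own check only lists OBJECT_NAME; grouping by owner makes
--    a half-applied ctxcpu.sql (CTXSYS) or spatial patch (MDSYS) obvious.
SELECT owner, object_type, COUNT(*) AS invalid_count
  FROM dba_objects
 WHERE status = 'INVALID'
 GROUP BY owner, object_type
 ORDER BY owner, object_type;

-- 2) Packages listed above with "Granted to" = PUBLIC that are still
--    executable by PUBLIC. After the page's workaround
--    "revoke execute on sys.pbsde from public;" the PBSDE row must be gone.
--    No owner filter: the list mixes SYS packages with MDSYS/OLAPSYS ones.
SELECT owner, table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('KUPW$WORKER', 'KUPM$MCP', 'KUPF$FILE', 'DBMS_STATS',
                      'DBMS_CDC_IMPDP', 'DBMS_CDC_DPUTIL', 'PBSDE',
                      'DBMS_SNAPSHOT', 'DBMS_SNAPSHOT_UTL', 'DBMS_SCHEDULER')
 ORDER BY owner, table_name;

-- 3) Who can reach the DBMS_METADATA_INT bugs: every user or role that
--    holds EXECUTE_CATALOG_ROLE, the grantee named in the table above.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'EXECUTE_CATALOG_ROLE'
 ORDER BY grantee;
```

Query 1 should return no rows once utlrp.sql has run cleanly; queries 2 and 3 are an inventory for risk assessment, not a recommendation to revoke anything beyond the PBSDE workaround the page itself gives.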


References


History
  • 9-nov-2005 - 1.07 - Problems with ctxsys & 8.1.7.4 and 9i Rel. 1 added
  • 2-nov-2005 - 1.06 - History and References added

2005 by Red-Database-Security GmbH - last update 09-nov-2005

Oracle Patch Policy

Vulnerability Fixing Order of Oracle Vulnerabilities

  • Main line of Code
  • New Products (e.g. 10g Rel. 2)
  • Patchsets for older products (e.g. 9.2.0.7)
  • Critical Patch Update

More information available on Oracle OTN:

Security Vulnerability Fixing Policy and Process