Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
SQL Injection Vulnerability in Oracle CHECK_DB_PASSWORD

Name SQL Injection Vulnerability in Oracle CHECK_DB_PASSWORD
Systems Affected Oracle APEX
Severity Medium Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
CVE
Date 17 July 2007 (V 1.00)


Details
The function wwv_flow_security.check_db_password contains a SQL injection vulnerability. Oracle is using the ALTER USER command to change the password of a database user.
Oracle forgot to do an input validation of the password (=typical programming fault). APEX 3.0.1 is doing an input validation on the user password.

Old, vulnerable code
FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2) RETURN BOOLEAN IS
BEGIN
IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN
RETURN FALSE;END IF;
BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
L_STMT:= 'ALTER USER "' || P_USER_NAME || '" IDENTIFIED BY "' || P_PASSWORD||'"';
EXECUTE IMMEDIATE L_STMT;


New code

Oracle is now doing a length check of the password (30 characters). Good idea. I'm interested to see if this is changed in 11g where passwords up to 50 characters are allowed.
One part of the input validation is stupid code. If the password contains a chr(34) Oracle throws an error message.
chr(34) is never executed. Even if this code would be executed this could be bypassed quite easily (e.g. chr( 34) or chr(34 ) or chr(35-1) or ...)

FUNCTION CHECK_DB_PASSWORD (P_USER_NAME VARCHAR2, P_PASSWORD VARCHAR2) RETURN BOOLEAN IS
BEGIN
IF P_USER_NAME IS NULL OR P_PASSWORD IS NULL THEN
RETURN FALSE;END IF;
IF LENGTH(P_PASSWORD) > 30 OR INSTR(P_PASSWORD,'"') > 0 OR INSTR(LOWER(P_PASSWORD),'chr(34)') > 0 THEN RETURN FALSE;END IF;

BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
BEGIN
EXCEPTION
WHEN NO_DATA_FOUND THEN RETURN FALSE;END;
L_STMT:= 'ALTER USER "' || P_USER_NAME || '" IDENTIFIED BY "' || P_PASSWORD||'"';
EXECUTE IMMEDIATE L_STMT;



Affected Products
This bug is fixed with 3.0.1 of APEX which is not part of the Critical Patch Update July 2006. It's necessary to upgrade your APE installation to 3.0.1 or higher. Apex 3.0.1 is compatible with Oracle Application Express.

Patch Information
This bug is fixed with Apex 3.0.1 or higher.



History
07-may-2007 Oracle secalert was informed
07-may-2007 Bug confirmed
29-jun-2007 Oracle released APEX 3.0.1
17-jul-2007 Oracle published CPU July 2007 and recommends to update to 3.0.1
17-jul-2007 Red-Database-Security published this advisory



2007 by Red-Database-Security GmbH - last update 17-jul-2007