|
Services
Information
Company |
PL/SQL Injection in package SYS.DBMS_EXPORT_EXTENSION
Details The package SYS.DBMS_EXPORT_EXTENSION (GET_DOMAIN_INDEX, GET_DOMAIN_INDEX_TABLES and GET_V2_DOMAIN_INDEX_TABLES) was vulnerable against a PL/SQL injection vulnerability. Oracle fixed this vulnerabilitiy with the the July 2009 CPU. In the past (Oracle CPU July 2006) this package was already patched from Oracle to fix a PL/SQL Injection. The package dbms_metadata is used by attackers to run OS commands in Oracle via web applications (see Code example) The previous fix from July 2006 for this PL/SQL Injection vulnerability from Oracle was not complete and the PL/SQL Injection was still exploitable. Vulnerable Code: ------------dbms_export_extension---------------- FUNCTION GET_DOMAIN_INDEX_METADATA ( INDEX_NAME IN VARCHAR2, INDEX_SCHEMA IN VARCHAR2, TYPE_NAME IN VARCHAR2, TYPE_SCHEMA IN VARCHAR2, VERSION IN VARCHAR2, NEWBLOCK OUT PLS_INTEGER, GMFLAGS IN NUMBER DEFAULT -1 ) RETURN VARCHAR2 IS CRS INTEGER := DBMS_SQL.OPEN_CURSOR; DUMMY INTEGER; RETVAL INTEGER; STMTSTRING VARCHAR2(32002); IDX_VERSION NUMBER; COMPILE_ERROR EXCEPTION; PRAGMA EXCEPTION_INIT(COMPILE_ERROR, -6550); BEGIN IF GMFLAGS = -1 THEN IDX_VERSION := 1; STMTSTRING := 'DECLARE ' || 'oindexinfo sys.ODCIIndexInfo := sys.ODCIIndexInfo(' || ''''||SYS.DBMS_ASSERT.SCHEMA_NAME(INDEX_SCHEMA)||''','''|| SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(INDEX_NAME)||''',' || 'sys.ODCIColInfoList(), NULL, 0, 0); ' || 'BEGIN ' || 'SYS.DBMS_ODCI.GetMetadata(oindexinfo,:p1,:p2,:p3,:p4); ' || 'END;'; DBMS_SYS_SQL.PARSE_AS_USER(CRS, STMTSTRING, DBMS_SYS_SQL.V7); ------------dbms_export_extension---------------- Patch Information Apply the patches for Oracle CPU Jul 2009. History 7-jun-2007 Bugs reported 15-jul-2009 Oracle published CPU January 2009 27-jul-2009 Advisory published © 2009 by Red-Database-Security GmbH - last update 27-jul-2009 |
