PL/SQL Injection in package SYS.DBMS_EXPORT_EXTENSION

Name:             SQL Injection in package SYS.DBMS_EXPORT_EXTENSION
Systems Affected: Oracle Database
Severity:         High Risk
Category:         PL/SQL Injection
Vendor URL:       http://www.oracle.com/
Author:           Alexander Kornbrust (ak at red-database-security.com)
Advisory:         27 Jul 2009 (V 1.00)


Details
The package SYS.DBMS_EXPORT_EXTENSION (GET_DOMAIN_INDEX, GET_DOMAIN_INDEX_TABLES and GET_V2_DOMAIN_INDEX_TABLES) was vulnerable to PL/SQL injection. Oracle fixed this vulnerability with the July 2009 CPU. Oracle had already patched this package once before (Oracle CPU July 2006) to fix a PL/SQL injection. The package dbms_metadata is used by attackers to run OS commands in Oracle via web applications (see code example).

Oracle's previous fix from July 2006 for this PL/SQL injection vulnerability was not complete, and the PL/SQL injection was still exploitable.


Vulnerable Code:
------------dbms_export_extension----------------
FUNCTION GET_DOMAIN_INDEX_METADATA (
    INDEX_NAME   IN  VARCHAR2,
    INDEX_SCHEMA IN  VARCHAR2,
    TYPE_NAME    IN  VARCHAR2,
    TYPE_SCHEMA  IN  VARCHAR2,
    VERSION      IN  VARCHAR2,
    NEWBLOCK     OUT PLS_INTEGER,
    GMFLAGS      IN  NUMBER DEFAULT -1 )
RETURN VARCHAR2 IS
    CRS           INTEGER := DBMS_SQL.OPEN_CURSOR;
    DUMMY         INTEGER;
    RETVAL        INTEGER;
    STMTSTRING    VARCHAR2(32002);
    IDX_VERSION   NUMBER;
    COMPILE_ERROR EXCEPTION;

    PRAGMA EXCEPTION_INIT(COMPILE_ERROR, -6550);
BEGIN
    IF GMFLAGS = -1 THEN
        IDX_VERSION := 1;
        STMTSTRING :=
            'DECLARE ' ||
            'oindexinfo sys.ODCIIndexInfo := sys.ODCIIndexInfo(' ||
            ''''||SYS.DBMS_ASSERT.SCHEMA_NAME(INDEX_SCHEMA)||''','''||
            SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(INDEX_NAME)||''',' ||
            'sys.ODCIColInfoList(), NULL, 0, 0); ' ||
            'BEGIN ' ||
            'SYS.DBMS_ODCI.GetMetadata(oindexinfo,:p1,:p2,:p3,:p4); ' ||
            'END;';
        DBMS_SYS_SQL.PARSE_AS_USER(CRS, STMTSTRING, DBMS_SYS_SQL.V7);
------------dbms_export_extension----------------
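
The excerpt above passes INDEX_SCHEMA and INDEX_NAME through SYS.DBMS_ASSERT before concatenating them into the dynamically parsed block. The following review helper is an added example (not part of the original advisory and not Oracle code): it flags IN VARCHAR2 parameters that reach a || concatenation without such a wrapper. The function DEMO_GET_METADATA and its parameter names are constructed for illustration.

```python
import re

# Constructed sample in the style of the excerpt above; it is NOT Oracle source.
SAMPLE = """
FUNCTION DEMO_GET_METADATA (
  IDX_NAME     IN VARCHAR2,
  IDX_OWNER    IN VARCHAR2,
  HANDLER_NAME IN VARCHAR2,
  NEWBLOCK     OUT PLS_INTEGER )
RETURN VARCHAR2 IS
  STMTSTRING VARCHAR2(32002);
BEGIN
  STMTSTRING :=
    'DECLARE oindexinfo sys.ODCIIndexInfo := sys.ODCIIndexInfo(' ||
    ''''||SYS.DBMS_ASSERT.SCHEMA_NAME(IDX_OWNER)||''','''||
    SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(IDX_NAME)||''',' ||
    'sys.ODCIColInfoList(), NULL, 0, 0); ' ||
    'BEGIN ' || HANDLER_NAME || '.GetMetadata(oindexinfo,:p1,:p2); END;';
"""

# PL/SQL string literal; a doubled quote ('') inside it is an escaped quote.
LITERAL = re.compile(r"'(?:[^']|'')*'")
# A value wrapped in a DBMS_ASSERT call, with or without the SYS. prefix.
ASSERTED = re.compile(r"(?:SYS\.)?DBMS_ASSERT\.\w+\s*\([^()]*\)", re.I)
# Parameter declarations of the form: NAME IN VARCHAR2
PARAM = re.compile(r"(\w+)\s+IN\s+VARCHAR2", re.I)


def unvalidated_concats(plsql):
    """Return IN VARCHAR2 parameters that appear next to a || operator
    without being wrapped in a DBMS_ASSERT call."""
    params = PARAM.findall(plsql)
    code = LITERAL.sub("''", plsql)   # names inside literals are data, not code
    code = ASSERTED.sub("OK", code)   # wrapped uses no longer mention the parameter
    flagged = []
    for name in params:
        n = re.escape(name)
        if re.search(rf"\|\|\s*{n}\b|\b{n}\s*\|\|", code, re.I):
            flagged.append(name.upper())
    return flagged


if __name__ == "__main__":
    print(unvalidated_concats(SAMPLE))
```

This is a triage heuristic for source review: it does not follow parameters that are first copied into local variables, and it does not judge whether the chosen DBMS_ASSERT function is the right one for the context.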

Patch Information
Apply the patches for Oracle CPU Jul 2009.



History
7-jun-2007 Bugs reported
15-jul-2009 Oracle published CPU January 2009
27-jul-2009 Advisory published



© 2009 by Red-Database-Security GmbH - last update 27-jul-2009