SQL Injection in package DBMS_AQIN [CVE-2009-0992]

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

SQL Injection in package DBMS_AQIN

Name	SQL Injection in package DBMS_AQIN [CVE-2009-0992]
Systems Affected	Oracle 10.1.0.5 - 11.1.0.7
Severity	High Risk
Category	SQL Injection
Vendor URL	http://www.oracle.com/
Author	Alexander Kornbrust (ak at red-database-security.com)
CVE	CVE-2009-0992
Advisory	14 April 2009 (V 1.00)

Details
The package DBMS_AQIN contains a SQL injection vulnerability.

PROCEDURE DEQ_EXEJOB( LOOPVAR OUT BOOLEAN)

[...]

BEGIN

SYS.DBMS_AQIN.AQ$_DEQUEUE_IN(
QUEUE_NAME => 'SYS.AQ_SRVNTF_TABLE_Q',
WAIT => DBMS_AQ.NO_WAIT,
ENQUEUE_TIME => ENQUEUE_TIME,
STATE => STATE,
OUT_MSGID => OUT_MSGID,
OUT_CORRELATION => OUT_CORRELATION,
PRIORITY => PRIORITY,
DELAY => DELAY,
EXPIRATION => EXPIRATION,
ATTEMPTS => ATTEMPTS,
EXCEPTION_QUEUE => EXCEPTION_QUEUE,
REMOTE_RECIPIENTS => REMOTE_RECIPIENT,
SENDER_NAME => SENDER_NAME,
SENDER_ADDR => SENDER_ADDR,
SENDER_PROTOCOL => SENDER_PROTOCOL,
ORIGINAL_MSGID => ORIGINAL_MSGID,
RAW_USER_DATA => RAW_USER_DATA,
OBJECT_USER_DATA => PAYL,
OUT_SIGN => OUT_SIGN);

[...]

PROCSTR := 'begin ' || PAYL.SUB_CALLBACK || '(context => :1,';
PROCSTR := PROCSTR ||'reginfo => sys.aq$_reg_info(:2, :3, :4, :5, :6, :7),';
PROCSTR := PROCSTR ||'descr => sys.aq$_descriptor(:8, :9, :10, sys.msg_prop_t';
PROCSTR := PROCSTR ||'(:11, :12, :13, :14, :15, :16, :17, :18, sys.aq$_agent';
PROCSTR := PROCSTR || '(:19, :20, :21), :22, :23),';
PROCSTR := PROCSTR || ' sys.aq$_ntfn_descriptor(:24))';

Patch Information
Apply the patches for Oracle CPU April 2009.

History
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0992]
14-apr-2009 Advisory published