Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
[VulnWatch] [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server
From: SHATTER (Application Security, Inc.) (vrathodappsecinc.com)
Date: Thu Sep 02 2004 - 09:37:28 CDT
AppSecInc Advisory: Multiple vulnerabilities in Oracle Database Server
August 31, 2004
Detailed Information Provided Online At:
These vulnerabilities were researched and discovered by Cesar Cerrudo
and Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
Multiple buffer overflow and denial of service (DoS) vulnerabilities
exist in the Oracle Database Server which allow database users to take
complete control over the database and optionally cause denial of service.
The official advisory from Oracle Corporation can be obtained from:
#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of
#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of
#3 - Buffer overflow in public function INSTANTIATE_ONLINE of
#4 - Buffer overflow on "gname" parameter on procedures of Replication
Management API Packages
#5 - Buffer overflow on "sname" and "oname" parameters on procedures of
#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT
#7 - Buffer overflow on "gowner" parameter on procedures of the
#8 - Buffer overflow on "operation" parameter on procedures of
#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT
#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of
#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and
UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
#12 - Buffer overflow in functions INSTANTIATE_OFFLINE,
INSTANTIATE_ONLINE and procedure DROP_SITE_INSTANTIATION of
#13 - Buffer overflow on TEMPFILE parameter
#14 - Buffer overflow on LOGFILE parameter
#15 - Buffer overflow on CONTROLFILE parameter
#16 - Buffer overflow on FILE parameter
#17 - Buffer overflow in Interval Conversion Functions
#18 - Buffer overflow in String Conversion Function
#19 - Buffer overflow in CTX_OUTPUT Package Function
#21 - Buffer overflow on DATAFILE parameter
#22 - Buffer overflow in DBMS_SYSTEM package function
#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
#25 - Buffer overflow on procedures of the Replication Management API
#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus
#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of
#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of
#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of
#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS
#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of
#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of
#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of
#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of
#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT package
#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF
#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN package
#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
To determine if you are vulnerable, please download AppDetective from:
Exploitation of these vulnerabilities will allow an attacker to
completely compromise the OS and the database if Oracle is running on
Windows platform, because Oracle must run under the local System account
or under an administrative account. If Oracle is running on *nix then
only the database would be compromised because Oracle runs mostly under
oracle user which has restricted permissions.
-Check packages permissions and remove public permissions. Set minimal
permissions that fit your needs.
-Restrict users to execute PL/SQL statements directly over the server.
-Periodically audit user permissions on all database objects.
-Lock users that aren't used.
-Change default passwords.
-Keep Oracle up to date with patches.
Vendor was contacted and has released fixes.
Esteban Martinez Fayo of Application Security, Inc. (www.appsecinc.com)
discovered all of the following issues:
Cesar Cerrudo of Application Security, Inc. (www.appsecinc.com)
discovered all of the following issues: #13,#14,#15,#16,#17,#18,#19,#21,#22
Application Security, Inc.
Application Security, Inc.
AppSecInc is the leading provider of database security solutions for
the enterprise. AppSecInc products proactively secure enterprise
applications at more than 200 organizations around the world by
discovering, assessing, and protecting the database against rapidly
changing security threats. By securing data at its source, we enable
organizations to more confidently extend their business with
customers, partners and suppliers. Our security experts, combined
with our strong support team, deliver up-to-date application
safeguards that minimize risk and eliminate its impact on business.