July 15th, 2008
David Litchfield on details of one of the critical vulnerabilities from the latest Oracle patch
More details coming out on the Oracle patches that were released last week, see Ryan Naraine’s write up here. David Litchfield, noted security researcher from NGSSoftware, released details of one of the vulnerabilities on the Full-Disclosure email list today, and the details are staggering. The flaw allows potential unauthenticated remote exploitation resulting in full control of the database server. One thing that I think is key to note here is that this vulnerability was reported in October of 2007 and is just now getting patched in July of 2008. End result is, if you are using Oracle, get patched ASAP.
Read the details below…
Litchfield’s details are provided below:
Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 9.0.4.3, 10.1.2.2, 10.1.4.1
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server.Details
*******
Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.Specifically, the SHOW procedure takes as its 2nd argument the name of a function to execute and this is embedded with a dynamically executed anonymous block of PLSQL without first being sanitized. Because it is a block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL statement, for example, create new users, grant dba privileges, delete or
modify data. This is achieved by wrapping the statement(s) within an “execute immediate” statement and specifying the autonomous_transaction pragma.
-Nate
Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
