full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Team SHATTER Security Advi

[Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

From: Team SHATTER <shatter_at_nospam>
Date: Mon Aug 04 2008 - 16:41:30 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

August 4, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.DBMS_DEFER_SYS package.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592

Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMToACgkQ9EOAcmTuFN3LGQCeK6pvkshjrIqiw8rdmE8tWIdK O9sAnjeSiwasj2U7SpoPhQVvYKyYvUMI
=X2Bp
-----END PGP SIGNATURE-----



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/