full-disclosure-uk January 2009 archive

Re: [Full-disclosure] Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2

From: <sexyazngrl69_at_nospam>
Date: Wed Jan 14 2009 - 00:32:23 GMT
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, davidl@ngssoftware.com



afaik, no one cares about oracle.

retarded blind scavengers make careers selling fallen, rotten, previously low hanging fruit.

<3 2 n3td3v

Tue, 13 Jan 2009 15:52:02 -0800 David Litchfield <davidl@ngssoftware.com> wrote:
>NGSSoftware Insight Security Research Advisory
>
>Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL
>Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2)
>Severity: High
>Vendor URL: http://www.oracle.com/
>Author: David Litchfield [ davidl@ngssoftware.com ]
>Reported: 23rd July 2008
>Date of Public Advisory: 13th January 2009
>Advisory number: #NISR13012009
>CVE: CVE-2008-3979
>
>Overview
>********
>Oracle has just released a fix for a flaw that, when exploited, allows a low
>privileged authenticated database user to gain MDSYS privileges. This can be
>abused by an attacker to perform actions as the MDSYS user.
>
>Details
>*******
>MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the
>Oracle Spatial Application. It is vulnerable to SQL injection. When a user
>drops a table the trigger fires. The name of the table is embedded in a
>dynamic SQL query which is then executed by the trigger. Note that the
>Oracle advisory states that the attacker requires the DROP TABLE and CREATE
>PROCEDURE privileges. This is not the case and only CREATE SESSION
>privileges are required.
>
>Fix Information
>***************
>Oracle was alerted to this flaw on the 23rd July 2008. A patch has now been
>made available:
>
>http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
>
>NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner
>designed specifically for Oracle, can be used to accurately determine
>whether your servers are vulnerable to these flaws. More information about
>NGSSQuirreL for Oracle can be found here:
>
>http://www.ngssoftware.com/products/database-security/ngs-squirrel-oraclephp
>
>About NGSSoftware
>*****************
>NGSSoftware, an NCC Group Company, develops vulnerability assessment and
>compliancy tools for database servers including Oracle, Microsoft SQL
>Server, DB2, Sybase and Informix. Headquartered in the United Kingdom NGS
>has offices in London, St. Andrews (UK), Brisbane, and Perth (Australia) and
>Seattle in the United States; NGS provide services to some of the largest
>and most demanding organizations around the globe.
>
>http://www.ngssoftware.com/
>Telephone +44 208 401 0070
>Fax +44 208 401 0076
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
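The pattern the quoted advisory describes (a DROP trigger that embeds the dropped table's name in dynamic SQL, executed with the trigger owner's privileges) is shown below beside a corrected form. This is an added illustration, not part of the original thread and not the source of MDSYS.SDO_TOPO_DROP_FTBL, which the advisory does not reproduce; the table topo_meta and the triggers demo_drop_unsafe and demo_drop_safe are hypothetical names.

```sql
-- Added illustration; topo_meta and both demo_drop_* triggers are hypothetical.
-- Creating a trigger ON DATABASE needs the ADMINISTER DATABASE TRIGGER privilege.

CREATE TABLE topo_meta (
  owner      VARCHAR2(128),
  table_name VARCHAR2(128)
);

-- Weak form: the dropped table's name becomes part of the statement text.
-- The name is chosen by whoever created the table, so it is untrusted input,
-- and the resulting statement runs with the trigger owner's privileges.
CREATE OR REPLACE TRIGGER demo_drop_unsafe
BEFORE DROP ON DATABASE
BEGIN
  IF ora_dict_obj_type = 'TABLE' THEN
    EXECUTE IMMEDIATE
      'DELETE FROM topo_meta WHERE table_name = ''' || ora_dict_obj_name || '''';
  END IF;
END;
/

-- Corrected form: the statement text is a constant and the owner and table
-- name travel as bind values, so they are only ever compared as data.
CREATE OR REPLACE TRIGGER demo_drop_safe
BEFORE DROP ON DATABASE
DECLARE
  v_owner VARCHAR2(128) := ora_dict_obj_owner;
  v_name  VARCHAR2(128) := ora_dict_obj_name;
BEGIN
  IF ora_dict_obj_type = 'TABLE' THEN
    EXECUTE IMMEDIATE
      'DELETE FROM topo_meta WHERE owner = :o AND table_name = :t'
      USING v_owner, v_name;
  END IF;
END;
/

-- A bind cannot stand in for an identifier. Where the name has to appear as
-- one, DBMS_ASSERT.ENQUOTE_NAME(v_name, FALSE) double-quotes it and raises an
-- error if the name contains an embedded double quote.
```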