full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Trigger Abuse of MDSYS

Re: [Full-disclosure] Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2

From: Pete Licoln <pete.licoln_at_nospam>
Date: Wed Jan 14 2009 - 00:38:39 GMT
To: full-disclosure@lists.grok.org.uk


stfu .

2009/1/13 <sexyazngrl69@mac.hush.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> afaik, no one cares about oracle.
>
> retarded blind scavengers make careers selling fallen, rotten,
> previously low hanging fruit.
>
> <3 2 n3td3v
>
> > Tue, 13 Jan 2009 15:52:02 -0800 David Litchfield
> <davidl@ngssoftware.com> wrote:
> >NGSSoftware Insight Security Research Advisory
> >
> >Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL
> >Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2)
> >Severity: High
> >Vendor URL: http://www.oracle.com/
> >Author: David Litchfield [ davidl@ngssoftware.com ]
> >Reported: 23rd July 2008
> >Date of Public Advisory: 13th January 2009
> >Advisory number: #NISR13012009
> >CVE: CVE-2008-3979
> >
> >Overview
> >********
> >Oracle has just released a fix for a flaw that, when exploited,
> >allows a low
> >privileged authenticated database user to gain MDSYS privileges.
> >This can be
> >abused by an attacker to perform actions as the MDSYS user.
> >
> >Details
> >*******
> >MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of
>
> >the
> >Oracle Spatial Application. It is vulnerable to SQL injection.
> >When a user
> >drops a table the trigger fires. The name of the table is embedded
>
> >in a
> >dynamic SQL query which is then executed by the trigger. Note that
>
> >the
> >Oracle advisory states that the attacker requires the DROP TABLE
> >and CREATE
> >PROCEDURE privileges. This is not the case and only CREATE SESSION
>
> >
> >privileges are required.
> >
> >Fix Information
> >***************
> >Oracle was alerted to this flaw on the 23rd July 2008. A patch has
>
> >now been
> >made available:
> >
> >http://www.oracle.com/technology/deploy/security/critical-patch-
> >updates/cpujan2009.html
> >
> >NGSSQuirreL for Oracle, an advanced vulnerability assessment
> >scanner
> >designed specifically for Oracle, can be used to accurately
> >determine
> >whether your servers are vulnerable to these flaws. More
> >information about
> >NGSSQuirreL for Oracle can be found here:
> >
> >http://www.ngssoftware.com/products/database-security/ngs-squirrel-
>
> >oraclephp
> >
> >About NGSSoftware
> >*****************
> >NGSSoftware, an NCC Group Company, develops vulnerability
> >assessment and
> >compliancy tools for database servers including Oracle, Microsoft
> >SQL
> >Server, DB2, Sybase and Informix. Headquartered in the United
> >Kingdom NGS
> >has offices in London, St. Andrews (UK), Brisbane, and Perth
> >(Australia) and
> >Seattle in the United States; NGS provide services to some of the
> >largest
> >and most demanding organizations around the globe.
> >
> >http://www.ngssoftware.com/
> >Telephone +44 208 401 0070
> >Fax +44 208 401 0076
> >
> >--
> >E-MAIL DISCLAIMER
> >
> >The information contained in this email and any subsequent
> >correspondence is private, is solely for the intended recipient(s)
>
> >and
> >may contain confidential or privileged information. For those
> >other than
> >the intended recipient(s), any disclosure, copying, distribution,
> >or any
> >other action taken, or omitted to be taken, in reliance on such
> >information is prohibited and may be unlawful. If you are not the
> >intended recipient and have received this message in error, please
> >inform the sender and delete this mail and any attachments.
> >
> >The views expressed in this email do not necessarily reflect NGS
> >policy.
> >NGS accepts no liability or responsibility for any onward
> >transmission
> >or use of emails and attachments having left the NGS domain.
> >
> >NGS and NGSSoftware are trading names of Next Generation Security
> >Software Ltd. Registered office address: Manchester Technology
> >Centre,
> >Oxford Road, Manchester, M1 7EF with Company Number 04225835 and
> >VAT Number 783096402
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkltMpcACgkQynWwk3/AtyOsbgP+LVLiKWqeGvuu/kFnm7sQXic8l5k1
> 9RYQ902ygOS4Nt67IkUgFgZBeTsN25d0mkH0hZDHulhTJOPNFGxwLuRVbXBF89JwjCO7
> faHEhS73TGVmm3TnUTm1ZGEg1dto36LomtrR/H1YMmMnY41RCoK1ycj8QeEFfOFiuK/v
> AKEkLFw=
> =Y0II
> -----END PGP SIGNATURE-----
>
> --
> Dreaming of a career in Medical Administration? Click here to make your
> dream career a reality.
>
> http://tagline.hushmail.com/fc/PnY6qxukq5RffaxISSWG6OsKAmNS1Ot26fn4GDJCCtUikCP599Qla/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/