Buffer Overflow in Oracle Database Server
A vulnerability in Oracle Database Server allows authenticated users to execute arbitrary code on a system with the privileges of the database. Among other things, the flaw can be exploited to manipulate content or conduct further attacks on the underlying operating system. According to iDefense, the cause is a buffer overflow in the procedure XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA, which can be provoked by means of specially crafted OWNER and NAME parameters. When the procedure uses these two parameters to create a SQL query, it unfortunately does not verify their length.
According to the security advisory, attackers do not need any special database privileges to be able to exploit the flaw. On the other hand, a successful attack from a normal account would probably only be possible within a LAN. Version 10 Release 2 is affected, as probably are previous versions. Oracle has been informed of the problem and says it plans to remedy the flaw in an upcoming Critical Patch Update (CPU). There is no workaround. iDefense does not say whether the flaw also affects the latest version 11g.
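Until the patch is applied, one defensive measure is to watch database audit records for calls to the affected procedure whose OWNER or NAME argument is far longer than any legitimate Oracle object name. The following is an added illustration, not code from iDefense or Oracle; the audit-line format, the SAMPLE_LOG entries and the 30-byte identifier limit it checks against are constructed assumptions for this example.

```python
"""Flag calls to XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA whose OWNER or NAME
argument is implausibly long (constructed audit-line format, example only)."""
import re
from dataclasses import dataclass

AFFECTED_PROC = "XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA"
# Assumption: schema and object names in these releases are at most 30 bytes,
# so an OWNER or NAME value longer than that cannot be a real object name.
MAX_IDENT_LEN = 30

# Constructed record format (not Oracle's real audit layout):
#   <timestamp> user=<db user> proc=<package.procedure> args=<key>=<value>;...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+proc=(?P<proc>\S+)\s+args=(?P<args>.*)$"
)

@dataclass
class Finding:
    ts: str
    user: str
    param: str
    length: int

def parse_args(raw):
    """Split 'k=v;k=v' into a dict keyed by upper-cased parameter name."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().upper()] = val
    return out

def scan(lines):
    """Return one Finding per oversized OWNER/NAME argument to the procedure."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("proc").upper() != AFFECTED_PROC:
            continue
        args = parse_args(m.group("args"))
        for param in ("OWNER", "NAME"):
            size = len(args.get(param, "").encode("utf-8"))
            if size > MAX_IDENT_LEN:
                findings.append(Finding(m.group("ts"), m.group("user"), param, size))
    return findings

# Constructed sample records: one benign call, one unrelated call, one oversized OWNER.
SAMPLE_LOG = [
    "2007-05-02T10:01:00 user=SCOTT proc=XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA args=OWNER=SCOTT;NAME=EMP_XML",
    "2007-05-02T10:01:05 user=SCOTT proc=SYS.DBMS_OUTPUT.PUT_LINE args=A=hello",
    "2007-05-02T10:02:11 user=GUEST proc=XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA args=OWNER=" + "A" * 2000 + ";NAME=X",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user}: {f.param} argument of {f.length} bytes to {AFFECTED_PROC}")
```

Feeding real audit data requires mapping Oracle's own audit columns onto the constructed format above; the length check itself is what matters.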
Update:
Database security specialist Alexander Kornbrust writes that an exploit that crashes Oracle 10.2.0.1/10.2.0.2 is already in circulation. According to his description, only "Create Session" privileges are required for the attack to succeed. However, the security patches from the April 2007 CPU reportedly remedied the problem, so users apparently do not need to wait for the next CPU as iDefense claimed.
- Oracle 10g R2 PITRIG_DROPMETADATA Buffer Overflow Vulnerability, iDefense security advisory
(mba)