Integrigy Security Advisory
______________________________________________________________________
Oracle Database Function Buffer Overflows and SQL Injection Attacks
February 17, 2004
______________________________________________________________________
Summary:
The short-term future of SQL injection attacks is exploitation of the numerous buffer overflows in standard Oracle database functions. These buffer overflows greatly reduce the complexity of finding and executing SQL injection attacks against web applications. The new attack paradigm will be to simply test repeatedly a few attack strings and wait for a hung web page or session lost error message.
Almost all the security advisories related to these buffer overflows miss the fact that these buffer overflows can be exploited via SQL injection attacks.
______________________________________________________________________
Function Buffer Overflows:
Buffer overflows have been discovered in at least 6 standard Oracle database functions. These functions are built into the core database and, unlike packages, cannot be revoked or otherwise restricted in any way. Exploit code exists for at least 2 of these buffer overflows.
The following standard functions are vulnerable –
BFILENAME (Oracle8i, Oracle9i)
FROM_TZ (Oracle9i)
NUMTODSINTERVAL (Oracle8i, Oracle9i)
NUMTOYMINTERVAL (Oracle8i, Oracle9i)
TO_TIMESTAMP_TZ (Oracle9i)
TZ_OFFSET (Oracle9i)
Oracle has not released a public security alert for the functions FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL, although a patch exists for these buffer overflows on Windows 2000/NT/XP.
SQL Injection Attack:
Previously, an attacker usually had to decipher cryptic SQL or ODBC error messages in order to learn the SQL statement and database structure for an attack. Exploiting the buffer overflows makes finding vulnerable SQL statements a matter of perseverance rather than of technical prowess.
Using a few standard attack strings, most variations of SQL injection vulnerabilities can be found simply by inserting these attack strings into every field of a web application. The attacker just has to find a web page that hangs or returns a lost-session error message, either of which indicates that the buffer overflow was triggered.
We have found that only 4 unique attack strings will exploit virtually any SQL injection vulnerability. The main difference between the attack strings is the data type the application expects in the field (numeric, character, etc.), since that determines how the injected function call has to be terminated and quoted.
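The following added example (not from the advisory) shows the shape of the problem in PL/SQL. The first procedure concatenates web input into dynamic SQL; the two attack strings after it assume the application expects a numeric value in one field and a character value in the other, and each simply makes the database evaluate one of the listed functions. The advisory does not publish its attack strings, so the choice of NUMTOYMINTERVAL, the use of an oversized string argument as the trigger, and the argument position are all assumptions made here for illustration. The second procedure is the corrected form with bind variables.

```sql
-- Added example, not from the Integrigy advisory.
-- VULNERABLE: web input concatenated into dynamic SQL.
-- order_id is numeric (no quotes), customer_name is character (quoted).
CREATE OR REPLACE PROCEDURE find_order_unsafe (p_id IN VARCHAR2, p_name IN VARCHAR2) AS
  v_sql   VARCHAR2(4000);
  v_count NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM orders WHERE order_id = ' || p_id
        || ' AND customer_name = ''' || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_count;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_count);
END;
/

-- Attack string for the NUMERIC field (no quote needed). RPAD builds the
-- oversized argument; which argument overflows is assumed here, not taken
-- from the advisory. Submitted as the value of p_id:
--   1 OR NUMTOYMINTERVAL(1, RPAD('A', 4000, 'A')) IS NULL
--
-- Attack string for the CHARACTER field: close the literal, add the same
-- call, and comment out the rest of the statement. Submitted as p_name:
--   x' OR NUMTOYMINTERVAL(1, RPAD('A', 4000, 'A')) IS NULL --
--
-- In both cases the resulting statement asks an unpatched database to
-- evaluate the function; the web tier then sees a hung request or a
-- lost-session error. Oracle is free to evaluate predicates in any order,
-- so a given string may not be reached on the first try, which is why the
-- advisory describes the attack as repeated testing.

-- FIXED: bind variables. The same input arrives as data, never as SQL, and
-- TO_NUMBER rejects a non-numeric p_id before any statement is run.
CREATE OR REPLACE PROCEDURE find_order_safe (p_id IN VARCHAR2, p_name IN VARCHAR2) AS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM orders WHERE order_id = :1 AND customer_name = :2'
    INTO v_count USING TO_NUMBER(p_id), p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_count);
END;
/
```

The table name orders and the two column names are assumed for the example. The important property of the fixed version is that the text of the statement is a constant: nothing the client submits can change which functions the database calls.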
By inserting the attack string in the POST payload rather than in the URL, an attacker may be able to evade intrusion detection and prevention systems. The attack will also be absent from the web server access logs, which record the request line and query string but not the body of a POST request.
The risk is greatest for widely deployed open-source and commercial software, since a SQL injection vulnerability can be identified in advance on a test installation and then exploited against any deployment with a single HTTP request.
We do not believe this type of attack will be leveraged by worm or virus writers since the prevalence of any single web application is very low. However, targeted attacks against 50 to 100 deployments of an application can be readily accomplished and most likely will be very successful.
Attack Result:
The desired result of these buffer overflow attacks is the execution of arbitrary commands on the database server. Even if the buffer overflow can not be exploited in such a manner, a denial of service attack can be achieved.
Most web application architectures use a pool of database connections and do not recognize or recover from the abnormal termination of a database session. Each triggered overflow terminates the session that executed the statement, so by repeating the request an attacker can deplete the connection pool and block normal application processing.
Recommended Action:
Apply patches as described in Security Alerts 48, 49, and 50. Please note that each alert is a different patch and some alerts only apply to certain versions of the Oracle Database. The Patchset 9.2.0.4 includes all these patches.
For Microsoft Windows, additional patches for the FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL vulnerabilities are available in Patch 3 on top of Patchset 9.2.0.4.
For Linux and UNIX, patches do not exist for the FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL vulnerabilities.
Additional buffer overflows do exist; unfortunately there are no solutions or workarounds to protect from these undisclosed buffer overflows in the standard database functions. Because the functions themselves cannot be restricted, the remaining control is to limit what a compromised session can reach: we strongly recommend that EXECUTE on all non-essential database packages (DBMS_* and UTL_*) be revoked from all web application database users. Many of these packages are granted to PUBLIC by default, so the grant to PUBLIC must be revoked as well for the restriction to have any effect.
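As an added example of carrying out that recommendation (not part of the advisory), the statements below first inventory which DBMS_* and UTL_* packages the web application's database user can execute, directly or through PUBLIC, and then revoke the ones that are not needed. The schema name WEBAPP, the batch account BATCH_LOADER and the particular packages revoked are assumptions; which packages are non-essential is an application decision.

```sql
-- Added example, not from the Integrigy advisory. Run as a DBA.
-- 1. Inventory: what can the web application's schema (assumed: WEBAPP)
--    execute among SYS-owned DBMS_* and UTL_* packages, directly or via PUBLIC?
SELECT grantee, table_name AS package_name, grantor
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND grantee IN ('WEBAPP', 'PUBLIC')
   AND (table_name LIKE 'DBMS\_%' ESCAPE '\'
        OR table_name LIKE 'UTL\_%' ESCAPE '\')
 ORDER BY grantee, table_name;

-- 2. Revoke the packages the application does not need. The ones below give
--    a database session file or network reach (UTL_FILE, UTL_HTTP, UTL_TCP,
--    UTL_SMTP) or let it schedule code (DBMS_JOB); they are granted to PUBLIC
--    by default, so revoking from WEBAPP alone would change nothing.
REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_TCP  FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_SMTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.DBMS_JOB FROM PUBLIC;

-- 3. Where a specific privileged account genuinely needs a package, grant it
--    to that account alone rather than leaving it on PUBLIC.
GRANT EXECUTE ON SYS.UTL_FILE TO BATCH_LOADER;

-- 4. Re-run the inventory query from step 1. Whatever is still granted to
--    WEBAPP (or to PUBLIC) is the residual reach of an injected session.
```

Revoking a grant from PUBLIC invalidates any stored code in other schemas that depends on the package, so check DBA_OBJECTS for invalid objects afterwards and recompile or grant explicitly as needed; this is the kind of change the advisory's note about testing and backups is meant to cover.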
Appropriate testing and backups should be performed before applying any patches or making configuration changes.
Additional Information:
An Introduction to SQL Injection Attacks for Oracle Developers –
http://www.integrigy.com/resources.htm
Using Database Functions in SQL Injection Attacks (May 2003) –
http://www.integrigy.com/resources.htm
Oracle Security Alert #48 - http://technet.oracle.com/deploy/security/pdf/2003alert48.pdf
Oracle Security Alert #49 - http://technet.oracle.com/deploy/security/pdf/2003alert49.pdf
Oracle Security Alert #50 - http://technet.oracle.com/deploy/security/pdf/2003alert50.pdf
FROM_TZ Vulnerability -
http://www.nextgenss.com/advisories/ora_from_tz.txt
NUMTOYMINTERVAL Vulnerability -
http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
NUMTODSINTERVAL Vulnerability –
http://www.nextgenss.com/advisories/ora_from_tz.txt
NUMTODSINTERVAL and NUMTOYMINTERVAL Exploit Code –
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0031.html
If you require additional information or have questions, please contact us at alerts@integrigy.com.
______________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.