Integrigy Security Advisory
______________________________________________________________________
Oracle Database Function Buffer Overflows – Additional Information
February 6, 2004
______________________________________________________________________
Summary:
Buffer overflows have been discovered in a number of Oracle standard database functions. An attacker can readily exploit these buffer overflows to gain unauthorized access to the database server or to cause a denial of service against the database.
The buffer overflows can be exploited either through a database session or through a web application using a SQL injection attack. Almost all the security advisories related to these buffer overflows miss the fact that these buffer overflows can be exploited via SQL injection attacks.
Product: Oracle Database
Versions: Oracle9i – all versions
Oracle8i – all versions
Platforms: All platforms
Risk Level: Critical
______________________________________________________________________
Description:
Buffer overflows have been discovered in at least 6 standard Oracle database functions. These functions are part of the core database and cannot be restricted in any way. Exploit code exists for at least 2 of these buffer overflows.
The following standard functions are vulnerable –
BFILENAME (Oracle8i, Oracle9i)
FROM_TZ (Oracle9i)
NUMTODSINTERVAL (Oracle8i, Oracle9i)
NUMTOYMINTERVAL (Oracle8i, Oracle9i)
TO_TIMESTAMP_TZ (Oracle9i)
TZ_OFFSET (Oracle9i)
Oracle has not released a public security alert for the functions FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL, although a patch exists for these buffer overflows on Windows 2000/NT/XP.
Exploitable via SQL Injection Attacks:
Current security alerts and advisories from Oracle and independent security researchers only state that these buffer overflows can be exploited from a valid database session. However, we have been able to successfully execute SQL injection attacks that exploit these buffer overflows.
We believe the risk from exploitation of these buffer overflows via SQL injection attacks against web applications is greater than from direct database connections.
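The reason a web application can reach these functions at all is that dynamic SQL built from request parameters lets the caller supply arbitrary SQL text, including calls to any standard function. The following is an added example, not code from the Integrigy advisory: a hypothetical order-lookup procedure (the names orders, amount, customer, lookup_order_unsafe, lookup_order and p_customer are assumed for illustration) shown first in the concatenating form and then with a bind variable, which keeps the statement text fixed so that no function call can be injected.

```sql
-- Added example (not part of the Integrigy advisory). Table and procedure
-- names are assumed for illustration.

-- Vulnerable form: the caller-supplied value is spliced into the statement
-- text, so whatever the web tier passes becomes SQL. Any standard database
-- function, including those named in this advisory, can then be called
-- with caller-chosen arguments inside the injected text.
CREATE OR REPLACE PROCEDURE lookup_order_unsafe (p_customer IN  VARCHAR2,
                                                 p_total    OUT NUMBER) AS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT SUM(amount) FROM orders WHERE customer = '''
           || p_customer || '''';
  EXECUTE IMMEDIATE v_sql INTO p_total;
END;
/

-- Hardened form: the value travels as a bind variable. The statement text
-- is a constant, so the parameter is only ever treated as data.
CREATE OR REPLACE PROCEDURE lookup_order (p_customer IN  VARCHAR2,
                                          p_total    OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT SUM(amount) FROM orders WHERE customer = :cust'
    INTO p_total
    USING p_customer;
END;
/
```

Where the statement does not need to be dynamic at all, plain static PL/SQL (SELECT SUM(amount) INTO p_total FROM orders WHERE customer = p_customer;) is preferable to EXECUTE IMMEDIATE: it binds automatically and gives the compiler the chance to check the SQL. Either way, the patch for the overflow and the bind variable in the application are independent controls; the second limits how many code paths can reach a function the first has not yet fixed.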
NUMTOYMINTERVAL and NUMTODSINTERVAL also available in Oracle8i:
The security alerts from independent security researchers do not recognize that these functions exist in Oracle8i and that the buffer overflows exist in all Oracle8i versions, including 8.1.7.4.
Recommended Solution:
Apply patches as described in Security Alerts 48, 49, and 50. Please note that each alert is a different patch and some alerts only apply to certain versions of the Oracle Database. The Patchset 9.2.0.4 includes all these patches.
For Microsoft Windows, additional patches for the FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL vulnerabilities are available in Patch 3 on top of Patchset 9.2.0.4.
For Linux and UNIX, patches do not exist for the FROM_TZ, NUMTOYMINTERVAL, and NUMTODSINTERVAL vulnerabilities.
Additional buffer overflows do exist; unfortunately there are no solutions or workarounds to protect from these undisclosed buffer overflows in the standard database functions. We strongly recommend that all non-essential database packages (DBMS_* and UTL_*) be restricted for all web application database users.
Appropriate testing and backups should be performed before applying any patches or making configuration changes.
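The vulnerable functions themselves cannot be revoked, but the recommendation above to restrict non-essential DBMS_* and UTL_* packages can be carried out and verified with ordinary data-dictionary queries and grants. The script below is an added example, not part of the Integrigy advisory. The package names are standard Oracle packages; the account names APP_WEB and APP_BATCH, and the assumption that only the batch account needs UTL_FILE, are constructed for illustration and must be replaced by what testing shows each application actually uses.

```sql
-- Added example (not part of the Integrigy advisory). Run as SYS or a DBA.
-- APP_WEB and APP_BATCH are assumed account names; which packages an
-- application truly needs is an assumption to be confirmed by testing.

-- 1. Inventory: which DBMS_*/UTL_* packages can every account execute
--    through the PUBLIC grant?
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND (table_name LIKE 'DBMS\_%' ESCAPE '\'
        OR table_name LIKE 'UTL\_%' ESCAPE '\')
 ORDER BY table_name;

-- 2. Before revoking, find stored code outside SYS/SYSTEM that depends on a
--    package, so that a revoke does not silently invalidate it.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP')
   AND owner NOT IN ('SYS', 'SYSTEM');

-- 3. Remove the blanket PUBLIC grant on the packages that reach outside the
--    database (file system, network, mail). A web application account
--    rarely needs them, and they are what an attacker with SQL execution
--    would look for next.
REVOKE EXECUTE ON SYS.UTL_FILE FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_HTTP FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_TCP  FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_SMTP FROM PUBLIC;

-- 4. Re-grant only to the schema with a demonstrated need (assumed here).
GRANT EXECUTE ON SYS.UTL_FILE TO app_batch;

-- 5. Verify: the web application account must not hold the privilege,
--    either directly or through PUBLIC. An empty result is the goal.
SELECT grantee, table_name
  FROM dba_tab_privs
 WHERE privilege  = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP')
   AND grantee    IN ('PUBLIC', 'APP_WEB');
```

Step 2 is the check that makes the advisory's "appropriate testing" concrete: Oracle-supplied components and third-party schemas sometimes rely on the PUBLIC grant, and the dependency query shows which objects will need an explicit grant (as in step 4) before the revoke lands in production. Roles granted to the web account should be reviewed the same way via dba_role_privs, since a package privilege can arrive through a role as well as through PUBLIC.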
Additional Information:
An Introduction to SQL Injection Attacks for Oracle Developers –
http://www.integrigy.com/resources.htm
Using Database Functions in SQL Injection Attacks (May 2003) –
http://www.integrigy.com/resources.htm
Oracle Security Alert #48 - http://technet.oracle.com/deploy/security/pdf/2003alert48.pdf
Oracle Security Alert #49 - http://technet.oracle.com/deploy/security/pdf/2003alert49.pdf
Oracle Security Alert #50 - http://technet.oracle.com/deploy/security/pdf/2003alert50.pdf
FROM_TZ Vulnerability -
http://www.nextgenss.com/advisories/ora_from_tz.txt
NUMTOYMINTERVAL Vulnerability -
http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
NUMTODSINTERVAL Vulnerability –
http://www.nextgenss.com/advisories/ora_from_tz.txt
NUMTODSINTERVAL and NUMTOYMINTERVAL Exploit Code –
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0031.html
If you require additional information or have questions, please contact us at alerts@integrigy.com.
______________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.