Integrigy Security Advisory

______________________________________________________________________

 

Oracle Database Function Buffer Overflows – Oracle Applications Impact

February 6, 2004

Revised: February 20, 2004

______________________________________________________________________

 

Summary:

Buffer overflows have been discovered in a number of Oracle Database functions.  An attacker can readily exploit these buffer overflows to gain unauthorized access to the database server or to cause a denial of service against Oracle Applications.

Oracle Applications is especially susceptible to these vulnerabilities because they can be exploited using the APPLSYSPUB database account or through a SQL injection attack.

Product:    Oracle E-Business Suite

Versions:   Oracle Applications 11.5.x – all versions

Platforms:  All platforms

Risk Level: High

______________________________________________________________________

 

Description:

Buffer overflows have been discovered in at least six standard Oracle Database functions.  These functions are part of the core database and cannot be restricted in any way: they are available to every database session, regardless of the privileges granted to the account.  Simple-to-use exploit code has been published for at least two of these buffer overflows.

The following standard functions are vulnerable –

  BFILENAME        (Oracle8i, Oracle9i)
  FROM_TZ          (Oracle9i)
  NUMTODSINTERVAL  (Oracle8i, Oracle9i)
  NUMTOYMINTERVAL  (Oracle8i, Oracle9i)
  TO_TIMESTAMP_TZ  (Oracle9i)
  TZ_OFFSET        (Oracle9i)

An attacker can use these buffer overflows to execute arbitrary code on the database server, in the context of the database server process, or to cause a denial of service against Oracle Applications.

Impact on Oracle Applications:

Oracle Applications uses a public database account, APPLSYSPUB, for authentication purposes.  APPLSYSPUB has a well-known password (PUB), and Oracle does not recommend changing the password after installation of Oracle Applications.  The APPLSYSPUB account is severely restricted, but because the affected functions are standard SQL functions it can execute every one of them.

Many organizations allow direct connections to the database using APPS_READ or similar accounts for reporting purposes.  Often the passwords for these database accounts are well known or easily guessed.

By using APPLSYSPUB (or an APPS_READ account) to connect to the database over SQL*Net (e.g., via SQL*Plus), anyone can trigger these buffer overflows by executing a single SQL statement.  Exploit code has been released for Windows 2000 Server, so an attack is a simple cut-and-paste operation.

These buffer overflows can also be exploited via SQL injection attacks.  We have discovered a number of SQL injection vulnerabilities in Oracle Applications, some of which have not yet been patched by Oracle.  Through such an injection point the overflow is triggered by the application's own database connection, so the attacker needs no database password at all.

Solution:

The affected versions of the database are the currently certified versions for the Oracle E-Business Suite, so every Oracle Applications 11.5.x installation should be assumed to be running a vulnerable database until the relevant patches have been applied.

Review the following security alerts to determine the patches that need to be applied –

-        Oracle Security Alerts 48, 49, and 50 (April 18, 2003)
-        Oracle Security Alert 64 (February 18, 2004)

The exact patches required will depend on the database version.

The following additional steps should be reviewed to determine if they are appropriate for your environment –

(1)    Restrict direct database access to system administrators using a firewall or restrictions within the database listener (for example, Oracle Net valid node checking, which limits the client IP addresses allowed to connect).

(2)    Review the use of, and access to, any generic database reporting accounts such as APPS_READ; lock accounts that are not needed and change any well-known or easily guessed passwords.

(3)    Include these function names in the rule sets of intrusion detection and prevention systems.

(4)    Monitor access to the APPLSYSPUB and other generic database accounts using Oracle session auditing (AUDIT SESSION), paying particular attention to connections from hosts other than the application tier and to failed logon attempts.

(5)    Monitor Apache access log files for these function names in URLs; their appearance in a request is an indication of a SQL injection attempt.
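
One way to carry out step (5), as an added example that is not part of the original advisory: a small Python script that scans Apache access log lines for the six function names listed in the Description.  The log lines embedded in it are constructed for the example (not real Oracle Applications traffic), and the URL paths and parameter names in them are placeholders.  The scan percent-decodes each URL more than once so that double-encoded payloads are still caught, and it requires the function name to be followed by an opening parenthesis so that a parameter name which merely contains one of the words is not flagged.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Oracle built-in functions named in the advisory.  No legitimate Oracle
# Applications request carries these in a URL, so any occurrence is an
# indicator of a SQL injection attempt aimed at the overflows.
VULNERABLE_FUNCTIONS = (
    "BFILENAME", "FROM_TZ", "NUMTODSINTERVAL",
    "NUMTOYMINTERVAL", "TO_TIMESTAMP_TZ", "TZ_OFFSET",
)

# The name must stand alone as a word and be followed by "(" (whitespace
# allowed), so a parameter such as "tz_offset_col=1" does not match.
_FUNC_RE = re.compile(
    r"\b(" + "|".join(VULNERABLE_FUNCTIONS) + r")\s*\(", re.IGNORECASE
)

# Apache common/combined log format: client ident user [time] "METHOD URL PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access_log lines (not real traffic).  Lines 2 and 3
# carry injection attempts, the second one double-encoded (%2528 -> %28 -> "(").
# Line 4 is a benign parameter whose name happens to contain "tz_offset".
SAMPLE_LOG = """\
10.1.1.5 - - [06/Feb/2004:10:15:02 -0600] "GET /OA_HTML/jsp/fnd/fndhelp.jsp?dbc=PROD HTTP/1.1" 200 5120
10.1.1.9 - - [06/Feb/2004:10:16:41 -0600] "GET /OA_HTML/example.jsp?id=1%27%20or%20NUMTOYMINTERVAL(1,%27AAAA%27)%20is%20null-- HTTP/1.1" 500 321
10.1.1.9 - - [06/Feb/2004:10:17:03 -0600] "GET /OA_HTML/example.jsp?id=1+union+select+tz_offset%2528%2527AAAA%2527%2529+from+dual HTTP/1.1" 500 321
10.1.1.7 - - [06/Feb/2004:10:18:10 -0600] "GET /OA_HTML/report.jsp?tz_offset_col=1 HTTP/1.1" 200 88
"""


def decode_url(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double- or triple-encoded
    payloads are seen in clear; '+' is decoded to a space as Apache does."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_functions(url: str) -> List[str]:
    """Return the (uppercased, sorted) vulnerable function names in a URL."""
    return sorted({m.group(1).upper() for m in _FUNC_RE.finditer(decode_url(url))})


def scan_log(lines) -> List[Tuple[str, str, str, List[str]]]:
    """Return (client, time, raw url, functions) for each request whose URL
    references one of the vulnerable functions.  Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        funcs = find_functions(m.group("url"))
        if funcs:
            hits.append((m.group("client"), m.group("time"), m.group("url"), funcs))
    return hits


if __name__ == "__main__":
    for client, when, url, funcs in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{when} {client} {','.join(funcs)} {url}")
```

On a real system, feed it the access_log of the Apache server that fronts Oracle Applications (POST bodies are not logged, so this catches only attacks carried in the URL); anything it reports should be treated as an attack in progress and correlated with the database session audit trail for the same time window.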

 

Appropriate testing and backups should be performed before applying any patches or making configuration changes.

 

 

Additional Information:

An Introduction to SQL Injection Attacks for Oracle Developers –
http://www.integrigy.com/resources.htm

Using Database Functions in SQL Injection Attacks (May 2003) –
http://www.integrigy.com/resources.htm

Oracle Security Alert #48 – http://technet.oracle.com/deploy/security/pdf/2003alert48.pdf

Oracle Security Alert #49 – http://technet.oracle.com/deploy/security/pdf/2003alert49.pdf

Oracle Security Alert #50 – http://technet.oracle.com/deploy/security/pdf/2003alert50.pdf

Oracle Security Alert #64 – http://technet.oracle.com/deploy/security/pdf/2003alert64.pdf

FROM_TZ Vulnerability –
http://www.nextgenss.com/advisories/ora_from_tz.txt

NUMTOYMINTERVAL Vulnerability –
http://www.nextgenss.com/advisories/ora_numtoyminterval.txt

NUMTODSINTERVAL Vulnerability –
http://www.nextgenss.com/advisories/ora_numtodsinterval.txt

NUMTODSINTERVAL and NUMTOYMINTERVAL Exploit Code –
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0031.html

If you require additional information or have questions, please contact us at alerts@integrigy.com.

Revision History:

2/20/04 – Included information on Oracle Security Alert #64

______________________________________________________________________

 

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large enterprise, mission-critical applications.  Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications.  Integrigy Consulting offers security assessment services for leading ERP and CRM applications.

For more information, visit www.integrigy.com.