Exploit Code Released for Oracle Hole

By Lisa Vaas  |  Posted 2005-11-09 Print this article Print

Updated: This code, posted on the Full Discloure mailing list, can crash Oracle 10g databases.

Exploit code is being circulated that can crash Oracle 10g databases.

The code was posted on the Full Disclosure mailing list on Thursday.
David Litchfield, a security researcher with Next Generation Security Software Ltd., said that the code is relatively benign in that the exploit crashes servers but doesnt run arbitrary code that might issue malicious commands.
Click here to read more about Oracles flawed patch set, according to a researcher. "The [circulating code] is just a pointer to how to exploit the code," he said. "Whilst it will launch a DoS [denial of service] attack, this exploit doesnt allow you to run arbitrary code. Its benign in the fact that it does nothing but crash the server—if that can be considered benign." The code exploits a buffer overflow vulnerability in the sys.pbsde.init procedure. It uses the term "Mary Ann Davidson"—the name of Oracles chief security officer—as a long string thats simply repeated until it fills out the buffer to create an overflow. It can be exploited by either an internal user with the proper credentials or by a remote attacker who gains access through the PL/SQL Apache module in Oracles Application Server, Litchfield said. As such, it can be exploited without credentials via SQL injection. Using the PL/SQL Apache module as a proxy server to the back-end database server, PL/SQL packages and procedures can be executed without the need for SQL injection, Litchfield said. Even servers that have been patched with Oracles latest patch set, released last week, are vulnerable through the public access in Application Server, according to Litchfield. To patch the hole, Litchfield recommended adding a PL/SQL exclusion that denies requests to execute the exploit through the Application Server. Click here to read more about how Oracle may want to help, not hurt, MySQLs growth. The code was submitted to Full Disclosure by oracle_secalert at hushmail.com. The submitting party gave neither instructions on how to mitigate the risks nor an indication of motivation. Editors Note: This story was updated to remove a reference to vulnerability of patched Oracle servers. Check out eWEEK.coms for the latest database news, reviews and analysis.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel