Updated: This code, posted on the Full Discloure mailing list, can crash Oracle 10g databases.
Exploit code is being circulated that can crash Oracle 10g databases.
The code was posted on the Full Disclosure
mailing list on Thursday.
David Litchfield, a security researcher with Next Generation Security Software Ltd.,
said that the code is relatively benign in that the exploit crashes servers but doesnt run arbitrary code that might issue malicious commands.
Click here to read more about Oracles flawed patch set, according to a researcher.
"The [circulating code] is just a pointer to how to exploit the code," he said. "Whilst it will launch a DoS [denial of service] attack, this exploit doesnt allow you to run arbitrary code. Its benign in the fact that it does nothing but crash the serverif that can be considered benign."
The code exploits a buffer overflow vulnerability in the sys.pbsde.init procedure. It uses the term "Mary Ann Davidson"the name of Oracles chief security officeras a long string thats simply repeated until it fills out the buffer to create an overflow.
It can be exploited by either an internal user with the proper credentials or by a remote attacker who gains access through the PL/SQL Apache module in Oracles Application Server, Litchfield said. As such, it can be exploited without credentials via SQL injection.
Using the PL/SQL Apache module as a proxy server to the back-end database server, PL/SQL packages and procedures can be executed without the need for SQL injection, Litchfield said.
Even servers that have been patched with Oracles latest patch set,
released last week, are vulnerable through the public access in Application Server, according to Litchfield.
To patch the hole, Litchfield recommended adding a PL/SQL exclusion that denies requests to execute the exploit through the Application Server.
Click here to read more about how Oracle may want to help, not hurt, MySQLs growth.
The code was submitted to Full Disclosure by oracle_secalert at hushmail.com. The submitting party gave neither instructions on how to mitigate the risks nor an indication of motivation.
Editors Note: This story was updated to remove a reference to vulnerability of patched Oracle servers.
Check out eWEEK.coms for the latest database news, reviews and analysis.