Database - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Database


Exploit Code Released for Oracle Hole



 By: Lisa Vaas
2005-11-09
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Database story.


Rate This Article:
Poor Best
Updated: This code, posted on the Full Discloure mailing list, can crash Oracle 10g databases.

Exploit code is being circulated that can crash Oracle 10g databases.

The code was posted on the Full Disclosure mailing list on Thursday.

David Litchfield, a security researcher with Next Generation Security Software Ltd., said that the code is relatively benign in that the exploit crashes servers but doesnt run arbitrary code that might issue malicious commands.

Resource Library:
Click here to read more about Oracles flawed patch set, according to a researcher.

"The [circulating code] is just a pointer to how to exploit the code," he said. "Whilst it will launch a DoS [denial of service] attack, this exploit doesnt allow you to run arbitrary code. Its benign in the fact that it does nothing but crash the server—if that can be considered benign."

The code exploits a buffer overflow vulnerability in the sys.pbsde.init procedure. It uses the term "Mary Ann Davidson"—the name of Oracles chief security officer—as a long string thats simply repeated until it fills out the buffer to create an overflow.

It can be exploited by either an internal user with the proper credentials or by a remote attacker who gains access through the PL/SQL Apache module in Oracles Application Server, Litchfield said. As such, it can be exploited without credentials via SQL injection.

Using the PL/SQL Apache module as a proxy server to the back-end database server, PL/SQL packages and procedures can be executed without the need for SQL injection, Litchfield said.

Even servers that have been patched with Oracles latest patch set, released last week, are vulnerable through the public access in Application Server, according to Litchfield.

To patch the hole, Litchfield recommended adding a PL/SQL exclusion that denies requests to execute the exploit through the Application Server.

Click here to read more about how Oracle may want to help, not hurt, MySQLs growth.

The code was submitted to Full Disclosure by oracle_secalert at hushmail.com. The submitting party gave neither instructions on how to mitigate the risks nor an indication of motivation.

Editors Note: This story was updated to remove a reference to vulnerability of patched Oracle servers.

Check out eWEEK.coms for the latest database news, reviews and analysis.



  Reader Comments: Exploit Code Released for Oracle Hole
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Database Articles          >>> More By Lisa Vaas
 


x}ks8q8cH)ٖcmlk)fV(8H.I1sO/vKZ8["h4Iș3!9)ٝ0Oo-zIjûPAefAUM7 JԶO7RM3i /vGlJ~x'AT{j! xL5MΚMH]ٚ7'x2)X$8kNմnI>شY$)O@.O~Vh= \2HTߦuB)~{Te䆡;g? CxKt/"(?c&cZ8;x'fw^B(ƻFՉziZgdd vu=yͨKQf3r=BM*-M DƞHC d#̒JKN`:rm3G^C]õ]Z.R͌eCwt=POMҷB($g >v?&K68VRk0~b[4Ip\.* }= :ҍs}4 .j.9a&ԃ)}(p}=\'BL}:n/EӝÌfؖqSth(́V* (ZPʍxxg9{ؖ3p*s_gJU4Ei/~pd v4򺮕 y Es3^_wD߀j0QEVKY/ ZH9~^wE;G>w:Qڟ+̪ok*Cp='{:$lrK,.iTWZxqhC!u{D ,_dxpLq:8?# | ,-˝)Tt</Rzhf5 t @CX&%m":u P|sNFZRĿ"G/]uIwNЁ)WIC EhYf7-vIqM}sQU ,PߢW, FKP̶#ؠe)u?g 6aϨ>|鎓z>:AGAtišwhNP7h`Cҋ;Lڠ~N;ݧn]=&tno/*AbG& ahh5 ZLH#AтMtT8n]`2Z9ܹ L& zVtc` VGPC!nH }P(Vr`{nȲc@|j JG@i0xzEاH.B$(ZȻ"!Alu [$t XV0(VNFvGBj+6ODs@PGҙ;qjr_)̄rZ z)2ٜʬ$3Mf힟 X*ȉ#o"0%X -gZ Xk5Ʋ fhZZO4Mǖa1A.ϼs6I`0EX$%\Ew, fzn4 Iߵo)y@la} / a@-]7mSr`8) 0:|Ch2i{M?g[,:L:%qCz]:0s k2'y='.Q1j7uϙ_O#kۖsM ߄T 9u# \ă r}͚X 4ؐ9|&Bw7cnS^ʚtUU.FiJ W318 FLyK ('SwFFJ V !zh'>eg HlYWo%,~k%fcPouJiO_%9&ےx A-ʘŗZZG"JP>V "CɧqHLl-76pȞZcnP jrI))KbW4E%sXf&`ܰ &P wS~8;[0P!k^G'Vu<]|>'}=r=C68y<2M 1ҧ[BSjj33-F  o _׆K ȁUzq3ҝlia?, {E[IZq>O: V!2GD+ه0`-E|ݛZA_a V&H~1:2.eX \kOa3<(yR+r!'ֈI4U$]g ĕQNjް~Pk6'wpH} [ܑ \wbSIBOKRM]'Xk5E}c*OIVt@CF ‘"}yj9 3}!T0|"V$D6pl)5tl*Fuixm!8+I%$]'uX2}j}tǜ}h32 yΓE^JZB qjhUUjV͎^{}|8=edLQp1< _WAqf -6/|QCzMp`>sn.,|pZEN[O`cV av05;>UJ?#2ByQYhw\rR2 S#<~Ɋ0 ClW͵[1pWGPVLuO##cYd:w@ݐ늦 uz7VE@ Gz#x؝N HuҞ1 n:+@lr ?֊N[Ss?@ťQ 4133b_@7U֨TҞw"XͿ8KCbQTh^;p 1J;pLjg %Jk欩x+sJbOW2EXEhkC鳨 |dsHNpDL+ 30RsIl x@̬k!@:f۴s:i&2106Y-0P>O\մJ ,09>|6Œu8Y[`gs7*u08. LB7!lܓa*r1=_?J} [Lߴ@V1`{7=;#(4OQX9)6y_7)~(zC9+muA>qRTS*.?J6#U\+ԊR?YTAtE︤CEZdЯdL5AKl!/`.P(S/F fTmZ/)+iQ/ ~ dwm! PG c[,] y>1ag 3~w]fr~8yzŻRiiԽ8cTZ>~}8~61zˁNIMw$(XMp,Is^i{{>>^|; YdEp0Z^ <!hao0 8 %Y; g݋uoлo= r@p'Bju?\$'d0 sti_E'6b `xѤĢ&B}XyC0Ť3DJ^KkhVˮu^N4~x=Na.CLU'EQ,wuϏFMb׽cscD1uwR;2x;yZ1ݾpne9r0jw;t=z;Ojw]!3LرDݘ~zNh53 \cALuvp߁؉H*Ero5 W8{J-cAɼ># ᛷ 6n2'|2JO$ho~QϜƭovVSYF=f/ݷvcW};Ǎ>--8tǠY#Ҁ#I1M&ZQH**sᔤvȌWNH&Xd1Ws0d&'q=K}#uooo=إ '֛%t7w6BfX AV1a; }k՛3.B)@Siqp~vƔI ic$H)Zs4 M _56DN X W+OiƿJկ&qFL>9bkΒcrtU@iThϣQsŁm@DY=PlG춾0 rt?[N`CYr-`*w3jLJJCk( 9ץ~Fnr5K !ƽ# Tw[[TF ;ynwQQ/T0%nUg"wvvRn TXpc|2~War?Lj;s F. 1QiT 0,vH]0Mfg\'AA/i!'렳-TO;i.yMh4q s'CxׅӔ׆.H\X8X=zg[qtS?w:'IMl@T F_p'*|,5AY%; Oʴ.ɼnv1$= V0:6ΎS- cxN*k*f)w>IZ @x 8`q[XH9JҔ\zEHl aU˻7 ߦ0 =;Y uF:@үwQdЗjUUX5M"$M"aKd2.}>b|MZxy{Jre饸2^Nq􁆁$Rs`J*#uO&Ƥ'M3ssP*UĨYm яA9# >a '&UDgRMt&G~<KwG:&@mϴ b^,O.N0b V"]t=?-|I,0ȷ}c+&H ύM,a931`N7?[i\Gt i Tr {L}b<?(=AkW` V7KْrK\?L>@AW{#\Tk&W^ϢÒ}ڭ?6\N])KA uMdbo.Q4# êHFVIY7,kgǽ+Dݽݽݽݽ_[ݽJzyo+";X$3DꇠgԊM/̂W3A @ )πif>|Zdڢ }mI=%UH+2"uN8$! z` ^9lG[M 彞Vy%DF@}0d DY8J~S#qjo8x^<Iu sZ]3pQT>_yJFlyi~T^\uQb7\^!@:AO'|ڨ״5D D$P^> } [ސ'/@.I]+zxBBy7Om;E?H} C8B$Q̀HԜoے!|aCx1ՙ%1G <~ƔJaQjS I+MYƣh;釴?G4~w(}w(}w(}w(Z^-nRo_0x@rǘD0m VCS#B ~ "`xswsc7ŵio(Vsl1-nK&ݓXc?g.1ū%oAݹr_|k Nl?]uӫ֠BNk?0 \$xmn$v?h`+@M$6-0V'Eq2f{ [1+tҥtXoJYn(VC}__,mAmAɼ#Ь%5:&;RJD:`WFSXL2J63vj` n/> ztowwv]gSl)5ֵ7 xg|-^/Em/ ?oIeWmۋ@{4I%1Y~GjOP5FO.OFC!>L9͂o4n[*ze ][G?LƞPo|֊OZڕYΞCuėrLXBI#$R9 PAgXt~D)&RTfStc f0P :&MΟSڒG~RJq'dEwGV$؛ ~#;qga- < c=ZF]A/ԮEF 94~W&Dm#i!'[,ml6w3|NLUtMЭT2^@/ cD3B[w1/7WG +K+c_~9Ud[h, ¨FJMaTwtc2ς=jX:N#RF¯^fFd#nϪ5 VrE,^zZ#ZMIxe5J7[Di=fPxQFW'nyVmIz .kx>aORkueAj+;Y!kj]e;ҡQ+qܑufYly~!}]MM .OFoJ^j$'Fp ?< Pm¼ϴDRSx&ׄd.41qn50we~t6&Y!&x5KfltQQ({b8Mt?؃3,ȏ]WHmݜ(8z1I)t#K/HzsFim΄taPX{SdO (  @Ka1c~Po֔J$2 >*%>gٕa)걊i$ʷͪg2QqJV!J`xfs W{}K1+ t0 c3brLufcվsʿ@g,>v9s?y9=?Crs~~sw y9{ _ wNr!(oYNoR89B0_*Uy@a uqSހ}VU<_`k9t _s ̭L_GBX\jvr+^vfe5vkYA {} yW /"yeo2? AQFgG6+.ȭ-'Hl]=g%%x=0?Mu{1پWߕ\*ܢ}:qOXE9 8G#iMPA9g` Ӯ@D1KAF0_w9ݧ,e;HߪẽxĿ-NÙ'ݞރ轊r mv+}a\ća^{M0A:WeC=tf}Y JÙ#ш&Zbgޣ8 a箨-g諡j:HÅMH3q 94l cGGRiejR~ܑJ0lFGDP1-&Q5YUdN*jUQ)&K<# .M3^e&MȡN!3pA&J Dk(x>Xxc6E|_ƌmBRH6T<gu~o'2Pd SEe Z;+Llb@|JP Vq 9͚W.>&]\ŠMCao/aKZöpZG;l=2dG?MqkI%B[Po6@mE{ N-#x u1<X!鞠WsK'Dr&ߢjF U*A[`"fx¡D:X~ sn70aŘSkCMHn_!g]x@٣Erby060OH  NZcV}ޣ# Ⱦ8ty9e"fneKS1s8*+cm,'~x$""H "s{B|%؄ZsJdB2,'KYД2nXkQ#{xH𵭦^̀ԛZd%\7Ay&} f&}#Ϙm^'z>ΐR8K9H%)~xjA߮ed#W B㑸x ,* Ŋ] 9v=L籽$(\d~\g;rv 7RǙ,`+]b$[VTp|"$7ΌLU"zʴu{DqKNޒۍƾ8 ;>>=ub<#U:.~=NT~7)JҍHIh/>~ElC~%Og ϿaHO(t&Iw`R1|j;;1TeΝ[QYɶy ZS~n_O(#oݒ珸6x}ư҆ ]@1SpY Ыv>cx GL}>2~ l|_Oexƪ~Qxh='з57b8Q| xÿˍtf_d%\"d< l[ !ˍ Kmˬ9s¥"UXHNRX,8. kl=S;>Ba2\Pxkyf#%3WnJP/jFo.^S6+ȀHY[D5RI|Ð!goh=~-!wS׆!y0Ǖ2D1F(g,1f& wAx =`#hxj"nRhkQ`;X+ N*t&vж?8هl&~&TH'Yl{ۺНTntI&'\9ƕE)@Xqɩ8Tou)ZByһH'ٗ}RI>S}v4:yvډ1Jbq')t?WzW XٺqKG?\>]KQEe遢%!;Y B*;w>>^|HW{zvC&ȕ/-F#oUA,jU z' l5mEgl3W' \/mt;Ǎo=F駰a9RU>\JBS+4Z/WgЧLN&ˎ㇅ wE&l)vsmb-6C-[;}#P(