Exploit code is being circulated that can crash Oracle 10g databases.
The code was posted on the Full Disclosure mailing list on Thursday.
David Litchfield, a security researcher with Next Generation Security Software Ltd., said that the code is relatively benign in that the exploit crashes servers but doesnt run arbitrary code that might issue malicious commands.
“The [circulating code] is just a pointer to how to exploit the code,” he said. “Whilst it will launch a DoS [denial of service] attack, this exploit doesnt allow you to run arbitrary code. Its benign in the fact that it does nothing but crash the server—if that can be considered benign.”
The code exploits a buffer overflow vulnerability in the sys.pbsde.init procedure. It uses the term “Mary Ann Davidson”—the name of Oracles chief security officer—as a long string thats simply repeated until it fills out the buffer to create an overflow.
It can be exploited by either an internal user with the proper credentials or by a remote attacker who gains access through the PL/SQL Apache module in Oracles Application Server, Litchfield said. As such, it can be exploited without credentials via SQL injection.
Using the PL/SQL Apache module as a proxy server to the back-end database server, PL/SQL packages and procedures can be executed without the need for SQL injection, Litchfield said.
Even servers that have been patched with Oracles latest patch set, released last week, are vulnerable through the public access in Application Server, according to Litchfield.
To patch the hole, Litchfield recommended adding a PL/SQL exclusion that denies requests to execute the exploit through the Application Server.
The code was submitted to Full Disclosure by oracle_secalert at hushmail.com. The submitting party gave neither instructions on how to mitigate the risks nor an indication of motivation.
Editors Note: This story was updated to remove a reference to vulnerability of patched Oracle servers.