Exploit Code Released for Oracle Hole

Updated: This code, posted on the Full Discloure mailing list, can crash Oracle 10g databases.

Exploit code is being circulated that can crash Oracle 10g databases.

The code was posted on the Full Disclosure mailing list on Thursday.

David Litchfield, a security researcher with Next Generation Security Software Ltd., said that the code is relatively benign in that the exploit crashes servers but doesnt run arbitrary code that might issue malicious commands.

/zimages/4/28571.gifClick here to read more about Oracles flawed patch set, according to a researcher.

"The [circulating code] is just a pointer to how to exploit the code," he said. "Whilst it will launch a DoS [denial of service] attack, this exploit doesnt allow you to run arbitrary code. Its benign in the fact that it does nothing but crash the server—if that can be considered benign."

The code exploits a buffer overflow vulnerability in the sys.pbsde.init procedure. It uses the term "Mary Ann Davidson"—the name of Oracles chief security officer—as a long string thats simply repeated until it fills out the buffer to create an overflow.

It can be exploited by either an internal user with the proper credentials or by a remote attacker who gains access through the PL/SQL Apache module in Oracles Application Server, Litchfield said. As such, it can be exploited without credentials via SQL injection.

Using the PL/SQL Apache module as a proxy server to the back-end database server, PL/SQL packages and procedures can be executed without the need for SQL injection, Litchfield said.

Even servers that have been patched with Oracles latest patch set, released last week, are vulnerable through the public access in Application Server, according to Litchfield.

To patch the hole, Litchfield recommended adding a PL/SQL exclusion that denies requests to execute the exploit through the Application Server.

/zimages/4/28571.gifClick here to read more about how Oracle may want to help, not hurt, MySQLs growth.

The code was submitted to Full Disclosure by oracle_secalert at hushmail.com. The submitting party gave neither instructions on how to mitigate the risks nor an indication of motivation.

Editors Note: This story was updated to remove a reference to vulnerability of patched Oracle servers.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest database news, reviews and analysis.