Exploit Code Released for Oracle Hole
Database
SHARE
Facebook X Pinterest WhatsApp

Exploit Code Released for Oracle Hole

Written By
Lisa Vaas
Lisa Vaas
Nov 9, 2005
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Exploit code is being circulated that can crash Oracle 10g databases.

The code was posted on the Full Disclosure mailing list on Thursday.

David Litchfield, a security researcher with Next Generation Security Software Ltd., said that the code is relatively benign in that the exploit crashes servers but doesnt run arbitrary code that might issue malicious commands.

/zimages/4/28571.gifClick hereto read more about Oracles flawed patch set, according to a researcher.

“The [circulating code] is just a pointer to how to exploit the code,” he said. “Whilst it will launch a DoS [denial of service] attack, this exploit doesnt allow you to run arbitrary code. Its benign in the fact that it does nothing but crash the server—if that can be considered benign.”

The code exploits a buffer overflow vulnerability in the sys.pbsde.init procedure. It uses the term “Mary Ann Davidson”—the name of Oracles chief security officer—as a long string thats simply repeated until it fills out the buffer to create an overflow.

It can be exploited by either an internal user with the proper credentials or by a remote attacker who gains access through the PL/SQL Apache module in Oracles Application Server, Litchfield said. As such, it can be exploited without credentials via SQL injection.

Using the PL/SQL Apache module as a proxy server to the back-end database server, PL/SQL packages and procedures can be executed without the need for SQL injection, Litchfield said.

Even servers that have been patched with Oracles latest patch set, released last week, are vulnerable through the public access in Application Server, according to Litchfield.

To patch the hole, Litchfield recommended adding a PL/SQL exclusion that denies requests to execute the exploit through the Application Server.

/zimages/4/28571.gifClick hereto read more about how Oracle may want to help, not hurt, MySQLs growth.

The code was submitted to Full Disclosure by oracle_secalert at hushmail.com. The submitting party gave neither instructions on how to mitigate the risks nor an indication of motivation.

Editors Note: This story was updated to remove a reference to vulnerability of patched Oracle servers.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest database news, reviews and analysis.
Lisa Vaas
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information