| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Dec 2004 16:31:16 -0000 From: "NGSSoftware Insight Security Research" <nisr@...tgenss.com> To: <bugtraq@...urityfocus.com>, <ntbugtraq@...tserv.ntbugtraq.com>, <vulnwatch@...nwatch.org> Subject: Oracle Character Conversion Bugs (#NISR2122004G) NGSSoftware Insight Security Research Advisory Name: Oracle 10g character conversion bug Systems Affected: Oracle 10g/AS on all operating systems Severity: High risk Vendor URL: http://www.oracle.com/ Author: David Litchfield [ davidl at ngssoftware.com ] Relates to: http://www.nextgenss.com/advisories/oracle-01.txt Date of Public Advisory: 23rd December 2004 Advisory number: #NISR2122004G Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt Description *********** Due to character conversion problems in Oracle 10g with Oracle's Application server it is possible to bypass pl/sql exclusions and gain access to the database server as SYS. Details ******* There is a character conversion bug in 10g that can lead to a compromised backend database server. Both Windows and Linux are affected. Consider the following set up. There's a Oracle HTTP Server (running apache 1.3.22 on Windows) using the PL/SQL module feeding into a 10g box running on Windows and a 10g box running on Linux. The character set for both instances is WE8ISO8859P1. When the app server receives a request of http://server/pls/windad/%FF%FF%FF%FF%FF the %FFs are converted to the byte 0xFF (as expected) but sniffing the database response to the app server we get "ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be declared....." 10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that is uppercase Y. Due to this conversion an attacker can request http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+usernam e+from+all_users and gain access to "banned" and dangerous procedures. The character set for the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1. If, however, we set the character set on the HTTP Server to ENGLISH_UNITEDKINGDOM.WE8MSWIN1252 not only is the 0xFF still converted to 0x59 but if http://server/pls/windad/%9F%9F%9F%9F%9F%9F is requested the _app_server_ (note - not 10g) converts the %9F to a Y and again this allows us to do the following http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+usernam e+from+all_users again giving access to the "banned" and dangerous procedures. Other character sets and scenarios may cause similar problems. Fix Information *************** A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm), can be used to assess whether your Oracle servers are vulnerable to this. About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@...software.com
Powered by blists - more mailing lists