The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Oracle 10g R2 PITRIG_DROPMETADATA Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Oracle Database Server is "a family of database products that range from
personal databases to enterprise solutions". Remote exploitation of a
buffer overflow in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure in
Oracle Corp.'s Database 10gR2 could allow a user with an authenticated
session to execute arbitrary code in the context of the database account.
DETAILS
Vulnerable Systems:
* Oracle Database 10g Release 2 with all Critical Patch Updates as of
February 2007
The XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure takes two arguments,
OWNER and NAME. The lengths of these arguments are used by an internal
function to construct an SQL query without being adequately sanitized. If
the combined length of the two fields is too large, a buffer overflow
occurs, allowing arbitrary code execution.
Analysis:
Exploitation of this vulnerability allows an authenticated remote user to
execute code on the underlying system in the context of the database
account. Other than access to execute the vulnerable function, this
vulnerability does not require any special privileges. From the database
user account, an attacker can then access or modify the database and files
related to its operation.
Vendor response:
Oracle Corp. has been contacted and stated the following.
" Tracking #: 9219583 Description: BUFFER OVERFLOW IN
XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Status: Issue fixed in main
codeline, scheduled for a future CPU "
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4517>
CVE-2007-4517
Disclosure timeline:
02/01/2007 - Initial vendor notification
02/01/2007 - Initial vendor response
11/07/2007 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=622>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=622
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
