Oracle DBMS_CAPTURE_ADM_INTERNAL Buffer Overflow

Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Published: January 24, 2007
Added: May 15, 2007
Modified: August 22, 2013

Description

Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL.

Solution

  • Apply the January 2007 Critical Patch Update (CPU) for Oracle

    The January 2007 CPU should be applied to the Oracle database. The available CPUs and patch sets are listed in a table on the Oracle security alert website. Oracle does not make patch sets available to the public; a MetaLink account is required to access patch downloads. The specific download link for this patch set may be located on MetaLink, with doc id 403325.1.

  • Revoke permissions on vulnerable packages to mitigate impact

    Execute permissions for specific packages may be revoked from untrusted users by running the following command on the Oracle server as a DBA.

    REVOKE EXECUTE ON <SCHEMA>.<PACKAGENAME> FROM <USER|GROUP> FORCE;

    Where PACKAGENAME is the name of a vulnerable package, SCHEMA is the schema which the package resides in, and USER|GROUP is a user or group (role). If the package is owned by a different user, Oracle DBMS may respond with an error resembling "cannot REVOKE privileges you did not grant." In such a case, the revoke statement needs to be executed as the owner (schema) of the package. The owner of the package may be discovered via:

    SELECT OWNER FROM TABLE_PRIVILEGES WHERE TABLE_NAME='<PACKAGENAME>'

    The result of this command may then be used in a subsequent ALTER SESSION statement to switch to that schema/user:

    ALTER SESSION SET CURRENT_SCHEMA='<OWNER>'

    Where OWNER was the value retrieved in the previous statement. It should then be possible to reissue the revoke statement above to secure the vulnerable package(s).

    For example, to revoke the execute privilege on the DBMS_SYS_SQL package from the group PUBLIC, which typically contains all users, one may execute:

    REVOKE EXECUTE ON SYS.DBMS_SYS_SQL FROM PUBLIC FORCE;

    Likewise, to revoke the execute privilege on the same package from user SCOTT, one may execute:

    REVOKE EXECUTE ON SYS.DBMS_SYS_SQL FROM SCOTT FORCE;

    The current permissions granted for users and groups (roles) can be observed by executing the following as a DBA:

    SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME='<PACKAGENAME>'

    Where PACKAGENAME is the name of a package (like DBMS_SYS_SQL, above).

    Privilege tests can be performed on a per-user basis as well by executing the following as a logged in user:

    SELECT * FROM TABLE_PRIVILEGES WHERE TABLE_NAME='<PACKAGENAME>'

    Each row returned describes a grant role for the current user.
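
An added example, not part of the original advisory: the DBA_TAB_PRIVS check above applied to the two SYS packages named in the Description, emitting one REVOKE statement per grantee for review, followed by a query that lists the direct members of any role holding the grant. The joins to DBA_ROLES and DBA_ROLE_PRIVS and the column aliases are choices of this example; run both queries as a DBA.

```sql
-- Query 1: every EXECUTE grant on the packages named in the advisory,
-- with the REVOKE statement that would remove it. Review the output
-- before running any of it: accounts that administer Oracle Streams
-- may depend on these grants.
SELECT p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'PUBLIC'
         WHEN r.role IS NOT NULL   THEN 'ROLE'
         ELSE 'USER'
       END                          AS grantee_type,   -- alias chosen here
       p.table_name                 AS package_name,
       p.grantor,
       p.grantable,
       'REVOKE EXECUTE ON ' || p.owner || '.' || p.table_name ||
       ' FROM ' || p.grantee || ' FORCE;' AS revoke_stmt
FROM   dba_tab_privs p
LEFT JOIN dba_roles r
       ON r.role = p.grantee
WHERE  p.owner      = 'SYS'
AND    p.table_name IN ('DBMS_LOGREP_UTIL', 'DBMS_CAPTURE_ADM_INTERNAL')
AND    p.privilege  = 'EXECUTE'
ORDER  BY p.table_name, grantee_type, p.grantee;

-- Query 2: accounts that reach the same packages indirectly, through a
-- role that holds the grant. Only direct role members are listed;
-- roles granted to other roles need a further pass.
SELECT rp.grantee      AS member,
       rp.granted_role,
       p.table_name    AS package_name
FROM   dba_role_privs rp
JOIN   dba_tab_privs  p
       ON p.grantee = rp.granted_role
WHERE  p.owner      = 'SYS'
AND    p.table_name IN ('DBMS_LOGREP_UTIL', 'DBMS_CAPTURE_ADM_INTERNAL')
AND    p.privilege  = 'EXECUTE'
ORDER  BY p.table_name, rp.granted_role, rp.grantee;
```

A PUBLIC row in the first result means every database account can call the package, so that revoke has the widest effect and the widest potential for breaking dependent code.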