Nexpose Vulnerability Database
Oracle DBMS_CAPTURE_ADM_INTERNAL Buffer Overflow
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| Severe (6) | 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Jan 24, 2007 | May 15, 2007 | Sep 2, 2010 |
Description:
A buffer overflow vulnerability exists in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION functions of the DBMS_CAPTURE_ADM_INTERNAL package in the SYS schema. An attacker could construct a malicious SQL statement using one of the aforementioned functions to execute arbitrary code under the context of the user associated with the Oracle process.
References:
- CERT: http://www.cert.org/advisories/TA07-017A.html
- CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0274
- SECTRACK: http://securitytracker.com/id?1017522
- SECUNIA: http://secunia.com/advisories/23794/
- URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
- URL: http://www.securityfocus.com/archive/1/archive/1/458037/100/0/threaded
- URL: http://www.securityfocus.com/archive/1/archive/1/458041/100/0/threaded
- URL: http://www.securityfocus.com/archive/1/archive/1/458112/100/100/threaded
- URL: http://www.securityfocus.com/archive/1/archive/1/458126/100/0/threaded
- URL: http://www.securityfocus.com/archive/1/archive/1/458475/100/100/threaded
- XF: http://xforce.iss.net/xforce/xfdb/31541
Solution:
- Apply the January 2007 Critical Patch Update (CPU) for Oracle
The January 2007 CPU should be applied to the Oracle database. A table listing the available CPUs and patch sets is available on the Oracle security alert website. Oracle does not make patch sets available to the public. A MetaLink account is required to access patch downloads. The specific download link for this patch set may be located on MetaLink, with doc id 403325.1.
- Revoke permissions on vulnerable packages to mitigate impact
Execute permissions for specific packages may be revoked from untrusted users by running the following command on the Oracle server as a DBA.
REVOKE EXECUTE ON <SCHEMA>.<PACKAGENAME> FROM <USER|GROUP> FORCE;
Where PACKAGENAME is the name of a vulnerable package, SCHEMA is the schema in which the package resides, and USER|GROUP is a user or group (role). If the package is owned by a different user, Oracle DBMS may respond with an error resembling "cannot REVOKE privileges you did not grant." In such a case, the revoke statement needs to be executed as the owner (schema) of the package. The owner of the package may be discovered via:
SELECT OWNER FROM TABLE_PRIVILEGES WHERE TABLE_NAME='<PACKAGENAME>';
The result of this command may then be used in a subsequent ALTER SESSION statement to switch to that schema/user:
ALTER SESSION SET CURRENT_SCHEMA=<OWNER>;
Where OWNER was the value retrieved in the previous statement. It should then be possible to reissue the revoke statement above to secure the vulnerable package(s).
For example, to revoke the execute privilege on the DBMS_SYS_SQL package from the group PUBLIC, which typically contains all users, one may execute:
REVOKE EXECUTE ON SYS.DBMS_SYS_SQL FROM PUBLIC FORCE;
Likewise, to revoke the execute privilege on the same package from user SCOTT, one may execute:
REVOKE EXECUTE ON SYS.DBMS_SYS_SQL FROM SCOTT FORCE;
The current permissions granted for users and groups (roles) can be observed by executing the following as a DBA:
SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME='<PACKAGENAME>';
Where PACKAGENAME is the name of a package (like DBMS_SYS_SQL, above).
Privilege tests can be performed on a per-user basis as well by executing the following as a logged in user:
SELECT * FROM TABLE_PRIVILEGES WHERE TABLE_NAME='<PACKAGENAME>';
Each row returned describes a grant role for the current user.
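The revoke procedure above, applied to the package named in this advisory, as an added example that is not part of the original entry or of Oracle's own guidance. It reads DBA_TAB_PRIVS, prints one REVOKE statement per EXECUTE grant on SYS.DBMS_CAPTURE_ADM_INTERNAL, and runs them only when the apply flag is set. The apply flag and the list of trusted grantees ('DBA') are assumptions to adjust for the site.

```sql
-- Added example: audit and revoke EXECUTE on the vulnerable package.
-- Run as a DBA in SQL*Plus. Defaults to a dry run that only prints.
SET SERVEROUTPUT ON

DECLARE
  c_owner   CONSTANT VARCHAR2(30) := 'SYS';
  c_package CONSTANT VARCHAR2(30) := 'DBMS_CAPTURE_ADM_INTERNAL';
  -- Assumption: FALSE prints the statements for review; TRUE executes them.
  c_apply   CONSTANT BOOLEAN := FALSE;
  v_grantee VARCHAR2(64);
  v_stmt    VARCHAR2(400);
  v_found   PLS_INTEGER := 0;
BEGIN
  FOR g IN (SELECT grantee, grantor, grantable
              FROM dba_tab_privs
             WHERE owner = c_owner
               AND table_name = c_package
               AND privilege = 'EXECUTE'
               -- Assumption: grantees this site trusts; edit the list.
               AND grantee NOT IN ('DBA')
             ORDER BY grantee)
  LOOP
    v_found := v_found + 1;
    -- Quote the grantee so mixed-case names resolve; PUBLIC stays bare.
    v_grantee := CASE WHEN g.grantee = 'PUBLIC' THEN 'PUBLIC'
                      ELSE '"' || g.grantee || '"' END;
    v_stmt := 'REVOKE EXECUTE ON ' || c_owner || '.' || c_package ||
              ' FROM ' || v_grantee || ' FORCE';
    DBMS_OUTPUT.PUT_LINE(v_stmt || ';  -- grantor=' || g.grantor ||
                         ', grantable=' || g.grantable);
    IF c_apply THEN
      BEGIN
        EXECUTE IMMEDIATE v_stmt;
      EXCEPTION
        WHEN OTHERS THEN
          -- Typical failure: "cannot REVOKE privileges you did not grant";
          -- rerun that statement as the grantor shown on the line above.
          DBMS_OUTPUT.PUT_LINE('  failed: ' || SQLERRM);
      END;
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_found || ' EXECUTE grant(s) outside the trusted list');
END;
/
```

Rerunning the block after the revokes should report 0 grants; any remaining line names the grantor who must issue that revoke.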