Nexpose Vulnerability Database




Oracle DBMS_EXPORT_EXTENSION SQL Injection

Severity: Severe (6)
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Apr 20, 2006
Added: May 15, 2007
Modified: Aug 18, 2010

Description:

A SQL injection vulnerability exists in the GET_DOMAIN_INDEX_METADATA function of the DBMS_EXPORT_EXTENSION package in the SYS schema. An attacker could construct a malicious SQL statement using the aforementioned function to execute arbitrary SQL code in the context of SYS, a DBA.

Solution:

  • Apply the July 2006 Critical Patch Update (CPU) for Oracle

    The July 2006 CPU should be applied to the Oracle database. A table listing the available CPUs and patch sets is published on the Oracle security alert website. Oracle does not make patch sets available to the public; a MetaLink account is required to access patch downloads. The specific download link for this patch set may be located on MetaLink, with doc id 372930.1.

  • Revoke permissions on vulnerable packages to mitigate impact

    Execute permissions for specific packages may be revoked from untrusted users by running the following command on the Oracle server as a DBA.

    REVOKE EXECUTE ON <SCHEMA>.<PACKAGENAME> FROM <USER|GROUP> FORCE;

    Where PACKAGENAME is the name of a vulnerable package, SCHEMA is the schema which the package resides in, and USER|GROUP is a user or group (role). If the package is owned by a different user, Oracle DBMS may respond with an error resembling "cannot REVOKE privileges you did not grant." In such a case, the revoke statement needs to be executed as the owner (schema) of the package. The owner of the package may be discovered via:

    SELECT OWNER FROM TABLE_PRIVILEGES WHERE TABLE_NAME='<PACKAGENAME>'

    The result of this command may then be used in a subsequent ALTER SESSION statement to switch to that schema/user:

    ALTER SESSION SET CURRENT_SCHEMA='<OWNER>'

    Where OWNER was the value retrieved in the previous statement. It should then be possible to reissue the revoke statement above to secure the vulnerable package(s).

    For example, to revoke the execute privilege on the DBMS_SYS_SQL package from the group PUBLIC, which typically contains all users, one may execute:

    REVOKE EXECUTE ON SYS.DBMS_SYS_SQL FROM PUBLIC FORCE;

    Likewise, to revoke the execute privilege on the same package from user SCOTT, one may execute:

    REVOKE EXECUTE ON SYS.DBMS_SYS_SQL FROM SCOTT FORCE;

    The current permissions granted for users and groups (roles) can be observed by executing the following as a DBA:

    SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME='<PACKAGENAME>'

    Where PACKAGENAME is the name of a package (like DBMS_SYS_SQL, above).

    Privilege tests can be performed on a per-user basis as well by executing the following as a logged in user:

    SELECT * FROM TABLE_PRIVILEGES WHERE TABLE_NAME='<PACKAGENAME>'

    Each row returned describes a grant role for the current user.
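
    The revoke procedure above applied to the package named in this entry, as an added example that is not part of the Nexpose text: it lists who holds EXECUTE on SYS.DBMS_EXPORT_EXTENSION, shows dependent objects a revoke could invalidate, generates the REVOKE statements for review, and verifies the result. It assumes a DBA session (for example in SQL*Plus) with access to the DBA_* dictionary views.

```sql
-- Added example: audit/mitigation worksheet for SYS.DBMS_EXPORT_EXTENSION.
-- Assumption: run as a DBA; nothing here changes privileges by itself.

-- 1. Who can execute the package, and who granted it?
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Which stored objects outside SYS reference the package?
--    These may become INVALID once the grant they rely on is revoked,
--    so review them before touching a grant to PUBLIC.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'DBMS_EXPORT_EXTENSION'
   AND owner           <> 'SYS'
 ORDER BY owner, name;

-- 3. Generate (do not execute) one REVOKE per grantee, in the form the
--    page gives. Review the output, then run the statements you accept.
--    Grantee names are emitted unquoted; quote any mixed-case names by hand.
SELECT 'REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM '
       || grantee || ' FORCE;' AS revoke_stmt
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 4. After running the reviewed statements: confirm no EXECUTE grant
--    remains (expect 0 if every grantee was revoked).
SELECT COUNT(*) AS remaining_execute_grants
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE';

-- 5. List objects left INVALID so they can be recompiled or given an
--    explicit, narrower grant.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;
```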



Information on these pages is summary information extracted from the Nexpose Vulnerability Assessment system. Full details are provided within the Nexpose product for licensed users.