David Litchfield on details of one of the critical vulnerabilities from the latest Oracle patch

More details coming out on the Oracle patches that were released last week, see Ryan Naraine’s write up here. David Litchfield, noted security researcher from NGSSoftware, released details of one of the vulnerabilities on the Full-Disclosure email list today, and the details are staggering. The flaw allows potential unauthenticated remote exploitation resulting in full control of the database server. One thing that I think is key to note here is that this vulnerability was reported in October of 2007 and is just now getting patched in July of 2008. End result is, if you are using Oracle, get patched ASAP.
Read the details below…

Litchfield’s details are provided below:

Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server,,
Severity: Critical
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
CVE: CVE-2008-2589

Oracle has just released a fix for a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server.

Oracle Application Server installs a number of PLSQL packages in the backend
database server. One of these is the WWV_RENDER_REPORT package and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.

Specifically, the SHOW procedure takes as its 2nd argument the name of a function to execute and this is embedded with a dynamically executed anonymous block of PLSQL without first being sanitized. Because it is a block of anonymous PLSQL, an attacker can exploit this flaw to run any SQL statement, for example, create new users, grant dba privileges, delete or
modify data. This is achieved by wrapping the statement(s) within an “execute immediate” statement and specifying the autonomous_transaction pragma.

[Source: zdnet]