From: Shatter <shatter@appsecinc.com.>
To: Bugtraq <bugtraq@securityfocus.com.>,
Date: Tue, 3 Feb 2009 12:55:11 -0500
Subject: Team SHATTER Security Advisory: SQL Injection in Oracle Enterprise Manager (TARGET Parameter)
Team SHATTER Security Advisory
SQL Injection in Oracle Enterprise Manager (TARGET Parameter)
January 29, 2009
Risk Level:
Medium
Affected versions:
Oracle Enterprise Manager 10g Grid Control 10.2.0.4 and previous patchsets
Remote exploitable:
Yes (Authentication is needed)
Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.
Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.
The "TARGET" parameter used in the web page /em/console/reports/admin of the Oracle Enterprise Manager web application is vulnerable to SQL Injection attacks. It may be possible for a malicious user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.
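Added example (not part of the original advisory, and not Application Security Inc. or Oracle code): a log triage check for the page and parameter named above, which flags requests whose TARGET value falls outside a conservative allowlist. The combined access-log format, the allowlist of characters for a target name, and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Page and parameter named in the advisory.
VULN_PATH = "/em/console/reports/admin"
VULN_PARAM = "target"

# Assumption: a legitimate TARGET value is a plain target name. Tune this
# allowlist to the naming scheme actually used in your repository.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:\-]*")

# Request line as written in combined log format: "METHOD URI HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_target_values(line):
    """Return decoded TARGET values in one log line that fail the allowlist."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Drop any ";jsessionid=..." path parameter and a trailing slash.
    path = url.path.split(";")[0].rstrip("/")
    if path != VULN_PATH:
        return []
    # parse_qsl percent-decodes once, so a double-encoded value still
    # contains "%" afterwards and fails the allowlist as well.
    return [v for k, v in parse_qsl(url.query, keep_blank_values=True)
            if k.lower() == VULN_PARAM and not SAFE_VALUE.fullmatch(v)]

def triage(lines):
    """Return (client, user, values) for every flagged log line."""
    hits = []
    for line in lines:
        values = suspicious_target_values(line)
        if values:
            fields = line.split()
            hits.append((fields[0], fields[2], values))
    return hits

# Constructed sample lines (not real traffic, not a working payload).
SAMPLE_LOG = [
    '10.0.0.5 - viewer1 [03/Feb/2009:10:01:02 -0500] "GET /em/console/reports/admin?TARGET=orcl.example.com HTTP/1.1" 200 5120',
    '10.0.0.9 - viewer2 [03/Feb/2009:10:02:10 -0500] "GET /em/console/reports/admin?TARGET=db01%27%28%29 HTTP/1.1" 200 311',
    '10.0.0.9 - viewer2 [03/Feb/2009:10:02:30 -0500] "GET /em/console/logon/logon?TARGET=a%27b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, user, values in triage(SAMPLE_LOG):
        print(client, user, values)
```

Requests that carry TARGET in a POST body do not appear in an access log, so this check covers query-string traffic only.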
Impact:
This vulnerability allows an Oracle Enterprise Manager user with VIEW (or more) privileges to execute a function call with the elevated privileges of the SYSMAN database user.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this issue.
Fix:
Apply Oracle Critical Patch Update January 2009 available at Oracle Metalink.
CVE:
CVE-2008-5447
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
Timeline:
Vendor Notification - 7/11/2008
Vendor Response - 7/14/2008
Fix - 1/13/2009
Public Disclosure - 1/29/2009
Application Security, Inc.'s database security solutions have helped over 1000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.