Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

SQL Injection exploitable users privileges versions vulnerable package Vendor Response Vendor Status Vendor Notification patch Public Disclosure execute Risk Level Security Advisory Oracle Database Server Application Security Inc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

August 4, 2008

Risk Level:
Medium

Affected versions:
Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martnez
Fay of Application Security Inc.

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL
Injection in the DELETE_TRAN procedure. A malicious user can call the
vulnerable procedure of this package with specially crafted parameters
and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users
granted DBA have the required privilege. Exploitation of this
vulnerability allows an attacker to execute SQL commands with SYS
privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict access to the SYS.DBMS_DEFER_SYS package.

Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592

Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkiXMToACgkQ9EOAcmTuFN3LGQCeK6pvkshjrIqiw8rdmE8tWIdK
O9sAnjeSiwasj2U7SpoPhQVvYKyYvUMI
=X2Bp
-----END PGP SIGNATURE-----