NGSSoftware Insight Security Research Advisory

Name  : Multiple Oracle Application Server SQL Injection Vulnerabilities
Systems Affected: All OS platforms; Oracle9i Application Server Release 1
and 2 and RDBMS
Severity : High Risk
Vendor URL : http://www.oracle.com/
Author  : David Litchfield (david@ngssoftware.com)
Date  : 5th November 2003
Advisory number : #NISR05112003

Description
***********
Oracle's RDBMS, a leading database server package, supports stored packages
and procedures through the use of PL/SQL. These packages and procedures can
be accessed through Oracle's Application Server's Portal module. Oracle
Application Server is a web server designed for Oracle applications. Many of
the PL/SQL packages and procedures are vulnerable to SQL Injection. Using
these vulnerabilities an unauthenticated attacker can gain access to all
data in the database from the Internet.

Details
*******
By default, Oracle Application Server allows unauthenticated users on the
web to access PL/SQL packages and procedures stored in the RDBMS. When a
PL/SQL procedure is executed it either does so with the security rights of
the invoker or the definer. In the latter case, if a PL/SQL procedure
defined by the powerful 'SYS' or 'SYSTEM' login is executed by a low
privileged user that user can access data they would not directly be able to
access. By executing such a procedure via Oracle Application Server and with
these SQL Injection vulnerabilities it is possible for an attacker to gain
access to all data within the database. For example, an attacker could gain
access to account details including database usernames and password hashes.
Whilst there are some vulnerable packages that do allow this level of access
most do not. Those known to be vulnerable include the packages used for
Portal DB Forms, Hierarchy, XML Components and List of Values. All of the
packages are required by the RDBMS so they can't be deleted.


Fix Information
***************
NGSSoftware alerted Oracle to these vulnerabilities between September and
October 2002, last year. Oracle has reviewed the code of the PL/SQL Packages
and procedures and fixed these issues. A patch is available from Metalink.
Please see

http://otn.oracle.com/deploy/security/pdf/2003alert61.pdf

for more details.

NGSSoftware advise Oracle database customers to review and install the patch
as a matter of urgency.

A check for this issue already exists in NGSSQuirreL for Oracle, a
comprehensive automated vulnerability assessment tool for Oracle Database
Servers of which more information is available from the NGSSite.

http://www.ngssoftware.com/software/squirrelfororacle.html


About NGSSoftware
*****************
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security
assessments.

http://www.ngssoftware.com/
http://www.ngsconsulting.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com