NGSSoftware Insight Security Research Advisory

Name: Oracle 10g character conversion bug
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004G
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt

Description
***********

Due to character conversion problems in Oracle 10g with Oracle's Application Server it is possible to bypass PL/SQL exclusions and gain access to the database server as SYS.

Details
*******

There is a character conversion bug in 10g that can lead to a compromised backend database server. Both Windows and Linux are affected.

Consider the following setup. There's an Oracle HTTP Server (running Apache 1.3.22 on Windows) using the PL/SQL module feeding into a 10g box running on Windows and a 10g box running on Linux. The character set for both instances is WE8ISO8859P1.

When the app server receives a request of

http://server/pls/windad/%FF%FF%FF%FF%FF

the %FFs are converted to the byte 0xFF (as expected), but sniffing the database response to the app server we get

"ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be declared....."

10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that is, uppercase Y. Due to this conversion an attacker can request

http://server/pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users

and gain access to "banned" and dangerous procedures. The character set for the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1.

If, however, we set the character set on the HTTP Server to ENGLISH_UNITEDKINGDOM.WE8MSWIN1252, not only is the 0xFF still converted to 0x59, but if

http://server/pls/windad/%9F%9F%9F%9F%9F%9F

is requested the _app_server_ (note - not 10g) converts the %9F to a Y, and again this allows us to do the following:

http://server/pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users

again giving access to the "banned" and dangerous procedures. Other character sets and scenarios may cause similar problems.

Fix Information
***************

A patch (#68) was released for this problem by Oracle. See http://metalink.oracle.com/ for more details.

NGSSQuirreL for Oracle (http://www.nextgenss.com/squirrelora.htm) can be used to assess whether your Oracle servers are vulnerable to this.

About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting offers best-of-breed security consulting services, specialising in application, host and network security assessments.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076
enquiries@ngssoftware.com
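The root cause in both scenarios above is the same: the exclusion list is matched against one byte sequence while the database (or the HTTP server) later folds that sequence into a different identifier. The following is an added example, not part of the NGSSoftware advisory or of Oracle's code. It models the two foldings the advisory reports (0xFF to 'Y' by 10g under WE8ISO8859P1, and %9F to 'Y' by the HTTP server under WE8MSWIN1252), shows a naive exclusion check failing on the advisory's URLs while a check on the canonicalised name holds, and scans constructed access-log lines for requests that carry high bytes in the procedure part of a /pls/ path. The exclusion prefixes, the folding table, the log lines and every function name are constructed for this example; the real fix is the vendor patch referenced in the advisory.

```python
"""Exclusion-list bypass via character folding in a PL/SQL gateway path.

Added example (not from the advisory). Everything below is constructed:
the folding table, the banned-prefix list, the log lines and the helpers.
"""
import re
from urllib.parse import unquote_to_bytes

# Bytes the advisory reports being folded to uppercase 'Y' somewhere between
# the HTTP server and the 10g database (0xFF under WE8ISO8859P1 on the
# database side, 0x9F under WE8MSWIN1252 on the app-server side).
FOLDED_TO_Y = {0xFF, 0x9F}

# Constructed exclusion list in the style of a gateway "banned procedures"
# set: a procedure whose dotted name starts with one of these is refused.
BANNED_PREFIXES = ("SYS.", "OWA_UTIL.", "DBMS_", "UTL_")


def procedure_from_path(path: str) -> bytes:
    """Return the percent-decoded procedure name from a /pls/<dad>/<proc> path."""
    path = path.split("?", 1)[0]           # the query string is not the identifier
    m = re.match(r"^/pls/[^/]+/(.+)$", path)
    if not m:
        return b""
    return unquote_to_bytes(m.group(1))


def naive_excluded(path: str) -> bool:
    """The check the advisory shows being bypassed: compare the decoded bytes
    as-is. b'S\\xffS.' does not start with 'SYS.', so the request passes."""
    proc = procedure_from_path(path).decode("latin-1").upper()
    return proc.startswith(BANNED_PREFIXES)


def canonicalise(proc: bytes) -> str:
    """Apply the folding the downstream components will apply, so the
    exclusion list is compared against what the database will resolve."""
    return "".join("Y" if b in FOLDED_TO_Y else chr(b) for b in proc).upper()


def hardened_excluded(path: str) -> bool:
    """Match the exclusion list against the canonical form of the name."""
    return canonicalise(procedure_from_path(path)).startswith(BANNED_PREFIXES)


# Constructed Apache-style access log: one benign request, the advisory's two
# bypass URLs, and the all-%FF probe that produced the 'YYYYY' error.
ACCESS_LOG = """\
10.0.0.5 - - [23/Dec/2004:10:01:02 +0000] "GET /pls/windad/myapp.home HTTP/1.0" 200 512
10.0.0.9 - - [23/Dec/2004:10:01:07 +0000] "GET /pls/windad/S%FFS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users HTTP/1.0" 200 2048
10.0.0.9 - - [23/Dec/2004:10:01:09 +0000] "GET /pls/windad/S%9FS.OWA_UTIL.CELLSPRINT?P_THEQUERY=select+username+from+all_users HTTP/1.0" 200 2048
10.0.0.5 - - [23/Dec/2004:10:02:00 +0000] "GET /pls/windad/%FF%FF%FF%FF%FF HTTP/1.0" 404 300
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})'
)


def scan_access_log(text: str) -> list:
    """Flag /pls/ requests whose procedure name contains any byte >= 0x80
    (identifiers are expected to be ASCII) and mark those that the naive
    check would admit but the canonical check refuses."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, path, status = m.groups()
        proc = procedure_from_path(path)
        if not proc:
            continue
        high = sorted({b for b in proc if b >= 0x80})
        bypass = hardened_excluded(path) and not naive_excluded(path)
        if high or bypass:
            findings.append({"src": src, "path": path, "status": int(status),
                             "high_bytes": high, "bypass": bypass})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"{f['src']} status={f['status']} high={[hex(b) for b in f['high_bytes']]} "
              f"bypass={f['bypass']} {f['path']}")
```

The design point is that a deny-list on a gateway is only as good as the canonical form it compares against: decode, apply every folding the downstream components will apply, then match. The log scan is the corresponding detection for servers that have not yet taken the patch: any non-ASCII byte inside the procedure segment of a /pls/ request is worth reviewing, and a request that only the canonical check refuses is a bypass attempt in progress.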