SQL Injection in package DBMS_AQIN

Name 	            SQL Injection in package DBMS_AQIN [CVE-2009-0992]
Systems Affected    Oracle 10.1.0.5 - 11.1.0.7
Severity            High Risk
Category            SQL Injection
Vendor URL          http://www.oracle.com/
Author              Alexander Kornbrust (ak at red-database-security.com)
CVE                 CVE-2009-0992
Advisory            14 April 2009 (V 1.00)


Details
The package DBMS_AQIN contains a SQL injection vulnerability.

PROCEDURE DEQ_EXEJOB( LOOPVAR OUT BOOLEAN)


[...]

BEGIN

SYS.DBMS_AQIN.AQ$_DEQUEUE_IN(
QUEUE_NAME => 'SYS.AQ_SRVNTF_TABLE_Q',
WAIT => DBMS_AQ.NO_WAIT,
ENQUEUE_TIME => ENQUEUE_TIME,
STATE => STATE,
OUT_MSGID => OUT_MSGID,
OUT_CORRELATION => OUT_CORRELATION,
PRIORITY => PRIORITY,
DELAY => DELAY,
EXPIRATION => EXPIRATION,
ATTEMPTS => ATTEMPTS,
EXCEPTION_QUEUE => EXCEPTION_QUEUE,
REMOTE_RECIPIENTS => REMOTE_RECIPIENT,
SENDER_NAME => SENDER_NAME,
SENDER_ADDR => SENDER_ADDR,
SENDER_PROTOCOL => SENDER_PROTOCOL,
ORIGINAL_MSGID => ORIGINAL_MSGID,
RAW_USER_DATA => RAW_USER_DATA,
OBJECT_USER_DATA => PAYL,
OUT_SIGN => OUT_SIGN);

[...]

PROCSTR := 'begin ' || PAYL.SUB_CALLBACK || '(context => :1,';
PROCSTR := PROCSTR ||'reginfo => sys.aq$_reg_info(:2, :3, :4, :5, :6, :7),';
PROCSTR := PROCSTR ||'descr => sys.aq$_descriptor(:8, :9, :10, sys.msg_prop_t';
PROCSTR := PROCSTR ||'(:11, :12, :13, :14, :15, :16, :17, :18, sys.aq$_agent';
PROCSTR := PROCSTR || '(:19, :20, :21), :22, :23),';
PROCSTR := PROCSTR || ' sys.aq$_ntfn_descriptor(:24))';


Patch Information
Apply the patches for Oracle CPU April 2009.


History
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0992]
14-apr-2009 Advisory published