Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Database)  >   Oracle Database Vendors:   Oracle
Oracle Database Server UTL_FILE Error Discloses Files to Remote Authenticated Users
SecurityTracker Alert ID:  1013392
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 7 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8i, 9i
Description:   An input validation vulnerability was reported in Oracle Database Server in the UTL_FILE package. A remote authenticated user can access arbitrary files on the target system.

The software does not properly validate user-supplied input in some Directory Object functions. A remote authenticated user can exploit a flaw in UTL_FILE by supplying directory traversal characters to some Directory Object functions to gain read or write access to files on the target system that are located outside of the intended directory.

The MEDIA_DIR function is affected. Other functions may also be affected.

The vendor was notified in October 2003.

Impact:   A remote authenticated user can gain read and write access to files on the target system.
Solution:   The vendor has issued a fix (Critical Patch Update - January 2005), described at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  [VulnWatch] - Argeniss - Oracle Database Server Directory transversal

Argeniss Security Advisory

Name: Oracle Database Server Directory transversal
Affected Software: Oracle Database Server versions 8i
and 9i
Severity :  Medium
Remote exploitable: Yes (Authentication to Database
Server is needed)
Credits:    Cesar Cerrudo
Date:    03/07/05
Advisory Number:   ARG030501


Oracle Database Server provides many packages
functions to access the OS file system, some of these
functions are not able to access files directly, for
example in order to access files a Directory Object 
must be created and grant to users permissions on the
object, this object references a directory in the 
file system and it can be used by functions to access
files under that directory only. However functions 
don't properly validate the input and by supplying a
especially constructed string the directory can be 
escaped and the parent directories can be accessed,
because of this any file in the same drive
as the directory, can be read, renamed, overwrited,

To reproduce the vulnerability execute the next
(In older Oracle database server versions the same
could work just using "\..\..\")
(This is not a extensive list of vulnerable functions,
other functions that parse files could
also be vulnerable)

--this create a file called Unbreakable.txt in the
same drive as the directory referenced by 
--MEDIA_DIR directory object.
f utl_file.file_type;

--this example can be used to read arbitrary files in
the same drive as the directory referenced by 
--MEDIA_DIR directory object.
f utl_file.file_type;
sBuffer Varchar(8000);
  UTL_FILE.GET_LINE (f,sBuffer);
end loop;
when no_data_found then

--this rename any file in the same drive as the
directory referenced by 
--MEDIA_DIR directory object


By default UTL_FILE package has execute permission to
public role so any Oracle database 
user with permissions on a Directory Object can
exploit this vulnerability.
Explotation of this vulnerability allow an attacker to
overwrite, read, rename, etc. 
arbitrary files.

Vendor Status:

Oracle was contacted on October 2003, after an initial
email interchange i didn't have any
news about when the vulnerability was going to be
patched or when it was patched nor i was credited, 
but this is common when dealing with Oracle on
security issues.


Restrict access to Directory Objects and UTL_FILE

Patch Available:



There are still hundreds of unpatched Oracle Database
Server vulnerabilities affecting 
versions 8i, 9i and 10g some of them have been
reported more than 1 year ago.
If you want to know more about these vulnerabilities
and many others check out our 
AVI (Advanced Vulnerability Information) service at

--Argeniss - Information Security--

Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC