Vigil@nce: Oracle Database, SQL injection via GET_EXPRSET_STATS
January 2009 by Vigil@nce
A privileged attacker can use the EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS
procedure in order to execute code on the system.
– Gravity: 1/4
– Consequences: privileged access/rights
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: low (1/3)
– Creation date: 16/01/2009
IMPACTED PRODUCTS
– Oracle Database
DESCRIPTION OF THE VULNERABILITY
The EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS method can be used to
retrieve statistics on an Expression Attribute Set. For example:
get_exprset_stats(tab_owner, tab_name, exp_column, aset_nm)
This method runs with the privileges of the EXFSYS user. However, the
"aset_nm" parameter is used directly in a SQL query without any check.
A local attacker who is allowed to execute this method can therefore
inject SQL commands into get_exprset_stats(), to be executed with
EXFSYS privileges. The attacker can then create a library to gain
access to the system.
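
The class of flaw described above, as an added illustration that is not Oracle's code and not part of the original advisory: a definer-rights routine that concatenates its parameter into dynamic SQL, next to a version that validates and binds it, followed by a query listing who may execute the affected package. The demo_* objects are hypothetical names chosen for this example; the internals of EXFSYS.DBMS_EXPFIL_DR are not shown on this page.

```sql
-- Added illustration. demo_aset_stats, demo_stats_weak and demo_stats_hardened
-- are hypothetical objects, not Oracle's EXFSYS code.
CREATE TABLE demo_aset_stats (
  aset_name  VARCHAR2(128),
  expr_count NUMBER
);

-- Weak pattern: definer's rights plus string concatenation.
-- Whatever the caller passes in aset_nm becomes part of the statement text
-- and is parsed and run with the privileges of the routine's owner.
CREATE OR REPLACE FUNCTION demo_stats_weak (aset_nm IN VARCHAR2)
  RETURN NUMBER
  AUTHID DEFINER
IS
  n NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT NVL(SUM(expr_count), 0) FROM demo_aset_stats '
    || 'WHERE aset_name = ''' || aset_nm || ''''
    INTO n;
  RETURN n;
END;
/

-- Hardened pattern: validate the name, then pass it as a bind variable so it
-- can never change the shape of the statement.
CREATE OR REPLACE FUNCTION demo_stats_hardened (aset_nm IN VARCHAR2)
  RETURN NUMBER
  AUTHID DEFINER
IS
  n            NUMBER;
  checked_name VARCHAR2(128);
BEGIN
  -- Raises ORA-44003 (invalid SQL name) unless the input is a simple SQL name.
  checked_name := DBMS_ASSERT.SIMPLE_SQL_NAME(aset_nm);
  EXECUTE IMMEDIATE
    'SELECT NVL(SUM(expr_count), 0) FROM demo_aset_stats WHERE aset_name = :n'
    INTO n USING checked_name;
  RETURN n;
END;
/

-- Exposure check for the package named in this advisory: which accounts or
-- roles hold EXECUTE on EXFSYS.DBMS_EXPFIL_DR (run as a DBA).
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'EXFSYS'
   AND table_name = 'DBMS_EXPFIL_DR';
```
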
CHARACTERISTICS
– Identifiers: DSECRG-09-003, VIGILANCE-VUL-8399
– URL: http://vigilance.fr/vulnerability/Oracle-Database-SQL-injection-via-GET-EXPRSET-STATS-8399