ID CVE-2007-0272 Type cve Reporter cve@mitre.org Modified 2018-10-16T16:32:00
Description
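Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 allow remote authenticated users to cause a denial of service (crash) or execute arbitrary code via unspecified vectors involving certain public procedures, aka DB05.
Note: the linked records below are not fully consistent with this entry. The AppSecInc advisory labels the issue DB12 and points to the July 2007 Critical Patch Update, while the scanner plugins and the OSVDB record reference the January 2007 Critical Patch Update, so confirm the applicable patch level against Oracle's advisory.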
{"openvas": [{"lastseen": "2019-05-29T18:39:38", "bulletinFamily": "scanner", "description": "This host is running Oracle database and is prone to a Buffer\n Overflow and Denial of Service vulnerabilities.", "modified": "2019-05-20T00:00:00", "published": "2011-12-07T00:00:00", "id": "OPENVAS:1361412562310802523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802523", "title": "Oracle Database Server MDSYS.MD Buffer Overflows and Denial of Service Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Database Server MDSYS.MD Buffer Overflows and Denial of Service Vulnerabilities\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:database_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802523\");\n script_version(\"2019-05-20T06:24:13+0000\");\n script_cve_id(\"CVE-2007-0272\");\n script_bugtraq_id(22083);\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-20 06:24:13 +0000 (Mon, 20 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2011-12-07 12:25:28 +0530 (Wed, 07 Dec 2011)\");\n script_name(\"Oracle Database Server MDSYS.MD Buffer Overflows and Denial of Service Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Databases\");\n script_dependencies(\"oracle_tnslsnr_version.nasl\");\n script_mandatory_keys(\"OracleDatabaseServer/installed\");\n\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1017522\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/31541\");\n script_xref(name:\"URL\", value:\"http://www.us-cert.gov/cas/techalerts/TA07-017A.html\");\n script_xref(name:\"URL\", value:\"http://www.appsecinc.com/resources/alerts/oracle/2007-05.shtml\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/474047/100/0/threaded\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows an attacker to execute arbitrary code. 
It\n can also be exploited to cause a Denial of Service by crashing the Oracle server process.\");\n\n script_tag(name:\"affected\", value:\"Oracle Database server versions 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to an error in 'MDSYS.MD' package that is used in the\n Oracle spatial component. The package has EXECUTE permissions set to PUBLIC, so\n any Oracle database user can exploit the vulnerability to execute arbitrary code.\");\n\n script_tag(name:\"summary\", value:\"This host is running Oracle database and is prone to a Buffer\n Overflow and Denial of Service vulnerabilities.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! 
vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_in_range( version:vers, test_version:\"8.1.0\", test_version2:\"8.1.7.3\" ) ||\n version_in_range( version:vers, test_version:\"10.1.0\", test_version2:\"10.1.0.3\" ) ||\n version_in_range( version:vers, test_version:\"9.0.1\", test_version2:\"9.0.1.4\" ) ||\n version_in_range( version:vers, test_version:\"9.2.0\", test_version2:\"9.2.0.6\" ) ||\n version_is_equal( version:vers, test_version:\"8.1.7.4\" ) ||\n version_is_equal( version:vers, test_version:\"9.0.1.5\" ) ||\n version_is_equal( version:vers, test_version:\"10.1.0.4\" ) ||\n version_is_equal( version:vers, test_version:\"9.2.0.7\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"See references\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html)\nUS-CERT Cyber Security Alert: TA07-017A\nSecurity Tracker: 1017522\n[Secunia Advisory ID:23794](https://secuniaresearch.flexerasoftware.com/advisories/23794/)\n[Related OSVDB ID: 32872](https://vulners.com/osvdb/OSVDB:32872)\n[Related OSVDB ID: 32881](https://vulners.com/osvdb/OSVDB:32881)\n[Related OSVDB ID: 32895](https://vulners.com/osvdb/OSVDB:32895)\n[Related OSVDB ID: 32906](https://vulners.com/osvdb/OSVDB:32906)\n[Related OSVDB ID: 32918](https://vulners.com/osvdb/OSVDB:32918)\n[Related OSVDB ID: 32875](https://vulners.com/osvdb/OSVDB:32875)\n[Related OSVDB ID: 32894](https://vulners.com/osvdb/OSVDB:32894)\n[Related OSVDB ID: 32907](https://vulners.com/osvdb/OSVDB:32907)\n[Related OSVDB ID: 32908](https://vulners.com/osvdb/OSVDB:32908)\n[Related OSVDB ID: 
32915](https://vulners.com/osvdb/OSVDB:32915)\n[Related OSVDB ID: 32919](https://vulners.com/osvdb/OSVDB:32919)\n[Related OSVDB ID: 32922](https://vulners.com/osvdb/OSVDB:32922)\n[Related OSVDB ID: 32909](https://vulners.com/osvdb/OSVDB:32909)\n[Related OSVDB ID: 32910](https://vulners.com/osvdb/OSVDB:32910)\n[Related OSVDB ID: 32912](https://vulners.com/osvdb/OSVDB:32912)\n[Related OSVDB ID: 32913](https://vulners.com/osvdb/OSVDB:32913)\n[Related OSVDB ID: 32914](https://vulners.com/osvdb/OSVDB:32914)\n[Related OSVDB ID: 32916](https://vulners.com/osvdb/OSVDB:32916)\n[Related OSVDB ID: 32917](https://vulners.com/osvdb/OSVDB:32917)\n[Related OSVDB ID: 32920](https://vulners.com/osvdb/OSVDB:32920)\n[Related OSVDB ID: 32921](https://vulners.com/osvdb/OSVDB:32921)\nNews Article: http://news.com.com/Oracle+plugs+51+security+flaws/2100-1002_3-6150671.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0567.html\nKeyword: DB05\nISS X-Force ID: 31541\n[CVE-2007-0272](https://vulners.com/cve/CVE-2007-0272)\n", "modified": "2007-01-17T04:18:47", "published": "2007-01-17T04:18:47", "href": "https://vulners.com/osvdb/OSVDB:32911", "id": "OSVDB:32911", "title": "Oracle Database Spatial mdsys.md Multiple Unspecified Overflows", "type": "osvdb", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nTeam SHATTER Security Alert (Update)\r\n\r\nOracle Database Buffer overflows and Denial of service vulnerabilities\r\nin public procedures of MDSYS.MD (DB12)\r\nJan 18, 2007 (Updated July 18th, 2007)\r\n\r\nRisk Level: High\r\n\r\nAffected versions:\r\nOracle Database Server versions 8i, 9i and 10gR1\r\n\r\nRemote exploitable: Yes (Authentication to Database Server is needed)\r\n\r\nCredits:\r\nThis vulnerability was discovered and researched by Esteban 
Martinez\r\nFayo of Application Security Inc.\r\n\r\nCVE:\r\nCVE-2007-0272\r\n\r\nDetails:\r\nOracle Database Server provides the MDSYS.MD package that is used in the\r\nOracle Spatial component. These packages contain many public procedures\r\nthat are vulnerable to buffer overflow and denial of service attacks.\r\n\r\nImpact:\r\nBy default MDSYS.MD has EXECUTE permission to PUBLIC so any Oracle\r\ndatabase user can exploit this vulnerability. Exploitation of this\r\nvulnerability allows an attacker to execute arbitrary code. It can also\r\nbe exploited to cause DOS (Denial of service) killing Oracle server\r\nprocess.\r\n\r\nVendor Status:\r\nVendor was contacted and a patch was released.\r\n\r\nWorkaround:\r\nRestrict access to the MDSYS.MD package.\r\n\r\nFix:\r\nApply Oracle Critical Patch Update July 2007 available at Oracle Metalink.\r\n\r\nLinks:\r\nhttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html\r\nhttp://www.appsecinc.com/resources/alerts/oracle/2007-05.shtml\r\n\r\n\r\n- --\r\n_____________________________________________\r\nApplication Security, Inc.\r\nwww.appsecinc.com\r\nAppSecInc is the leading provider of database security solutions for the\r\nenterprise. AppSecInc products proactively secure enterprise\r\napplications at more than 300 organizations around the world by\r\ndiscovering, assessing, and protecting the database against rapidly\r\nchanging security threats. By securing data at its source, we enable\r\norganizations to more confidently extend their business with customers,\r\npartners and suppliers. 
Our security experts, combined with our strong\r\nsupport team, deliver up-to-date application safeguards that minimize\r\nrisk and eliminate its impact on business.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (MingW32)\r\n\r\niD8DBQFGnosV9EOAcmTuFN0RAtcqAKC1Gg1gLCxCPgrOGlscSvbOkNBBIgCgmRBe\r\n8oGGrQAOboXDAecdBkEFr0M=\r\n=smqS\r\n-----END PGP SIGNATURE-----", "modified": "2007-07-19T00:00:00", "published": "2007-07-19T00:00:00", "id": "SECURITYVULNS:DOC:17529", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17529", "title": "Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12)", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "DBMS_DRS.GET_PROPERTY and MDSYS.MD buffer overflow, crossite scripting, privilege escalation with views.", "modified": "2007-07-24T00:00:00", "published": "2007-07-24T00:00:00", "id": "SECURITYVULNS:VULN:7942", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7942", "title": "Oracle multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:22", "bulletinFamily": "software", "description": "Released security update fixes 17 security vulnerabilities for Oracle Database, 9 vulnerabilities in Oracle HTTP Server, 12 security vulnerabilities for Oracle Application Server, 7 vulnerabilities for Oracle E-Business Suite, 6 security bugs in Oracle Enterprise Manager, 3 bugs in Oracle PeopleSoft Enterprise PeopleTools. There is also a large number of different old and new bugs, many are not fixed for years. It makes it useless to talk about Oracle security. 
Use 3rd party products to protect your Oracle environment.", "modified": "2007-02-01T00:00:00", "published": "2007-02-01T00:00:00", "id": "SECURITYVULNS:VULN:7064", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7064", "title": "Multiple Orcale security vulnerabilities.... again...", "type": "securityvulns", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-01T03:14:05", "bulletinFamily": "scanner", "description": "The remote Oracle database server is missing the January 2007\nCritical Patch Update (CPU) and therefore is potentially affected by\nsecurity issues in the following components :\n\n - Advanced Queuing\n\n - Advanced Replication\n\n - Advanced Security Option\n\n - Change Data Capture\n\n - Data Guard\n\n - Export\n\n - Log Miner\n\n - NLS Runtime\n\n - Oracle Net Services\n\n - Oracle Spatial\n\n - Oracle Streams\n\n - Oracle Text\n\n - Oracle Workflow Cartridge\n\n - Recovery Manager\n\n - XMLDB", "modified": "2019-11-02T00:00:00", "id": "ORACLE_RDBMS_CPU_JAN_2007.NASL", "href": "https://www.tenable.com/plugins/nessus/56055", "published": "2011-11-16T00:00:00", "title": "Oracle Database Multiple Vulnerabilities (January 2007 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (!defined_func(\"nasl_level\") || nasl_level() < 5000) exit(0, \"Nessus older than 5.x\");\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56055);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n\n script_cve_id(\n \"CVE-2007-0268\",\n \"CVE-2007-0269\",\n \"CVE-2007-0270\",\n \"CVE-2007-0271\",\n \"CVE-2007-0272\",\n \"CVE-2007-0273\",\n \"CVE-2007-0274\",\n \"CVE-2007-0275\",\n \"CVE-2007-0276\",\n \"CVE-2007-0277\",\n \"CVE-2007-0278\"\n );\n script_bugtraq_id(22083);\n\n script_name(english:\"Oracle Database Multiple Vulnerabilities (January 2007 CPU)\");\n script_summary(english:\"Checks 
installed patch info\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote database server is affected by multiple vulnerabilities.\");\n\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle database server is missing the January 2007\nCritical Patch Update (CPU) and therefore is potentially affected by\nsecurity issues in the following components :\n\n - Advanced Queuing\n\n - Advanced Replication\n\n - Advanced Security Option\n\n - Change Data Capture\n\n - Data Guard\n\n - Export\n\n - Log Miner\n\n - NLS Runtime\n\n - Oracle Net Services\n\n - Oracle Spatial\n\n - Oracle Streams\n\n - Oracle Text\n\n - Oracle Workflow Cartridge\n\n - Recovery Manager\n\n - XMLDB\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?11b7e0a4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the January 2007 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-860\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_cwe_id(79, 119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/01/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:database_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Databases\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"oracle_rdbms_query_patch_info.nbin\", \"oracle_rdbms_patch_info.nbin\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"oracle_rdbms_cpu_func.inc\");\ninclude(\"misc_func.inc\");\n\n################################################################################\n# JAN2007\npatches = make_nested_array();\n\n# RDBMS 10.1.0.4\npatches[\"10.1.0.4\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.1.0.4.8\", \"CPU\", \"5689894\");\npatches[\"10.1.0.4\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.1.0.4.16\", \"CPU\", \"5695771\");\n# RDBMS 10.1.0.5\npatches[\"10.1.0.5\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.1.0.5.5\", \"CPU\", \"5689908\");\npatches[\"10.1.0.5\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.1.0.5.11\", \"CPU\", \"5716295\");\n# RDBMS 10.2.0.3\npatches[\"10.2.0.3\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.2.0.3.1\", \"CPU\", \"5881721\");\npatches[\"10.2.0.3\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.2.0.3.2\", \"CPU\", \"5846376\");\npatches[\"10.2.0.3\"][\"db\"][\"win64\"] = make_array(\"patch_level\", \"10.2.0.3.2\", \"CPU\", \"5846378\");\n# RDBMS 10.2.0.2\npatches[\"10.2.0.2\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.2.0.2.4\", \"CPU\", \"5689957\");\npatches[\"10.2.0.2\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.2.0.2.6\", \"CPU\", \"5716143\");\npatches[\"10.2.0.2\"][\"db\"][\"win64\"] = make_array(\"patch_level\", \"10.2.0.2.6\", \"CPU\", \"5699839\");\n# RDBMS 10.2.0.1\npatches[\"10.2.0.1\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.2.0.1.5\", \"CPU\", \"5689937\");\npatches[\"10.2.0.1\"][\"db\"][\"win32\"] = make_array(\"patch_level\", \"10.2.0.1.9\", \"CPU\", \"5695784\");\npatches[\"10.2.0.1\"][\"db\"][\"win64\"] = make_array(\"patch_level\", \"10.2.0.1.9\", \"CPU\", \"5695786\");\n# RDBMS 
10.1.0.3\npatches[\"10.1.0.3\"][\"db\"][\"nix\"] = make_array(\"patch_level\", \"10.1.0.3.9\", \"CPU\", \"5923277\");\n\ncheck_oracle_database(patches:patches, high_risk:TRUE);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}]}