Oracle MD2 Package Multiple Procedure Overflow

2004-08-31T19:15:18
ID OSVDB:9867
Type osvdb
Reporter Esteban Martinez Fayo (info@appsecinc.com)
Modified 2004-08-31T19:15:18

Description

Vulnerability Description

A remote overflow exists in the MD2 package of Oracle Database Server. The package fails to properly sanitize user input supplied to the LAYER parameter, which is passed to the SDO_CODE_SIZE or VALIDATE_GEOM procedure, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code or crash the server, resulting in a loss of integrity or availability.

Technical Description

A valid database account with any privilege level is required to exploit this vulnerability.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability:

9i Patchset 4 (9.2.0.5)
10g (10.1.0.2) Patch 2


References:

Vendor URL: http://www.oracle.com/
Vendor Specific Advisory URL
US-CERT Cyber Security Alert: TA04-245A
Secunia Advisory ID: 12409
Other Advisory URL: http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
Other Advisory URL: http://www.appsecinc.com/resources/alerts/oracle/2004-0001/41.html
Other Advisory URL: http://www.appsecinc.com/resources/alerts/oracle/2004-0001/42.html
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0041.html
Keyword: AppSec Issue 41/42
Generic Informational URL: http://www.computerworld.com/securitytopics/security/story/0,10801,95013,00.html
CVE-2004-1774
CIAC Advisory: o-209
Bugtraq ID: 10871