Oracle DBMS_AQADM_SYS SQL Injection (April 23, 2009)

By

Oracle Database is a relational database management system (RDBMS). It provides comprehensive database applications to enterprise-level users. To extend the functionality of the Oracle Database Server, Oracle provides multiple packages of related program objects. The DBMS_AQADM_SYS package is one of them. The package provides subprograms to manage the administration of Oracle Streams Advanced Queueing (AQ).

An SQL injection vulnerability exists in DBMS_AQADM_SYS package. To be specific, a procedure GRANT_TYPE_ACCESS included in this package doesn’t sanitize its parameter correctly, the profile of the procedure is listed as bellow:

 Argument Name Type In/Out? ------------------------------ USER_NAME VARCHAR2 IN 

The parameter user_name of the procedure is later used in the following SQL sentences:

 EXECUTE_STMT( 'grant execute on sys.aq$_agent      to '|| USER_NAME||GRANT_OPT); EXECUTE_STMT('grant execute on sys.aq$_dequeue_history      to '|| USER_NAME||GRANT_OPT); 

A remote attacker could exploit this vulnerability by embedding malicious SQL code as part of the vulnerable parameter user_name. Successful exploitation would result in modification or manipulation of the user permissions in the underlying database.

SonicWALL UTM team has released an IPS signature to detect/prevent generic attacks addressing this vulnerability. The signature is listed as bellow:

  • 1438 Oracle DB GRANT_TYPE_ACCESS Procedure SQL Injection

This vulnerability has been assigned the CVE identifier CVE-2009-0977.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.