Oracle DBMS_AQADM_SYS SQL Injection (April 23, 2009)
Oracle Database is a relational database management system (RDBMS). It provides comprehensive database applications to enterprise-level users. To extend the functionality of the Oracle Database Server, Oracle provides multiple packages of related program objects. The DBMS_AQADM_SYS package is one of them. The package provides subprograms to manage the administration of Oracle Streams Advanced Queueing (AQ).
A SQL injection vulnerability exists in the DBMS_AQADM_SYS package. Specifically, the GRANT_TYPE_ACCESS procedure in this package does not sanitize its parameter correctly. The signature of the procedure is listed below:
Argument Name                  Type      In/Out?
------------------------------ --------- -------
USER_NAME                      VARCHAR2  IN
The user_name parameter of the procedure is later used in the following SQL statements:
EXECUTE_STMT('grant execute on sys.aq$_agent to '|| USER_NAME||GRANT_OPT);
EXECUTE_STMT('grant execute on sys.aq$_dequeue_history to '|| USER_NAME||GRANT_OPT);
A remote attacker could exploit this vulnerability by embedding malicious SQL code as part of the vulnerable parameter user_name. Successful exploitation would result in modification or manipulation of the user permissions in the underlying database.
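The concatenation pattern above, rewritten with identifier validation, as an added example that is not Oracle's code or its patch. The procedure name grant_type_access_checked, the restriction of grantees to existing users, and the sample values are assumptions made for illustration; the GRANT_OPT suffix is left out.

```sql
-- Added example: hypothetical hardened counterpart of the two GRANT
-- statements shown above. Not Oracle's implementation.
CREATE OR REPLACE PROCEDURE grant_type_access_checked (
    user_name IN VARCHAR2
) AUTHID CURRENT_USER
AS
    v_grantee VARCHAR2(130);
    v_count   PLS_INTEGER;
BEGIN
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the value is exactly one
    -- SQL identifier; ENQUOTE_NAME then returns it double-quoted, so the
    -- value can only ever be parsed as a single name in the GRANT.
    v_grantee := DBMS_ASSERT.ENQUOTE_NAME(
                     DBMS_ASSERT.SIMPLE_SQL_NAME(TRIM(user_name)));

    -- Static SQL: v_grantee is passed as a bind value, never as SQL text.
    -- Assumption: only existing database users are acceptable grantees.
    SELECT COUNT(*)
      INTO v_count
      FROM all_users
     WHERE username = TRIM('"' FROM v_grantee);

    IF v_count = 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'grantee is not an existing user');
    END IF;

    -- DDL cannot take bind variables, so the validated, quoted identifier
    -- is the only caller-supplied text that reaches the statement.
    EXECUTE IMMEDIATE 'grant execute on sys.aq$_agent to ' || v_grantee;
    EXECUTE IMMEDIATE 'grant execute on sys.aq$_dequeue_history to ' || v_grantee;
END grant_type_access_checked;
/

-- Constructed sample calls: the first value is a plain identifier, the
-- second is not a single identifier and is rejected before any GRANT runs.
SET SERVEROUTPUT ON
BEGIN
    grant_type_access_checked('SCOTT');
    grant_type_access_checked('NOT A NAME');
EXCEPTION
    WHEN DBMS_ASSERT.INVALID_SQL_NAME THEN
        DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
END;
/
```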
The SonicWALL UTM team has released an IPS signature to detect and prevent generic attacks addressing this vulnerability. The signature is listed below:
- 1438 Oracle DB GRANT_TYPE_ACCESS Procedure SQL Injection
This vulnerability has been assigned the CVE identifier CVE-2009-0977.