Oracle RollbackWorkspace SQL Injection (May 22, 2009)
The Oracle Database Server is an enterprise-level relational database application suite. To extend its functionality and ease data management, the suite includes extra packages containing items such as procedures, constants, cursors, and exceptions. The included stored procedures and functions are essentially sets of SQL statements that are stored on the server. One such bundled package is the Oracle Workspace Manager.
The Oracle Workspace Manager enables application developers and DBAs to manage current, proposed and historical versions of data in the same database. The interface to the Oracle Workspace Manager tools is provided by the DBMS_WM package. Among the functions supplied by this package is RollbackWorkspace. This function takes two arguments:
- WORKSPACE - VARCHAR2
- AUTO_COMMIT - BOOLEAN
An SQL injection vulnerability exists in the aforementioned function. The flaw results from a lack of proper sanitization of user-supplied arguments, and it is reachable through the WORKSPACE argument. Injecting a single quote inside the data passed in this argument will cause the internally generated script to treat a portion of the passed argument as a separate SQL statement.
The code that may be injected through the vulnerable function is limited in scope, length and functionality. Because of these constraints, execution of any complex SQL commands may only be performed through user-created functions. Thus, exploitation of the flaw would require an attacker not only to have valid credentials to log into the vulnerable server, but also to have privileges to create SQL functions.
It should be noted that by default, all database users have permissions to execute the vulnerable function. Thus, a database user with normal privileges may inject SQL statements which will be executed with system privileges on the target database server.
Any injected SQL commands will be executed with the security privileges of the database administrator, SYSDBA, effectively compromising the database server. Exploitation of the vulnerability is considered to be an easy task, given that the attacker has privileges to create functions.
SonicWALL has created and released an IPS signature that detects and blocks generic attack attempts targeting this vulnerability. The following signature addresses this issue:
- 1471 – Oracle LT.ROLLBACKWORKSPACE SQL Injection Attempt
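For reviewing database audit or SQL trace text for the condition described above, the following added example (not part of the original advisory and not the logic of the SonicWALL signature) finds RollbackWorkspace calls and flags a WORKSPACE literal whose decoded value contains a single quote. The function names, labels and sample statements are assumptions constructed for illustration; only plain '...' literals are decoded, and anything else is reported for manual review.

```python
import re

# Call sites of the function named on this page, via DBMS_WM or the LT
# package named in the signature title (a schema prefix may precede either).
CALL_RE = re.compile(r"\b(?:DBMS_WM|LT)\s*\.\s*ROLLBACKWORKSPACE\s*\(", re.I)
NAMED_RE = re.compile(r"\s*(?:WORKSPACE\s*=>\s*)?", re.I)  # optional named notation

def read_literal(sql, pos):
    """Decode an Oracle '...' literal at sql[pos]; None if absent or unterminated."""
    if pos >= len(sql) or sql[pos] != "'":
        return None
    out, i = [], pos + 1
    while i < len(sql):
        if sql[i] != "'":
            out.append(sql[i]); i += 1
        elif sql[i + 1:i + 2] == "'":      # '' encodes one quote inside a literal
            out.append("'"); i += 2
        else:
            return "".join(out)            # closing quote reached
    return None

def check_statement(sql):
    """Return (label, detail) findings for each RollbackWorkspace call in sql."""
    findings = []
    for m in CALL_RE.finditer(sql):
        pos = NAMED_RE.match(sql, m.end()).end()
        value = read_literal(sql, pos)
        if value is None:
            # Bind variable, expression, q-quoted or broken literal: cannot inspect.
            findings.append(("review-non-literal", sql[pos:pos + 30].strip()))
        elif "'" in value:
            findings.append(("quote-in-workspace", value))
    return findings

# Constructed sample statements (not captured traffic).
SAMPLES = [
    "BEGIN DBMS_WM.RollbackWorkspace('NEWWORKSPACE'); END;",
    "BEGIN dbms_wm.rollbackworkspace(workspace => 'WS_1', auto_commit => FALSE); END;",
    "BEGIN LT.ROLLBACKWORKSPACE('WS1''X'); END;",
    "BEGIN DBMS_WM.RollbackWorkspace(:ws); END;",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_statement(s), "<-", s)
```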