Security News

Oracle RollbackWorkspace SQL Injection (May 22, 2009)

By

The Oracle Database Server is an enterprise-level relational database application suite. To extend the functionality of the Oracle Database Server, extra packages are included in the suite such as procedures, constants, cursors, and exceptions, in order to ease data management. The included stored procedures and functions are essentially sets of SQL statements that are stored on the server. One such bundled package is the Oracle Workspace Manager.

The Oracle Workspace Manager enables application developers and DBAs to manage current, proposed and historical versions of data in the same database. Interface to the Oracle Workspace Manager tools is provided by the DBMS_WM package. Among the functions supplied by this package is RollbackWorkspace. This function takes two arguments: 

 WORKSPACE   - VARCHAR2 AUTO_COMMIT - BOOLEAN

An SQL injection vulnerability exists in the aforementioned function. The flaw is created due to a lack of proper sanitization of user supplied arguments. The function is vulnerable to an SQL injection attack in the WORKSPACE argument. Injecting a single quote inside the data passed in this argument will cause the internally generated script to treat a portion of the passed argument as a separate SQL statement.

The code that may be injected through the vulnerable function is limited in scope, length and functionality. Because of these constraints, execution of any complex SQL commands may only be performed through user created functions. Thus, exploitation of the flaw would require an attacker not only to have valid credentials to log into the vulnerable server, but also to have privileges to create SQL functions.

It should be noted that by default, all database users have permissions to execute the vulnerable function. Thus, a database user with normal privileges may inject SQL statements which will be executed with system privileges on the target database server.

Any injected SQL commands will be executed within the security privileges of the database administrator, SYSDBA, effectively compromising the database server. Exploitation of the vulnerability is considered to be an easy task, given that the attacker has privileges to create functions.

SonicWALL has created and released an IPS signature that detects and blocks generic attack attempts targeting this vulnerability. The following signature addresses this issue:

  • 1471 – Oracle LT.ROLLBACKWORKSPACE SQL Injection Attempt
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Microsoft Security Bulletin Coverage (Mar 12, 2013)
AndroidLocker ransomware targeting android phones (May 15, 2014))
Cybersecurity News & Trends - 12-18-20
Microsoft Exchange Server zero day vulnerabilities
Artemis.A, New InfoStealer in the Wild. (January 26, 2017)
TinyPOS a new multi-component POS family actively spreading in the wild.
Ransomware possibly being used to teach "Ethical" hacking
OpenSSL Heartbleed: 3 Months Later (July 3, 2014)