Oracle Warehouse Builder SQL Injection (July 22, 2011)

Oracle Warehouse Builder (OWB) is an Extract, Transform, and Load (ETL) tool for managing data for business intelligence systems. Every Oracle 11g database product includes OWB as a bundled component. The Oracle Database supports querying and programming with the Structured Query Language (SQL), PL/SQL (Procedural Language / SQL), and Java. PL/SQL is Oracle’s procedural extension to SQL allowing the use of variables, conditional and loop constructs, functions, as well as some object-oriented features. PL/SQL program units can be pre-compiled and stored in the database. The Java runtime is also integrated with the SQL and PL/SQL database engines and enables the use of Java in stored procedures.
An example of Java source compiled and stored in the database through SQL DDL (it can then be exposed to PL/SQL via a call specification) is shown:

    create or replace and resolve java source named "TESTING" as
    import java.lang.*;
    import java.io.*;
    public class Hello {
      public static void HelloWorld() {
        System.out.println("This is a test");
      }
    }

OWB by default creates a database user, OWBREPOS_OWNER. This user holds a number of critical roles and privileges which enable it to read all data in the database (including user password hashes). OWBREPOS_OWNER can also execute OS commands and can therefore obtain SYSDBA rights.

A privilege escalation vulnerability has been found in Oracle Warehouse Builder. A specific stored procedure in the OWBREPOS_OWNER package performs insufficient input validation on all of its parameters. This procedure has execute permission granted to PUBLIC by default. By inserting escaped single quotes (denoted by two single quotes) into one of the parameter strings, SQL, PL/SQL, and Java code can be injected and executed as OWBREPOS_OWNER.

An attacker with limited user privileges could use this vulnerability to read arbitrary data including password hashes from the database, and execute arbitrary SQL, PL/SQL and Java code, and operating system commands in the security context under which the database is running, effectively compromising the database server completely.
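The root cause described above is a definer-rights procedure, executable by PUBLIC, that splices a caller-supplied string into dynamic SQL. The following is an added illustration, not the OWB procedure itself: the schema, procedure names and table are hypothetical. It shows the unsafe pattern, the bind-variable fix, and a data-dictionary query a DBA can use to find PUBLIC-executable definer-rights code in the OWBREPOS_OWNER schema.

```sql
-- Hypothetical unsafe pattern (constructed for this example, not OWB code).
-- AUTHID DEFINER is the default: the body runs with the owner's privileges,
-- so every caller granted EXECUTE borrows those privileges while it runs.
CREATE OR REPLACE PROCEDURE demo_owner.lookup_unsafe (p_name IN VARCHAR2)
AUTHID DEFINER
AS
  l_sql   VARCHAR2(4000);
  l_count PLS_INTEGER;
BEGIN
  -- The parameter becomes part of the statement text, so a quote sequence
  -- in p_name changes the statement rather than being treated as data.
  l_sql := 'SELECT COUNT(*) FROM demo_owner.targets WHERE name = '''
           || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
END;
/

-- Hardened form: the value travels as a bind variable and is never parsed
-- as SQL. Invoker rights keep the caller from borrowing the owner's privileges;
-- where the procedure must act as the owner, the bind variable alone still
-- removes the injection.
CREATE OR REPLACE PROCEDURE demo_owner.lookup_safe (p_name IN VARCHAR2)
AUTHID CURRENT_USER
AS
  l_count PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_owner.targets WHERE name = :1'
    INTO l_count USING p_name;
  -- If an identifier (not a value) must be concatenated, validate it first,
  -- e.g. DBMS_ASSERT.SQL_OBJECT_NAME or DBMS_ASSERT.ENQUOTE_NAME.
END;
/

-- Review query for the exposure described in the advisory: definer-rights
-- subprograms in the OWB repository schema that PUBLIC may execute.
SELECT DISTINCT p.owner, p.object_name, p.object_type, p.authid
  FROM dba_tab_privs  t
  JOIN dba_procedures p
    ON p.owner = t.owner AND p.object_name = t.table_name
 WHERE t.grantee   = 'PUBLIC'
   AND t.privilege = 'EXECUTE'
   AND p.authid    = 'DEFINER'
   AND p.owner     = 'OWBREPOS_OWNER'
 ORDER BY p.object_name;
```

Run the review query as a DBA account; rows returned are candidates for revoking the PUBLIC grant or restricting it to the roles that actually need it.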

SonicWALL has multiple generic IPS signatures which address SQL injection attempts. The following IPS signatures are proactively addressing attacks targeting this vulnerability.

  • 1421 – SQL-INJECTION Generic SQL Injection Attempt 7
  • 1661 – SQL-INJECTION Generic SQL Injection Attempt 8
  • 4161 – SQL-INJECTION Generic SQL Injection Attempt 16

This vulnerability has been assigned the identifier CVE-2011-0799 by MITRE.
The vendor has released an advisory addressing this issue.
