[VIM] Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11) (fwd)
security curmudgeon
jericho at attrition.org
Thu Jan 15 01:05:22 UTC 2009
---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: Team SHATTER <shatter at appsecinc.com>
Cc: bugtraq at securityfocus.com, secalert_us at oracle.com
Date: Sat, 10 Jan 2009 11:11:41 +0000 (UTC)
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in
SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)
Hi Team SHATTER,
Apologies for the very late reply, but I had a question regarding your
advisory. I am CC'ing Oracle's security contact in hopes they can also
reply with clarification.
: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)
: Details:
: Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
: package contains the procedure GET_FULL_FILENAME which is vulnerable to
: buffer overflow attacks.
:
: Impact:
: Any Oracle database user with EXECUTE privilege on the package
: SYS.KUPF$FILE_INT can exploit this vulnerability. By default, users
: granted EXECUTE_CATALOG_ROLE have the required privilege. Exploitation
: of this vulnerability allows an attacker to execute arbitrary code. It
: can also be exploited to cause DoS (Denial of service) killing the
: Oracle server process.
Cliff notes: SYS.KUPF$FILE_INT.GET_FULL_FILENAME remote overflow, "execute
arbitrary code .. also .. cause DoS". CVE-2008-1820
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
>From the Oracle advisory:
DB11 Data Pump Oracle Net Execute on KUPF$FILE_INT No 4.0 Network Low Single None None Partial
Cliff notes: Confidentiality = None. Integrity = None. Availability =
Partial.
Summary: Team SHATTER says this is a remote overflow that allows for the
execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited
DoS condition (CVSS2 4.0). That is a big discrepancy.
Based on disclosure history, Team SHATTER has a higher confidence rating
and is generally considered more trustworthy than Oracle. As a responsible
security professional, I have to assume their research is accurate and
their advisory should be taken more seriously than Oracle's.
Any input from either side to help clarify?
- security curmudgeon
p.s. Same exact question and CVSS2 scores for SYS.DBMS_AQJMS_INTERNAL
(DB15), CVE-2008-1821, same Oracle CPU.
More information about the VIM
mailing list