Team SHATTER Security Advisory: Buffer Overflow in Resource Manager of Oracle Database - Plan name parameter

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

Buffer Overflow in Resource Manager of Oracle Database - Plan name paramete=
r

August 27, 2009

Risk Level:
Medium

Affected versions:
Oracle Database Server version 9iR1 and 9iR2

Remote exploitable:
Yes (Authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Mart=EDnez Fay=
=F3 of Application Security Inc.

Details:
The plan name parameter used in ALTER SYSTEM SET RESOURCE_MANAGER_PLAN stat=
ement and in SYS.DBMS_RESOURCE_MANAGER.SWITCH_PLAN procedure is vulnerable =
to buffer overflow attacks. When passing an overly long plan name string a =
buffer can be overflowed.

Impact:
To exploit this vulnerability it is required to have ALTER SYSTEM privilege=
. Exploitation of this vulnerability allows an attacker to execute arbitrar=
y code. It can also be exploited to cause DoS (Denial of service) killing t=
he Oracle server process.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Restrict ALTER SYSTEM privilege.

Fix:
Apply Oracle Critical Patch Update July 2009 available at Oracle Metalink.

CVE:
CVE-2009-0979

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpu=
apr2009.html
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpu=
jul2009.html

Timeline:
Vendor Notification - 8/15/2007
Fix - 07/14/2009
Public Disclosure - 08/07/2009

Application Security, Incs database security solutions have helped over 1,=
600 organizations secure their databases from all internal and external thr=
eats while also ensuring that those organizations meet or exceed regulatory=
 compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at t=
he time of publishing based on currently available information. Use of the =
information constitutes acceptance for use in an AS IS condition. There are=
 no warranties with regard to this information. Neither the author nor the =
publisher accepts any liability for any direct, indirect, or consequential =
loss or damage arising from use of, or reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iD8DBQFKl/WO9EOAcmTuFN0RAsAOAJ0cy+JPiZ0vZ2YyMeEpq539Gmu3/gCfVH6N
yK2AcG2SQHNh90hQgkAAgv8=3D
=3DalV+
-----END PGP SIGNATURE-----