Oracle CREATE_TABLES SQL Injection

October 30, 2009

The Oracle Database Server ships preloaded with extra packages that extend its functionality. These packages take the form of procedures, functions, variables, etc. A package is essentially a set of SQL statements stored on the server side as precompiled SQL.

One of the packages included with the database server, responsible for the configuration and administration of the database, is the ConText package. This package comes with two predefined users, CTXSYS and CTXDEMO. The CTXSYS user is used for administrative tasks and therefore has a wide range of privileges.

An SQL injection vulnerability exists in the DRVXTABC package, owned by the CTXSYS user. The flaw is in the stored procedure DRVXTABC.CREATE_TABLES, which accepts three arguments: owner, name, and id. During execution of the vulnerable procedure, these arguments are not properly sanitized before being used directly to build an SQL statement. In particular, double quote characters are not removed from the affected arguments. When a supplied argument contains double quotes, it alters the logic of the generated statement. This allows an authenticated database user to inject arbitrary SQL that is executed in the context of the CTXSYS user.
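
As an added illustration (not SonicWALL's or Oracle's code), the following Python model shows the identifier-quoting discipline that Oracle's own DBMS_ASSERT.ENQUOTE_NAME enforces, placed beside the verbatim-concatenation pattern the advisory describes. The DDL shape and the argument handling are assumptions, since the advisory does not reproduce the procedure's actual statement.

```python
import re


class InvalidSqlName(ValueError):
    """Raised when an identifier cannot be quoted safely (cf. ORA-44003)."""


def enquote_name(name: str, capitalize: bool = True) -> str:
    """Python model of DBMS_ASSERT.ENQUOTE_NAME: return the name wrapped in
    double quotes and refuse any embedded double quote that is not part of an
    adjacent (escaped) pair, so a caller-supplied value can never close the
    quoted identifier early and change the surrounding statement."""
    inner = name
    if len(inner) >= 2 and inner.startswith('"') and inner.endswith('"'):
        inner = inner[1:-1]          # already quoted: keep case as given
    elif capitalize:
        inner = inner.upper()        # unquoted names fold to upper case
    if not inner:
        raise InvalidSqlName("empty identifier")
    if '"' in inner.replace('""', ''):
        raise InvalidSqlName(f"unpaired double quote in identifier {name!r}")
    return f'"{inner}"'


def unsafe_create_table(owner: str, name: str, id_: str) -> str:
    """Vulnerable pattern: identifiers spliced in verbatim. (Constructed DDL
    shape for illustration; not the real DRVXTABC.CREATE_TABLES statement.)"""
    return f'CREATE TABLE "{owner}"."{name}_{id_}" (dummy NUMBER)'


def safe_create_table(owner: str, name: str, id_: str) -> str:
    """Hardened counterpart: the id is validated as numeric and every
    identifier passes through enquote_name() before reaching the DDL text."""
    if not re.fullmatch(r"[0-9]{1,10}", id_):
        raise InvalidSqlName(f"id must be numeric, got {id_!r}")
    table = enquote_name(f"{name}_{id_}")
    return f"CREATE TABLE {enquote_name(owner)}.{table} (dummy NUMBER)"


def quoted_identifiers_balanced(stmt: str) -> bool:
    """Cheap structural check usable in review or logging: a statement whose
    identifiers all came from enquote_name() has an even number of quotes."""
    return stmt.count('"') % 2 == 0
```

Run against a name carrying a stray double quote, the unsafe builder yields a statement with an odd quote count, while the hardened builder raises InvalidSqlName before any DDL text exists.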

A mitigating factor is that, to exploit this flaw, an attacker must already be logged in and hold execute privileges on the CTXSYS.DRVXTABC.CREATE_TABLES procedure. Furthermore, the injected code must produce a well-formed SQL statement in order to be committed, as the whole operation is treated as an atomic command. Any successfully injected SQL is executed with the security privileges of the database administrator, SYSDBA.

SonicWALL has released an IPS signature that detects and blocks generic attack attempts targeting this vulnerability. The following signature has been released:

  • 4632 - Oracle DB CREATE_TABLES SQL Injection Attempt