Oracle DBMS_AQADM_SYS SQL Injection

April 23, 2009

Oracle Database is a relational database management system (RDBMS). It provides comprehensive database applications to enterprise-level users. To extend the functionality of the Oracle Database Server, Oracle provides multiple packages of related program objects. The DBMS_AQADM_SYS package is one of them. The package provides subprograms to manage the administration of Oracle Streams Advanced Queueing (AQ).

An SQL injection vulnerability exists in DBMS_AQADM_SYS package. To be specific, a procedure GRANT_TYPE_ACCESS included in this package doesn't sanitize its parameter correctly, the profile of the procedure is listed as bellow:

 Argument Name Type In/Out? ------------------------------ USER_NAME VARCHAR2 IN 

The parameter user_name of the procedure is later used in the following SQL sentences:

 EXECUTE_STMT( 'grant execute on$_agent      to '|| USER_NAME||GRANT_OPT); EXECUTE_STMT('grant execute on$_dequeue_history      to '|| USER_NAME||GRANT_OPT); 

A remote attacker could exploit this vulnerability by embedding malicious SQL code as part of the vulnerable parameter user_name. Successful exploitation would result in modification or manipulation of the user permissions in the underlying database.

SonicWALL UTM team has released an IPS signature to detect/prevent generic attacks addressing this vulnerability. The signature is listed as bellow:

  • 1438 Oracle DB GRANT_TYPE_ACCESS Procedure SQL Injection

This vulnerability has been assigned the CVE identifier CVE-2009-0977.