April 29, 2010

The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is a relational database management system (RDBMS) produced and marketed by Oracle Corporation. Oracle Database Server is the server-side implementation of the Database System which contains multiple modules and functionalities. To extend the functionality, extra packages of related program objects such as procedures, functions, variables, constants are provided to improve the products.

One package which is included with the Oracle Database product is the DBMS_CDC_PUBLISH package. This package is used by a publisher to set up an Oracle Change Data Capture system for capturing and publishing change data from one or more Oracle relational source tables. Two of the procedures included in DBMS_CDC_PUBLISH are DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE. These procedures drop or modify an existing AutoLog change source that was created with the CREATE_AUTOLOG_CHANGE_SOURCE procedure or an existing Distributed HotLog change source that was created with the CREATE_HOTLOG_CHANGE_SOURCE procedure. These two procedures have the following SQL method:

 DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE(         change_source_name IN VARCHAR2); 
 DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE(         change_source_name IN VARCHAR2,         source_description IN VARCHAR2,         logfile_suffix IN VARCHAR2,         logfile_location IN VARCHAR2); 

An SQL Injection vulnerability exists in the Oracle Database server. Specifically, the vulnerability is caused due to a lack of proper sanitization of user supplied arguments to DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE procedures. By exploiting this vulnerability, an attacker can inject and execute SQL commands within the security privileges of the database administrator SYSDBA, effectively compromising the database server.

SonicWALL UTM team has researched this vulnerability and created the following IPS signature to detect/prevent the attacks addressing this issue.

  • 5214 Oracle DB ALTER_CHANGE_SOURCE SQL Injection Attempt
  • 5212 Oracle DB DROP_CHANGE_SOURCE SQL Injection Attempt

This vulnerability is referred by CVE as CVE-2010-0870.