Oracle Warehouse Builder SQL Injection

July 22, 2011

Oracle Warehouse Builder (OWB) is an Extract, Transform, and Load (ETL) tool for managing data for business intelligence systems. Every Oracle 11g database product includes OWB as a bundled component. The Oracle Database supports querying and programming with the Structured Query Language (SQL), PL/SQL (Procedural Language / SQL), and Java. PL/SQL is Oracle's procedural extension to SQL allowing the use of variables, conditional and loop constructs, functions, as well as some object-oriented features. PL/SQL program units can be pre-compiled and stored in the database. The Java runtime is also integrated with the SQL and PL/SQL database engines and enables the use of Java in stored procedures.
An example of a PL/SQL procedure which includes Java code is shown:

create or replace and resolve java source named "TESTING" as import java.lang.*; import*; public class Hello {   public static void HelloWorld() {     System.out.println("This is a test");   } }

The OWB by default includes a database user OWBREPOS_OWNER. This user has a number of critical roles and privileges which enable it to read all data in the database (including user hashes). The user OWBREPOS_OWNER can also execute OS commands and can therefore obtain SYSDBA right.

A privilege escalation vulnerability has been found in Oracle Warehouse Builder. A specific stored procedure in the OWBREPOS_OWNER package performs insufficient input validation on all of its parameters. The said procedure has execute permissions granted to PUBLIC by default. By inserting escaped single quotes (denoted by two single quotes) into one of the parameter strings, SQL, PL/SQL, and Java code can be injected to be executed as OWBREPOS_OWNER.

An attacker with limited user privileges could use this vulnerability to read arbitrary data including password hashes from the database, and execute arbitrary SQL, PL/SQL and Java code, and operating system commands in the security context under which the database is running, effectively compromising the database server completely.

SonicWALL has multiple generic IPS signatures which address SQL injection attempts. The following IPS signatures are proactively addressing attacks targeting this vulnerability.

  • 1421 - SQL-INJECTION Generic SQL Injection Attempt 7
  • 1661 - SQL-INJECTION Generic SQL Injection Attempt 8
  • 4161 - SQL-INJECTION Generic SQL Injection Attempt 16

This vulnerability has been assigned the identifier CVE-2011-0799 by mitre.
The vendor has released an advisory addressing this issue.