-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 afaik, no one cares about oracle.
retarded blind scavengers make careers selling fallen, rotten, previously low hanging fruit. <3 2 n3td3v > Tue, 13 Jan 2009 15:52:02 -0800 David Litchfield <[email protected]> wrote: >NGSSoftware Insight Security Research Advisory > >Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL >Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2) >Severity: High >Vendor URL: http://www.oracle.com/ >Author: David Litchfield [ [email protected] ] >Reported: 23rd July 2008 >Date of Public Advisory: 13th January 2009 >Advisory number: #NISR13012009 >CVE: CVE-2008-3979 > >Overview >******** >Oracle has just released a fix for a flaw that, when exploited, >allows a low >privileged authenticated database user to gain MDSYS privileges. >This can be >abused by an attacker to perform actions as the MDSYS user. > >Details >******* >MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of >the >Oracle Spatial Application. It is vulnerable to SQL injection. >When a user >drops a table the trigger fires. The name of the table is embedded >in a >dynamic SQL query which is then executed by the trigger. Note that >the >Oracle advisory states that the attacker requires the DROP TABLE >and CREATE >PROCEDURE privileges. This is not the case and only CREATE SESSION > >privileges are required. > >Fix Information >*************** >Oracle was alerted to this flaw on the 23rd July 2008. A patch has >now been >made available: > >http://www.oracle.com/technology/deploy/security/critical-patch- >updates/cpujan2009.html > >NGSSQuirreL for Oracle, an advanced vulnerability assessment >scanner >designed specifically for Oracle, can be used to accurately >determine >whether your servers are vulnerable to these flaws. More >information about >NGSSQuirreL for Oracle can be found here: > >http://www.ngssoftware.com/products/database-security/ngs-squirrel- >oraclephp > >About NGSSoftware >***************** >NGSSoftware, an NCC Group Company, develops vulnerability >assessment and >compliancy tools for database servers including Oracle, Microsoft >SQL >Server, DB2, Sybase and Informix. Headquartered in the United >Kingdom NGS >has offices in London, St. Andrews (UK), Brisbane, and Perth >(Australia) and >Seattle in the United States; NGS provide services to some of the >largest >and most demanding organizations around the globe. > >http://www.ngssoftware.com/ >Telephone +44 208 401 0070 >Fax +44 208 401 0076 > >-- >E-MAIL DISCLAIMER > >The information contained in this email and any subsequent >correspondence is private, is solely for the intended recipient(s) >and >may contain confidential or privileged information. For those >other than >the intended recipient(s), any disclosure, copying, distribution, >or any >other action taken, or omitted to be taken, in reliance on such >information is prohibited and may be unlawful. If you are not the >intended recipient and have received this message in error, please >inform the sender and delete this mail and any attachments. > >The views expressed in this email do not necessarily reflect NGS >policy. >NGS accepts no liability or responsibility for any onward >transmission >or use of emails and attachments having left the NGS domain. > >NGS and NGSSoftware are trading names of Next Generation Security >Software Ltd. Registered office address: Manchester Technology >Centre, >Oxford Road, Manchester, M1 7EF with Company Number 04225835 and >VAT Number 783096402 > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAkltMpcACgkQynWwk3/AtyOsbgP+LVLiKWqeGvuu/kFnm7sQXic8l5k1 9RYQ902ygOS4Nt67IkUgFgZBeTsN25d0mkH0hZDHulhTJOPNFGxwLuRVbXBF89JwjCO7 faHEhS73TGVmm3TnUTm1ZGEg1dto36LomtrR/H1YMmMnY41RCoK1ycj8QeEFfOFiuK/v AKEkLFw= =Y0II -----END PGP SIGNATURE----- -- Dreaming of a career in Medical Administration? Click here to make your dream career a reality. http://tagline.hushmail.com/fc/PnY6qxukq5RffaxISSWG6OsKAmNS1Ot26fn4GDJCCtUikCP599Qla/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
