Oracle Character Conversion Bugs (#NISR2122004G) Dec 23 2004 04:31PM
NGSSoftware Insight Security Research (nisr nextgenss com)

NGSSoftware Insight Security Research Advisory

Name: Oracle 10g character conversion bug
Systems Affected: Oracle 10g/AS on all operating systems
Severity: High risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Relates to: http://www.nextgenss.com/advisories/oracle-01.txt
Date of Public Advisory: 23rd December 2004
Advisory number: #NISR2122004G
Advisory URL: http://www.ngssoftware.com/advisories/oracle23122004G.txt

Due to character conversion problems in Oracle 10g with Oracle's Application
server it is possible to bypass pl/sql exclusions and gain access to the
database server as SYS.

There is a character conversion bug in 10g that can lead to a compromised
backend database server. Both Windows and Linux are affected. Consider the
following set up. There's a Oracle HTTP Server (running apache 1.3.22 on
Windows) using the PL/SQL module feeding into a 10g box running on Windows
and a 10g box running on Linux. The character set for both instances is
WE8ISO8859P1. When the app server receives a request of


the %FFs are converted to the byte 0xFF (as expected) but sniffing the
database response to the app server we get

"ORA-06550: line 8, column 2: PLS-00201: identifier 'YYYYY' must be

10g, when using the WE8ISO8859P1 character set, converts 0xFF to 0x59 - that
is uppercase Y. Due to this conversion an attacker can request


and gain access to "banned" and dangerous procedures. The character set for
the HTTP server is set to AMERICAN_AMERICA.WE8ISO8859P1.

If, however, we set the character set on the HTTP Server to
ENGLISH_UNITEDKINGDOM.WE8MSWIN1252 not only is the 0xFF still converted to
0x59 but if


is requested

the _app_server_ (note - not 10g) converts the %9F to a Y and again this
allows us to do the following


again giving access to the "banned" and dangerous procedures.

Other character sets and scenarios may cause similar problems.

Fix Information
A patch (#68) was released for this problem by Oracle. See
http://metalink.oracle.com/ for more details. NGSSQuirreL for Oracle
(http://www.nextgenss.com/squirrelora.htm), can be used to assess whether
your Oracle servers are vulnerable to this.

About NGSSoftware
NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware have
offices in the South of London and the East Coast of Scotland. NGSSoftware's
sister company NGSConsulting, offers best of breed security consulting
services, specialising in application, host and network security


Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries (at) ngssoftware (dot) com [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus