Home > Articles > Bypassing Oracle dbms_assert

Bypassing Oracle dbms_assert

December 28th, 2006

By using specially crafted parameters (in double quotes) it is possible to bypass the input validation of the package dbms_assert and inject SQL code. This makes dozens of already

fixed Oracle vulnerabilities exploitable in all versions of Oracle again (8.1.7.4 – 10.2.0.2, fully patched with Oracle CPU July 2006).

To protect the Oracle PL/SQL system packages from the growing number of SQL injection vulnerabilities Oracle introduced a new package called dbms_assert in Oracle 10g Release 2. This package was backported with the Oracle Critical Patch Update (CPU) October 2005 to all supported databases (8.1.7.4 until 10.1.0.5).

To mitigate the risk you should revoke especially the privilege “CREATE PROCEDURE” or “ALTER PROCEDURE” to avoid privilege escalation by injection specially crafted functions or procedures.

Click here to download the full whitepaper

Articles

Comments are closed.