Advisory: SQL Injection in Oracle Alter FBA Table

Posted February 20, 2013 by Alex Rothacker in Oracle, Security Advisory, Team Shatter Exclusive

Risk Level:
High

Affected versions:
Oracle Database Enterprise Edition 11.1, 11.2

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of Application Security Inc.

Details:
Renaming a table that has a flashback archive, using a specially crafted table name, triggers an internal SQL injection. This allows users to execute code with elevated privileges.

Impact:
An attacker who controls a flashback-enabled table can gain SYSDBA privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Do not grant the flashback archive privilege to untrusted users. Limit access to flashback-enabled tables to trusted users only.
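
To check a database against this workaround, the following audit queries list the accounts that hold flashback archive privileges and the grantees on flashback-enabled tables. They are an added example, not part of the original advisory, and assume a session that can read the DBA_* dictionary views; treating ALTER ANY TABLE holders as having control over such tables is an assumption of this example.

```sql
-- 1. Accounts or roles that can administer flashback archives database-wide.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'FLASHBACK ARCHIVE ADMINISTER'
 ORDER BY grantee;

-- 2. Accounts or roles granted the FLASHBACK ARCHIVE object privilege
--    on a specific flashback archive (table_name holds the archive name).
SELECT grantee, table_name AS flashback_archive, grantor, grantable
  FROM dba_tab_privs
 WHERE privilege = 'FLASHBACK ARCHIVE'
 ORDER BY grantee, table_name;

-- 3. Tables that currently have a flashback archive enabled, with owners.
SELECT owner_name, table_name, flashback_archive_name
  FROM dba_flashback_archive_tables
 ORDER BY owner_name, table_name;

-- 4. Non-owner grantees holding any object privilege on those tables.
--    Review each grantee: the workaround limits access to trusted users.
SELECT p.grantee, p.privilege, p.owner, p.table_name, p.grantable
  FROM dba_tab_privs p
  JOIN dba_flashback_archive_tables f
    ON f.owner_name = p.owner
   AND f.table_name = p.table_name
 ORDER BY p.owner, p.table_name, p.grantee;

-- 5. Assumption of this example: holders of ALTER ANY TABLE can alter
--    flashback-enabled tables they do not own, so they are listed too.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'ALTER ANY TABLE'
 ORDER BY grantee;
```

A grantee in any of these results may be a role; resolve role membership through DBA_ROLE_PRIVS before deciding which accounts to revoke from.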

Fix:
Apply the Oracle Critical Patch Update for October 2012, available from Oracle Support.

CVE:
CVE-2012-1751

Links:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
https://www.teamshatter.com/topics/general/team-shatter-exclusive/advisory-sql-injection-in-oracle-alter-fba-table/

Timeline:
Vendor Notification – 1/23/2012
Vendor Response – 1/26/2012
Fix – 16/10/2012
Public Disclosure – 20/02/2013
