Red-Database-Security GmbH ist Spezialist für Oracle Security

Produkte
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Dienstleistungen
Oracle Audit / Hardening (Härten)
Security Schulungen
Consulting

Informationen
Oracle Sicherheit Blog
Veröffentlichte Alerts RSS Published Alerts
Gemeldete Alerts RSS Upcoming Alerts
Patch Informationen
Whitepaper
Präsentationen
Fakten
Exploits
Tutorials
Videos
Skripte

Neuigkeiten/Termine
Termine
Neuigkeiten

Firma
Kontakt
Mitarbeiter
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
SQL Injection via mod_plsql

Name SQL Injection via mod_plsql
Severity High Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Author Alexander Kornbrust (ak at red-database-security.com)
Date 26 January 2006 (V 1.00)
Bug reporter David Litchfield, NGSSoftware
Bug Status
Fixed with Oracle CPU April 2006


Analysis
A typical mod_plsql URL is http://192.168.2.22/pls/test/x.helloworld. This sample URL executes the procedure helloworld of the user X. To avoid accessing (mighty) packages which are granted to public, Oracle is blocking the access of procedures / packages containing the following (hardcoded) strings and user defined exclusions (exclusion_list):
 'sys.%'
 'dbms\_%'
 'utl\_%'
 'owa\_%'
 'owa.%'
 'htp.%'
 'htf.%' 
 
Oracle generates an anonymous PL/SQL-block containing the procedure name (e.g. x.helloworld) to compare the procedure name from the URL with the values from the exclusion list. You can see the entire generated PL/SQL source by adding the following strings to the WDBSVR.APP

[WVGATEWAY]
debugModules=all
LoggingLevel=Debug

All debug information will be stored in the $ORACLE_HOME/Apache/modplsql/log/<DAD>/<PORT>

An extract of the generated PL/SQL code is here:
[...]
if (owa_match.match_pattern('x.helloworld', simple_list__, complex_list__, true)) then
  rc__ := 2;
 else
  null;
  null;
  x.helloworld;
[...]
By sending a specially crafted procedure name, containing a ")", it is possible to bypass the package owa_match.
The workaround with URLRewrite blocks all requests containing closed brackets.

Affected Products
All Oracle products running mod_plsql (e.g. Application Server or HTTP/OHS running from the database)

Patch Information
This bug is NOT fixed with Critical Patch Update January 2006.
David Litchfield posted a workaround with URLRewrite with mod_plsql.



Workaround for Oracle mod_plsql Use URLRewrite to block potential dangerous URLs containing a ")".
RewriteEngine  on
RewriteCond %{QUERY_STRING} ^.*\).*|.*%29.*$
RewriteRule ^.*$ http://127.0.0.1/denied.htm?attempted-attack
RewriteRule ^.*\).*|.*%29.*$ http://127.0.0.1/denied.htm?attempted-attack
Problems with this workaround

Integrigy recommends in the Security Analysis of the mod_plsql security bug like Oracle in their press statements NOT to use this workaround. After reading the analysis from Integrigy I agree with their recommendation.


Another Workaround

Vladimir Zakharychev from Webrecruiter informed me about another workaround for the mod_plsql SQL Injection issue. Setting the value "always_describe" (up to 3.0.9.x.x) or "PlsqlAlwaysDescribeProcedure" (higher than 3.0.9.x) to ON in the dads.conf protects from the SQL Injection vulnerability in mod_plsql.

What is PlsqlAlwaysDescribeProcedure?
PlsqlAlwaysDescribeProcedure specifies whether mod_plsql should describe a procedure before trying to execute it. If this is set to "On", then mod_plsql will always describe a procedure before invoking it. Otherwise, mod_plsql will only describe a procedure when its internal heuristics have interpreted a parameter type incorrectly.

If PlsqlAlwaysDescribeProcedure is enabled, Oracle tries to describe every PL/SQL procedure. If a hacker injects pl/sql code, Oracle tries to describe this specially crafted string but fails because this procedure does not exist.

Potential problems with this workaround
Using this switch could have a negative impact on the application performance.


History

26-oct-2005 David Litchfield from NGS informed Oracle
7-nov-2005 David Litchfield informed the NISCC
25-jan-2006 David Litchfield posted a workaround for this unpatched vulnerability
26-jan-2006 Red-Database-Security released this analysis of the vulnerability
27-jan-2006 Info added how to enable the mod_plsql debugging mode
1-feb-2006 Another Workaround via PlsqlAlwaysDescribeProcedure + advisory from Integrigy added
4-feb-2006 Oracle FAQ for this vulnerability added
18-apr-2006 Oracle released CPU April 2006 which contains a fix for this problem


Links



© 2006 by Red-Database-Security GmbH - last update 18-apr-2006

Oracle MOD_PLSQL

MOD_PLSQL is an Apache (Web Server) extension module that allows one to create dynamic web pages from PL/SQL packages and stored procedures. With mod_plsql it is possible to develop fast and flexible applications that can run on the Internet or an Intranet.

MOD_PLSQL was formerly known asOracle PL/SQL Cartridge or OWA (Oracle Web Agent).