Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More
In July, Oracle released a Critical Patch Update for multiple products including Oracle Database and MySQL, which included, among others, patches for two serious vulnerabilities discovered by Trustwave SpiderLabs. Below, I will examine the technical details of these vulnerabilities.
The first vulnerability affects the latest Oracle Database version which is 12.1.0.2 and allows unauthenticated users to probe user accounts. That is anyone with a network connection to the database can confirm whether a given user exists in the database. This is made possible by differing server responses to login attempts for existing and non-existing user accounts. This is the network capture of a login attempt via sqlplus
for a legitimate user:
36 31 38 00 00 00 00 0D-00 00 00 0D 41 55 54 48 618.........AUTH
5F 56 46 52 5F 44 41 54-41 20 00 00 00 20 43 46 _VFR_DATA.....CF
32 46 39 44 34 46 32 35-30 32 41 31 35 44 39 36 2F9D4F2502A15D96
42 37 36 39 35 34 43 38-35 44 43 43 30 33 15 48 B76954C85DCC03.H
As you can see the token length is 16 bytes (32 characters).
Now let's append a character to the username and retry authentication:
30 37 45 00 00 00 00 0D-00 00 00 0D 41 55 54 48 07E.........AUTH
5F 56 46 52 5F 44 41 54-41 14 00 00 00 14 42 45 _VFR_DATA.....BE
32 30 34 39 42 32 36 31-31 33 37 41 30 42 36 41 2049B261137A0B6A
39 31 25 1B 00 00 14 00-00 00 14 41 55 54 48 5F 91%........AUTH_
For a non-existent account, the length of the AUTH_VFR_DATA
token is shorter – only 10 bytes (20 characters). That response tells us whether an account exists on the system or not.
Note that sqlplus
should be version 12.1.0.2 or newer in order to support the latest authentication protocol version.
This vulnerability allows attackers to run arbitrary code on some platforms because it is a classic stack-based buffer overflow. It can also be used to cause a denial of service.
Any authenticated user with CREATE TABLE
privileges can exploit this vulnerability. This happens because there is no length check on one of the parameters to add_keyword_path
function and the parameter is later copied to a stack-allocated buffer.
Here is proof-of-concept code:
CREATE TABLE test.t1 (id INTEGER) PARTITION BY HASH(id) PARTITIONS 1 (PARTITION p1 DATA DIRECTORY = '<600 character string>');
Affected MySQL versions are 5.6.24 and earlier. Here is a quote from the release notes:
Partitioning: When creating a partitioned table, partition-level
DATA DIRECTORY
orINDEX DIRECTORY
option values that contained an excessive number of characters were handled incorrectly. (Bug #20809045)
You will find the related commit in MySQL Server code here: https://github.com/mysql/mysql-server/commit/85d0ef869796ac370ee18b547682c923d16ef022
As we can see Oracle added a length validation step to exit when the path
length is more or equal to 512 bytes and replaced the strcpy
call with strncpy
.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.