Vulnerability Note VU#307835
Oracle9i Application Server OWA_UTIL procedures expose sensitive information
Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application (package) called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obtain credentials and access to other database servers, and run SQL queries on accessible database servers.
David Litchfield of NGSSoftware has released a paper titled Hackproofing Oracle Application Server that describes a number of security issues in Oracle's PL/SQL system. This document addresses a problem in which a number of procedures in the OWA_UTIL PL/SQL application disclose sensitive information.
Quoting from Hackproofing:
OWA_UTIL.signature returns a message containing version information about the PL/SQL module. An attacker could use this procedure to verify access to OWA_UTIL.
OWA_UTIL.showsource returns the source code of the specified PL/SQL application. According to Oracle9i AS v126.96.36.199 documentation, web access to OWA_UTIL.cellsprint is prevented by default.
OWA_UTIL.cellsprint allows an attacker to run arbitrary SQL queries. Litchfield notes that queries could be made to the sys.link$ table, which could provide credentials and access to other Oracle database servers. According to Oracle9i AS v188.8.131.52 documentation, web access to OWA_UTIL.cellsprint is prevented by default.
OWA_UTIL.listprint allows an attacker to run arbitrary SQL queries, but only returns specified columns.
OWA_UTIL.show_query_columns returns column names of a database table. This procedure could be used to obtain column names for use with OWA_UTILS.listprint.
The PL/SQL module provides a configuration parameter called exclusion_list. Procedures (as well as applications and schemas) specified in exclusion_list cannot be directly executed over the web. As noted above, Oracle9i AS v184.108.40.206 documentation states that web access to OWA_UTIL.showsource and OWA_UTIL.cellsprint is prevented by default.
The vulnerable PL/SQL module may also be used by Oracle9i Database and Oracle8i Database.
An unauthenticated, remote attacker could use procedures provided by OWA_UTIL to view the source code of PL/SQL applications, obtain access credentials for other database servers, access other database servers, and perform SQL queries on accessible database servers.
Block or Restrict Access
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Oracle||Affected||02 Mar 2002||05 Mar 2002|
CVSS Metrics (Learn More)
The CERT Coordination Center thanks David Litchfield of NGSSoftware for information used in this document.
This document was written by Art Manion.
- CVE IDs: CAN-2002-0560
- CERT Advisory: CA-2002-08
- Date Public: 10 Jan 2002
- Date First Published: 11 Mar 2002
- Date Last Updated: 15 Nov 2002
- Severity Metric: 10.26
- Document Revision: 42
If you have feedback, comments, or additional information about this vulnerability, please send us email.