Signature Detail

DB: Oracle CREATE_TABLES SQL Injection

This signature detects attempts to exploit a known vulnerability against Oracle Database versions 9i Release 2 9.2.0.8DV, 9i Release 2 9.2.0.8, 10g 10.1.0.5; and 10g Release 2 10.2.0.4, and the CTXSYS.DRVXTABC.CREATE_TABLES function. A successful attack can lead to arbitrary SQL command execution.

Extended Description

Oracle Database is prone to an SQL-injection vulnerability in Oracle Text. The vulnerability can be exploited over the 'Oracle Net' protocol. For an exploit to succeed, the attacker must have 'Execute on CTXSYS.DRVXTABC' privileges. Exploiting this issue could allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This vulnerability affects the following supported versions: 9.2.0.8 9.2.0.8DV 10.1.0.5 10.2.0.4

Affected Products

• Oracle Oracle10g Enterprise Edition 10.1.0 .5
• Oracle Oracle10g Enterprise Edition 10.2.0.4
• Oracle Oracle10g Personal Edition 10.1.0.5
• Oracle Oracle10g Personal Edition 10.2.0.4
• Oracle Oracle10g Standard Edition 10.1.0 .0.5
• Oracle Oracle10g Standard Edition 10.2.0.4
• Oracle Oracle9i Enterprise Edition 9.2.0.8.0
• Oracle Oracle9i Enterprise Edition 9.2.0 .8DV
• Oracle Oracle9i Personal Edition 9.2.0 .8
• Oracle Oracle9i Personal Edition 9.2.0 .8DV
• Oracle Oracle9i Standard Edition 9.2.0.8
• Oracle Oracle9i Standard Edition 9.2.0 .8DV

References

• BugTraq: 36748
• CVE: CVE-2009-1991
• URL: http://dsecrg.com/pages/vul/show.php?id=110
• URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html