Vulnerability Development mailing list archives

Re: Perl / Oracle Vuln. New or Not?


From: Simon Kenton <simon_k () MAILANDNEWS COM>
Date: Thu, 7 Dec 2000 18:52:38 -0500

Thanks for all of the responses.  I am trying to compile some of the
information I received before submitting some information to the people
working on the Perl DBI / DBD modules.  Let me know if it sounds reasonable.
I am also including a quote from a response I received from Ian Stoba which
was very informative.

---------------
System:
Solaris 2.6 running Netscape Enterprise Server, Perl5, and Oracle.

Symptoms:
Inputting 40,001 or more characters into any form field causes an application
error.


Inputting 80,001 or more characters causes additional errors.

Output From Web server:
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.
DBD::Oracle::db prepare failed: ORA-01704: string literal too long (DBD ERROR: OCIStmtExecute/Describe) at /usr/local/lib/perl5/site_perl/5.005/DBIx.pm line 183.

Impact:
When 40,001+ characters are entered into a textbox field and submitted via
the form, the web server displays the directory structure of the server, the
version of Perl running, and divulges the fact that Oracle is installed on the
system.  This gives an attacker information about a system that only system
administrators have a legitimate need to know.  This information could help an
attacker craft a successful attack against a server with this vulnerability.
When 80,001+ characters are submitted through the form, the Perl script dies,
and the web server displays a ‘page unavailable’ error.  Either of these
conditions may be causing a buffer overflow condition giving a further
opportunity for an attacker to compromise the server.

Cause:
The HTML form linked to foo.pl does not limit the number of characters that it
passes to foo.pl.  The Perl script does not limit the size of data it will
accept by automatically truncating data input through the form before
submitting the string to the DBI module, which does some sanity checking of the
SQL string before the string is sent to Oracle for processing.  DBI is a module
for Perl that is used to provide connectivity between Perl and databases (such
as Oracle).  This does prevent corruption of the database as the DBIx module
seems to be dying while it is preparing the SQL statement before the statement
is passed to Oracle, which causes an error in Perl as opposed to potentially
causing an error in Oracle.

------------------------------


===== Original Message From Ian Stoba <ian () babcockbrown com> =====
You may be inundated with responses already, so I apologize if this is
redundant.

Based on the error message, it appears that the perl script is using the very
popular DBI kit to connect to Oracle. The way DBI works (with its database
specific DBD drivers) is that SQL statements are first prepared (i.e. sanity
checked and preprocessed) and then executed.

The good news, if there is any, is that the error is thrown *before* any attempt
is made to send data to the Oracle database. This means that the buffer overrun
(if that is what it is) should affect only the perl process and not the Oracle
application or the database integrity.

You might want to bring this up with the maintainers of DBI:

http://www.symbolstone.org/technology/perl/DBI

I hope this is useful for you,

--Ian


------------------------------
   Simon Kenton
   Folk Hero To The Stars
------------------------------
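An added example, not code from this post or from the DBI project, contrasting the pattern the post describes (a form field interpolated straight into the SQL text, so it becomes a string literal that Oracle rejects with ORA-01704 and DBI's die message, paths included, reaches the browser) with a hardened handler that caps the field length, binds the value through a DBI placeholder, and keeps the driver's error text in the server log. The 4000-character cap, the `comments` table and its `body` column are assumptions; DBI is assumed installed, and the demonstration below exercises only the validation path, so no database connection is needed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumed per-field cap; the post does not state the field size, 4000 is
# chosen here as a conservative limit well below the 40,001 that failed.
use constant MAX_FIELD_LEN => 4000;

# Weak form, as described in the post: the raw field is interpolated into
# the statement text, so its whole length lands inside a SQL string literal.
sub weak_sql {
    my ($comment) = @_;
    return "INSERT INTO comments (body) VALUES ('$comment')";
}

# Hardened form, step 1: reject oversized input before any SQL is built.
sub validate_field {
    my ($name, $value) = @_;
    die "field '$name' exceeds " . MAX_FIELD_LEN . " characters\n"
        if length($value) > MAX_FIELD_LEN;
    return $value;
}

# Hardened form, step 2: a placeholder binds the value as a parameter, so the
# statement text stays fixed regardless of what the user typed.
sub insert_comment {
    my ($dbh, $comment) = @_;
    my $body = validate_field('comment', $comment);
    my $sth  = $dbh->prepare('INSERT INTO comments (body) VALUES (?)');
    $sth->execute($body);
}

# Hardened form, step 3: catch DBI/validation errors, log the real message
# server-side and return a generic one, so file paths, Perl version and the
# presence of Oracle are not disclosed in the HTTP response.
sub handle_request {
    my ($dbh, $comment) = @_;
    my $ok = eval { insert_comment($dbh, $comment); 1 };
    if (!$ok) {
        warn "comment insert failed: $@";    # goes to the web server error log
        return 'Sorry, your request could not be processed.';
    }
    return 'Thank you.';
}

# Constructed oversized input matching the post's 40,001-character case.
my $oversized = 'A' x 40_001;
print 'Weak statement length: ', length(weak_sql($oversized)), "\n";
print handle_request(undef, $oversized), "\n";   # rejected before prepare()
```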

