Oracle Database OLAP component ODCITABLESTART buffer overflow

Added: 02/06/2009
CVE: CVE-2008-3974
BID: 33177
OSVDB: 51347

Background

The Online Analytical Processing (OLAP) component of Oracle Database is a set of stored procedures used for multi-dimensional analytical queries.

Problem

A buffer overflow vulnerability in the ODCITABLESTART function allows command execution using a specially crafted SQL query.

Resolution

Apply the Oracle Critical Patch Update for January 2009.

References

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Limitations

Exploit works on Oracle Database 9i 9.0.2.1.

This exploit requires the login and password of a database account with EXECUTE privilege on the SYS.OLAPIMPL_T package. The default "scott" user has sufficient privilege.
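To see which accounts meet that precondition on a given database, the data dictionary can be queried as below. This is an added audit example, not part of the original advisory; it assumes a session that can read the DBA_* views, and it uses CONNECT BY so that it also runs on 9i.

```sql
-- 1. Direct grants of EXECUTE on SYS.OLAPIMPL_T (to users, roles or PUBLIC).
--    DBA_TAB_PRIVS lists object privileges for every object kind, not only tables.
--    A row with GRANTEE = 'PUBLIC' means every account holds the privilege.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'OLAPIMPL_T'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Accounts that inherit the privilege through a role, following nested roles
--    from each role found in query 1 down to the users that hold it.
SELECT DISTINCT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (
         SELECT rp.grantee
         FROM   dba_role_privs rp
         START  WITH rp.granted_role IN (
                  SELECT grantee
                  FROM   dba_tab_privs
                  WHERE  owner      = 'SYS'
                  AND    table_name = 'OLAPIMPL_T'
                  AND    privilege  = 'EXECUTE')
         CONNECT BY PRIOR rp.grantee = rp.granted_role)
ORDER  BY u.username;

-- 3. Status of the default SCOTT account named in the advisory.
--    Anything other than a locked or expired status means the account can log in.
SELECT username, account_status
FROM   dba_users
WHERE  username = 'SCOTT';
```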

Platforms

Windows
