Vulnerabilities > CVE-2005-4832 - Remote SQL Injection vulnerability in Oracle 10g Database SUBSCRIPTION_NAME

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
nessus
exploit available
metasploit

Summary

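SQL injection vulnerability in the Oracle Database Server 10g allows remote authenticated users to execute arbitrary SQL commands with elevated privileges via the SUBSCRIPTION_NAME parameter in the (1) SYS.DBMS_CDC_SUBSCRIBE and (2) SYS.DBMS_CDC_ISUBSCRIBE packages, a different vector than CVE-2005-1197. Note that this description requires an authenticated database user, whereas the CVSS metrics above list "Privileges required" as NONE; when assessing exposure, treat a valid database account as a precondition for this vector.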

Exploit-Db

  • description: Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability (1). CVE-2005-4832. Remote exploits for multiple platforms.
    id: EDB-ID:25452
    last seen: 2016-02-03
    modified: 2007-02-23
    published: 2007-02-23
    reporter: bunker
    source: https://www.exploit-db.com/download/25452/
    title: Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability 1
  • description: Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability (2). CVE-2005-4832. Remote exploits for multiple platforms.
    id: EDB-ID:25453
    last seen: 2016-02-03
    modified: 2007-02-26
    published: 2007-02-26
    reporter: bunker
    source: https://www.exploit-db.com/download/25453/
    title: Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability 2

Metasploit

description: This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION package/function. This vulnerability affects Oracle Database Server 9i up to 9.2.0.5 and 10g up to 10.1.0.4.
id: MSF:AUXILIARY/SQLI/ORACLE/DBMS_CDC_SUBSCRIBE_ACTIVATE_SUBSCRIPTION
last seen: 2020-06-01
modified: 2017-08-29
published: 2011-12-13
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/sqli/oracle/dbms_cdc_subscribe_activate_subscription.rb
title: Oracle DB SQL Injection via SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION

Nessus

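NASL family: Databases
NASL id: ORACLE_MULTIPLE.NASL
description: According to its version number, the installation of Oracle on the remote host is reportedly subject to multiple vulnerabilities, some of which don't require authentication. They may allow an attacker to craft SQL queries such that they would be able to retrieve any file on the system and potentially retrieve and/or modify confidential data on the target's Oracle server.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18034
published: 2005-04-13
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18034
title: Oracle Database 10g Multiple Remote Vulnerabilities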
code
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

# Plugin registration block. When the script is loaded with `description`
# set, only this block runs: it records the plugin's identity, references
# and requirements, then exits without performing any check.
if (description) {
  script_id(18034);
  script_version("1.32");

  # One plugin id covers four CVEs (CVE-2005-4832 is one of them), so a
  # finding from this plugin does not identify which individual flaw applies.
  script_cve_id(
    "CVE-2004-1774",
    "CVE-2005-3202",
    "CVE-2005-3203",
    "CVE-2005-4832"
  );
  # Bugtraq ids associated with the same bundle of issues.
  script_bugtraq_id(
    13145,
    13144,
    13139,
    13238,
    13236,
    13235,
    13234,
    13239,
    15031,
    15033
  );

  script_name(english:"Oracle Database 10g Multiple Remote Vulnerabilities");
 
 # Report text. The description states the result is inferred from the
 # version number, i.e. the flaws themselves are not exercised.
 script_set_attribute(attribute:"synopsis", value:
"The remote database server suffers from multiple flaws." );
 script_set_attribute(attribute:"description", value:
"According to its version number, the installation of Oracle on the
remote host is reportedly subject to multiple vulnerabilities, some of
which don't require authentication.  They may allow an attacker to
craft SQL queries such that they would be able to retrieve any file on
the system and potentially retrieve and/or modify confidential data on
the target's Oracle server." );
 # The "solution" text is only a list of advisory links (plain http) with no
 # remediation sentence. NOTE(review): the cpuapr2005 link together with the
 # 2005/04/12 patch date below suggests the fix is Oracle's April 2005
 # Critical Patch Update - confirm before quoting this in a report.
 script_set_attribute(attribute:"solution", value:
"http://www.red-database-security.com/advisory/oracle_htmldb_css.html
http://www.red-database-security.com/advisory/oracle_htmldb_plaintext_password.html
http://www.oracle.com/technetwork/topics/security/cpuapr2005-132777.pdf" );
  # A single CVSS2 base vector is applied to the whole bundle. Au:N (no
  # authentication) agrees with "some of which don't require authentication"
  # in the description above.
  # NOTE(review): the published CVE-2005-4832 text speaks of authenticated
  # users, so Au:N should not be read as applying to every bundled CVE -
  # confirm per CVE when prioritising.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # Temporal vector: proof-of-concept exploit code, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # Exploit-availability flags are metadata for prioritisation only; nothing
  # in this script runs an exploit.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploithub_sku", value:"EH-11-844");
 script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
 # Timeline: vulnerability published 2004/09/01, patch 2005/04/12, plugin 2005/04/13.
 script_set_attribute(attribute:"plugin_publication_date", value: "2005/04/13");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/09/01");
 script_set_attribute(attribute:"patch_publication_date", value: "2005/04/12");
 script_cvs_date("Date: 2018/07/18 17:43:55");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server");
script_end_attributes();

 
  script_summary(english:"Checks for multiple remote vulnerabilities in Oracle Database");
  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Databases");
  # Depends on oracle_tnslsnr_version.nasl and on a detected TNS listener
  # service; presumably that plugin stores the listener version string this
  # script reads from the knowledge base - verify against that plugin.
  script_dependencie("oracle_tnslsnr_version.nasl");
  script_require_ports("Services/oracle_tnslsnr");

  # End of registration; the check logic is never reached in description mode.
  exit(0);
}

# Plugin is disabled: the author marked it "broken", and the unconditional
# exit below ends every run before any check is made. The reason is not
# recorded here.
# Consequence for scan results: this plugin never reports, so the absence of
# a finding says nothing about whether the CVEs listed in its metadata are
# patched on the target.
exit (0);

# ---- Everything below is unreachable while the exit above is in place ----

# TNS listener port recorded in the knowledge base; nothing to do without one.
port = get_kb_item("Services/oracle_tnslsnr");
if (isnull(port)) exit(0);


# Version string stored in the knowledge base under oracle_tnslsnr/<port>/version.
version = get_kb_item(string("oracle_tnslsnr/", port, "/version"));
if (version) {
  # Version-string match only; the vulnerable packages are never queried.
  # Flagged ranges, as written in the pattern:
  #   8.0.x, 8.1.0-8.1.6, 8.1.7.0-8.1.7.4
  #   9.0.0.x, 9.0.1.0-5, 9.0.2.0-6, 9.0.3.0-1, 9.0.4.0-1, 9.2.0.0-6
  #   10.0.x, 10.1.0.0-4
  #   11.0-11.4, 11.5.0-9
  # Several alternatives end on a digit class with no delimiter after it
  # (e.g. `2\.0\.[0-6]`, `1\.0\.[0-4]`), so a longer component starting with
  # one of those digits would also match.
  # NOTE(review): a match reflects the reported version string, not patch
  # state; if a fix can be applied without changing that string, this logic
  # would flag patched hosts - confirm before re-enabling. Also confirm which
  # product the 11.x branch is meant to cover.
  if (ereg(pattern:".*Version (8\.(0\.|1\.([0-6]\.|7\.[0-4]))|9\.(0\.(0\.|1\.[0-5]|2\.[0-6]|3\.[0-1]|4\.[0-1])|2\.0\.[0-6])|10\.(0\.|1\.0\.[0-4])|11\.([0-4]\.|5\.[0-9][^0-9]))", string:version)) security_hole(port);
}