Bugtraq mailing list archives

Re: SQL Smuggling

From: Marco Ivaldi <raptor () mediaservice net>
Date: Wed, 10 Sep 2008 13:03:24 +0200 (ora solare Europa occidentale)

Avi,

On Tue, 9 Sep 2008, douglen () hotmail com wrote:

[snip]

Of course, I'm looking forward to hearing about other instances ofthis...


Interesting reasearch.

It looks like Oracle DBMS may be vulnerable to the "Unicode Smuggling"attack exploiting homoglyphic translation. As outlined by David Litchfieldin an old full-disclosure post [1]:

"It didn't take long to discover that this patch could be bypassed usingthe following techinque: due to internationalization, an Oracle databaseserver will convert the ? character (value 0xFF) to a capital Y. The PLSQLGateway will not. Thus, if we request:


http://www.example.com/pls/dad/S%FFS.PACKAGE.PROCEDURE

the gateway will happily pass it over to the database server where the ?is conveted to a Y and we can gain access again".


Cheers,

[1]. See http://seclists.org/fulldisclosure/2006/Feb/0011.html

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

Current thread:

SQL Smuggling douglen (Sep 09)
- Re: SQL Smuggling Marco Ivaldi (Sep 10)
- Re: SQL Smuggling Tim (Sep 10)
  - RE: SQL Smuggling Gary Oleary-Steele (Sep 11)