Oracle Database up to 10g Release 2 DBMS_EXPORT_EXTENSION sql injection
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.0 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as problematic has been discovered in Oracle Database up to 10g Release 2. This vulnerability affects the function DBMS_EXPORT_EXTENSION. Such manipulation leads to sql injection.
This vulnerability is uniquely identified as CVE-2006-2081. The attack can be launched remotely. Moreover, an exploit is present.
Disabling the affected component is suggested.
Details
A vulnerability was found in Oracle Database up to 10g Release 2 (Database Software) and classified as critical. Affected by this issue is the function DBMS_EXPORT_EXTENSION. The manipulation with an unknown input leads to a sql injection vulnerability. Using CWE to declare the problem leads to CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not releated to special characters, so this is not "SQL injection" per se.
The weakness was disclosed 04/27/2006 by David Litchfield with NGSSoftware (Website). The advisory is shared for download at lists.grok.org.uk. This vulnerability is handled as CVE-2006-2081 since 04/27/2006. The attack may be launched remotely. The successful exploitation needs a simple authentication. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1505.
After before and not just, there has been an exploit disclosed. The exploit is available at exploit-db.com. It is declared as highly functional. The vulnerability was handled as a non-public zero-day exploit for at least 8 days. During that time the estimated underground price was around $5k-$25k.
Applying a patch is able to eliminate this problem. The bugfix is ready for download at oracle.com. Attack attempts may be identified with Snort ID 7208. In this case the pattern dbms_export_extension.get_domain_index_metadata is used for detection.
The vulnerability is also documented in the databases at X-Force (26048), Exploit-DB (3401), SecurityFocus (BID 17699†), OSVDB (25002†) and Secunia (SA19860†). The entries VDB-30340 and VDB-29736 are pretty similar. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.oracle.com
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 6.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Sql injectionCWE: CWE-89 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Access: Public
Status: Highly functional
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
MetaSploit ID: dbms_export_extension.rb
MetaSploit Name: Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION
MetaSploit File: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: DisableStatus: 🔍
0-Day Time: 🔍
Patch: oracle.com
Snort ID: 7208
Snort Message: ORACLE DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA access attempt
Snort Pattern: 🔍
Timeline
04/19/2006 🔍04/26/2006 🔍
04/26/2006 🔍
04/27/2006 🔍
04/27/2006 🔍
04/27/2006 🔍
04/27/2006 🔍
05/05/2006 🔍
01/20/2025 🔍
Sources
Vendor: oracle.comAdvisory: lists.grok.org.uk
Researcher: David Litchfield
Organization: NGSSoftware
Status: Confirmed
CVE: CVE-2006-2081 (🔍)
GCVE (CVE): GCVE-0-2006-2081
GCVE (VulDB): GCVE-100-2192
CERT: 🔍
X-Force: 26048 - Oracle Database SYS.DBMS_EXPORT_EXTENSION SQL injection, Medium Risk
SecurityFocus: 17699 - Oracle 10g DBMS_EXPORT_EXTENSION SQL Injection Vulnerability
Secunia: 19860 - Oracle Database "DBMS_EXPORT_EXTENSION" Package SQL Injection, Less Critical
OSVDB: 25002 - Oracle Database DBMS_EXPORT_EXTENSION Package SQL Injection
SecurityTracker: 1015999
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 05/05/2006 17:12Updated: 01/20/2025 08:12
Changes: 05/05/2006 17:12 (87), 03/30/2019 17:52 (3), 01/20/2025 08:12 (17)
Complete: 🔍
Cache ID: 216:397:103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.