Public Exploit Code for an Unpatched Vulnerability in Oracle10g
Wednesday May 3, 2006 at 11:53 am CST
Posted by David Marcus
New working 0-day exploit code for an unpatched vulnerability in Oracle Export Extensions was posted to Bugtraq last week. US-CERT reports that successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.
Rare in 2003/2004, 0-day attacks seem to be more and more common. The term applies to the distribution of an exploit for a vulnerability which has not yet been corrected. In this case, the period between the appearance of the exploit and that of the corrective patch is null or negative: null if the exploit and the patch arrive on the same day, negative if the patch arrives several days after the exploit.
More information about this new vulnerability can be found here:
US-CERT: Public Exploit Code for Unpatched Vulnerability in Oracle
Secunia Advisory: SA19860
As of May 2nd, we are not aware of any vendor-supplied patches for this issue.
