Remote Compromise in Oracle 9i Database Server...and more...
Source: SNP
A large part of Oracle database functionality is provided by PL/SQL packages. PL/SQL, or Procedural Language/Structured Query Language, extends SQL and allows an "executable" package to be created that exports procedures and functions. PL/SQL packages can be extended to call functions exported by operating system libraries or Dynamic Link Libraries. It is possible to create a (PL/SQL) library and a PL/SQL package that calls any function in any library on the file system. An attack would probably call system() and pass the name of a program to be executed.
To do this, a user must be able to connect to the Oracle database server and log in with an account that has the CREATE LIBRARY permission before the attack can succeed. However, NGSSoftware Insight Security Research has discovered a way to fool the Oracle database server into loading arbitrary libraries and executing arbitrary functions without ever having to authenticate.
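An audit for the authenticated prerequisite described above, as an added example that is not part of the original report: it lists who holds a library-creation privilege, directly or through nested roles, and which library objects already exist. It assumes a session that can read the DBA_* data dictionary views, and it covers only the CREATE LIBRARY path, not the unauthenticated one.

```sql
-- Added example: audit of library-creation privileges and existing libraries.
-- Assumes the session can read the DBA_* data dictionary views.

-- 1. Users or roles granted a library-creation privilege directly.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
ORDER  BY grantee, privilege;

-- 2. Users who inherit such a privilege through roles, however deeply
--    the roles are nested. The walk starts at every role that holds the
--    privilege and follows role grants down to the accounts that receive them.
SELECT DISTINCT rp.grantee AS username
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START WITH rp.granted_role IN (
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY'))
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY username;

-- 3. Library objects that already exist, with the file each one points to.
--    Review any FILE_SPEC that names a general-purpose system library or a
--    path the database administrators did not create.
SELECT owner, library_name, file_spec, dynamic, status
FROM   dba_libraries
ORDER  BY owner, library_name;
```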
There were several reports related to Oracle posted today on BugTraq:
JSP translation file access under Oracle 9iAS
Multiple Buffer Overflows in Oracle 9iAS
Remote Compromise in Oracle 9i Database Server