A buffer overflow vulnerability was found in the SYS_CONTEXT procedure in Oracle Database Server allows a valid database user to execute arbitrary code. The vulnerability can be exploited by any valid database user with CONNECT privileges. The buffer overflow can then be exploited by calling the SYS_CONTEXT() function. This module has two uses: One as a Remote Exploit, which needs authentication, and another as an SQL Injection OS Agent installer module, which needs an Oracle SQL Agent as a target.
Thursday, January 28, 2010 - 18:00