Become DBA via Oracle DBMS_SYS_SQL in Oracle 8i / 9i / 10g
The following test case is from Oracle itself. A test case is nothing else than an exploit or proof of concept code. This test case allows to become DBA if the permission on DBMS_SYS_SQL are granted . By default only XDB has execute permission. Sometimes PORTAL30, PORTAL30_SSO and OAS_PUBLIC has also execute permission on DBMS_SYS_SQL.
Metalink note 112271.1 gives the following advice:
grant execute privileges on DBMS_SYS_SQL to the (default user) OAS_PUBLIC.
BE CAREFUL DOING THIS...
Never grant DBMS_SYS_SQL to public;
sqltext varchar2(100) := 'alter user system identified by hacker';
select user_id into uid from all_users where username like 'SYSTEM';
No patch required. Never grant DBMS_SYS_SQL to public.
© 2005 by Red-Database-Security GmbH - last update 02-nov-2005