Archive for the ‘Exploit’ Category

Paul Wright Released Whitepaper About „Create Table to OSDBA“ (Preprocessor Exploit)

Dienstag, Oktober 20th, 2009

Paul Wright wrote an interesting whitepaper „Create table to OSDBA“ about the new preprocessor feature in and higher to run OS commands via tables. This whitepaper shows how to escalate privileges by running operating system commands using create table together with utl_file. In the future Oracle plans to backport the functionality to Oracle

I already talked about the danger of running OS commands via „Create Table“ in February 2009 „Trends 2009“ (German slides, slide 20) and released in April 2009 a tutorial how to run OS commands via Create table, dbms_scheduler,extproc,plsql native 9, plsql native 10/11, Oracle text and alter systems.Paul added the idea executing files created with utl_file.

Oracle changed the preprocessor handling in Oracle  In it is necessary to have the EXECUTE privileges  on a directory objects („Execute a preprocessor program that resides in the directory. A preprocessor program converts data to a supported format when loading data records from an external table with the ORACLE_LOADER access driver. Refer to Oracle Database Utilities for more information. This privilege does not implicitly allow READ access on the external table data.“).

Paul wrote a recommendation how to mitigate the preprocessor risk. He recommends to revoke utl_file from public. This is a good idea but keep in mind that there are multiple ways to create (text) files on OS level (e.g. Sample Exploit using dbms_advisor).

I would also recommend to grant read,write instead of granting ALL on directory objects (which includes EXECUTE in And granting to PUBLIC is also always a bad idea. Grant privileges always to a role and/or user only.

Defcon Presentation about an Oracle Worm, oap_hacker and bsqlbf

Mittwoch, August 5th, 2009

Sumit Siddharth has published his Defcon presentation about „The Making of Second SQL Injection Worm (Oracle Edition)„.

Sumit describes the differences between SQL Injection and PL/SQL Injection and presents his tool „“ which allows to run OS commands via Java. and Bsqlbf v.2.3 are using a PL/SQL Injection bug in dbms_export_extension (the old one and not the new one which was fixed with the CPU July 2009).

BTW, the (underground) tool to dump data from Oracle databases is also using the dbms_export_extension vulnerability to run OS command.

A demo of his Oracle worm is available on YouTube.

Here are some screenshots how to overtake a client PC accessing an (via worm) infected Oracle System:

Oracle Worm 1

Oracle Worm 2

Oracle Worm 3

Oracle Worm 4

Very interesting work. Thanks Sumit for this presentation.

Oracle Hacking with Metasploit Videos

Sonntag, August 2nd, 2009

Chris Gates has uploaded some of the videos how to hack Oracle with Metasploit:

  • Metasploit Oracle TNSCMD SMBRelay Demo
  • Metasploit Oracle Extproc Backdoor Demo
  • Metasploit Oracle Login Brute and Privilege Check Demo
  • Metasploit Oracle CGI Scanner and SID enumeration

Perl – Script to run OS commands via Oracle based Web Apps released

Freitag, Mai 1st, 2009

Sumit Siddarth from has released a small perl script to run OS commands via Oracle based Web Apps. Sumit is using the bug in dbms_export_extension. This problem was fixed with CPU July 2006 but all databases without this (or higher CPU or patchset) are affected (Oracle, –, –,, XE) . More details are available in my updated tutorial.

I tested the script together with him against several of my test database.

Run OS Commands via webapps via perl script

The script is easy to use. Under MacOS I had to install p5-libwww-perl to run it.

At the moment the script does not work against Oracle databases without java but I am sure sooner or later this will be changed. In my opinion the most generic way to run OS commands (as user Oracle) is PL/SQL native (Oracle 9i, Oracle 10g/11g).

Listener Exploit (April 2009) from Dennis Yurichev published

Dienstag, April 21st, 2009

Dennis Yurichev has posted a proof of concept code for Oracle TNS listener . This issue was fixed with patches from the April 2009 CPU.