Exploit for January CPU 2009 published

Alexandr Polyakov, an Oracle security expert from Russia (who reported findings in CPUJan2008 and CPUJul2008), has posted details of one of his Oracle 11g findings on the dsecrg.com website.

By using the following PL/SQL fragment

exec EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS('EXFSYS','EXF$VERSION','EXFVERSION','YYYYYYY'' and 1=EVILPROC()--')

it is possible to escalate privileges via SQL injection. More details (e.g. an extract from v$sql) can be found in their advisory.
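The general pattern behind this class of bug, shown as an added example that is not taken from the advisory or from Oracle's package source: a definer-rights procedure that concatenates a caller-supplied string into dynamic SQL, next to a form that validates identifiers with DBMS_ASSERT and binds the value. The names demo_stats, demo_count_unsafe and demo_count_safe are hypothetical.

```sql
-- Added illustration: hypothetical objects, not Oracle's DBMS_EXPFIL_DR source.
CREATE TABLE demo_stats (name VARCHAR2(30), val NUMBER);

-- Weak: definer-rights procedure that splices a caller-supplied
-- string into dynamic SQL.
CREATE OR REPLACE PROCEDURE demo_count_unsafe(p_name IN VARCHAR2)
AUTHID DEFINER AS
  v_cnt NUMBER;
BEGIN
  -- A single quote inside p_name closes the literal; the rest is parsed as
  -- SQL, and a trailing -- comments out the closing quote appended below.
  -- Any function named there runs with the procedure owner's privileges.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM demo_stats WHERE name = ''' || p_name || ''''
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE(v_cnt);
END;
/

-- Corrected: invoker rights, identifiers validated, value passed as a bind.
CREATE OR REPLACE PROCEDURE demo_count_safe(
  p_owner IN VARCHAR2,
  p_table IN VARCHAR2,
  p_name  IN VARCHAR2)
AUTHID CURRENT_USER AS
  v_cnt NUMBER;
  v_obj VARCHAR2(200);
BEGIN
  -- Identifiers cannot be bound, so they are checked instead:
  -- SIMPLE_SQL_NAME raises ORA-44003 and SQL_OBJECT_NAME raises ORA-44002
  -- for anything that is not a plain name of an existing object.
  v_obj := DBMS_ASSERT.SQL_OBJECT_NAME(
             DBMS_ASSERT.SIMPLE_SQL_NAME(p_owner) || '.' ||
             DBMS_ASSERT.SIMPLE_SQL_NAME(p_table));
  -- The value never becomes part of the SQL text.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || v_obj || ' WHERE name = :n'
    INTO v_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE(v_cnt);
END;
/

-- A value of the same shape as the fourth argument above (the doubled quote
-- becomes one quote in the string) is compared as plain data when bound.
BEGIN
  demo_count_safe(USER, 'DEMO_STATS', 'YYYYYYY'' and 1=1--');
END;
/
```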

Other advisories for the January 2009 CPU cover other Oracle Products like BEA Application Server, Oracle E-Business Suite and
