Vulnerability in Oracle 11gR2 allows system privileges for all
2010-02-06 15:10
At the recent Black Hat DC 2010 conference, British security expert David Litchfield demonstrated vulnerabilities in Oracle's latest 11gR2 database release. Overgenerous privileges for Java procedures allow users to escalate their own privileges, up to the point of gaining complete control over the database.

This is due to the fact that any user can execute the procedures contained in the DBMS_JVM_EXP_PERMS package, which is aimed at making it easier to update Oracle installations. In particular, users can use the IMPORT_JVM_PERMS procedure to change their privileges in the Java policy table so that the JVM allows them to execute operating system commands and to read and write files.

This vulnerability alone does not allow a user lacking the relevant privileges to carry out these operations – this is prevented by Oracle's own system of privileges and roles. A second bug, however, allows users to adapt these privileges as required. The guilty procedure is DBMS_JAVA.SET_OUTPUT_TO_JAVA. This launches a new Java VM with the privileges of the SYS user and starts by executing any SQL code passed to it with said privileges. Litchfield has demonstrated how, by using appropriate parameters when calling DBMS_JAVA.SET_OUTPUT_TO_JAVA, an unprivileged user is able to escalate to a fully-privileged DBA user. Thanks to the changes previously made to the Java policy table, he is now able to execute operating system commands. Litchfield illustrated this under Windows 7 by creating a new user to which he then assigned administrator privileges.

He also demonstrated that it is possible to circumvent the database's Label Security, for which Oracle has received EAL4 certification under Common Criteria. Label Security is intended to ensure that users are only able to see information intended for them. He demonstrated that vulnerabilities in the Java implementation allow arbitrary dynamic libraries to be loaded into the Oracle process. This gives them access to data which should be strictly locked down by Label Security.

Litchfield reports that he informed Oracle of the vulnerabilities back in November. No patch has yet been forthcoming. As a workaround, he recommends removing the generous execution privileges of PUBLIC from the DBMS_JAVA, DBMS_JAVA_TEST and DBMS_JVM_EXP_PERMS packages.

Although video of Litchfield's talk was available from the Black Hat DC 2010 site, The H found that the video has since been removed.
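
The workaround described above, written out as an audit-then-revoke sequence for a DBA session. This is an added example, not part of the original article or Litchfield's material; it assumes the packages are owned by SYS and uses the standard dictionary views DBA_TAB_PRIVS, DBA_DEPENDENCIES and DBA_JAVA_POLICY.

```sql
-- Added example (not from the original article). Run as a DBA.

-- 1. List every grantee that can currently execute the three packages
--    named in the workaround. A row with GRANTEE = 'PUBLIC' means any
--    database user can call the package.
SELECT grantee, table_name AS package_name, privilege, grantor
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
AND    privilege = 'EXECUTE'
ORDER  BY table_name, grantee;

-- 2. Before revoking, find objects outside SYS that reference these
--    packages; they may rely on the PUBLIC grant and need an explicit
--    grant to their owning schema afterwards.
SELECT owner, name, type, referenced_name
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
AND    owner <> 'SYS'
ORDER  BY referenced_name, owner, name;

-- 3. Apply the workaround: remove EXECUTE from PUBLIC on all three.
REVOKE EXECUTE ON sys.dbms_java          FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_java_test     FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 4. Review the Java policy table for file permissions. The article
--    describes users altering this table to gain file read/write and
--    command execution, so any grantee here that is not an expected
--    administrative account or role deserves a closer look.
SELECT grantee, kind, type_name, name, action, enabled, seq
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
ORDER  BY grantee, seq;

-- 5. Re-run query 1 to confirm PUBLIC no longer appears.
```

Re-run queries 1 and 4 periodically, since a later patch set or component install can restore grants to PUBLIC.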