Re: So whats up with the 11.2 java security hole?

From: Vladimir M. Zakharychev <vladimir.zakharychev_at_gmail.com>
Date: Sun, 7 Feb 2010 03:19:11 -0800 (PST)
Message-ID: <c50d0666-f1ff-4f2e-b1a2-84fbd367d462_at_b2g2000yqi.googlegroups.com>



On Feb 7, 2:47 am, John Hurley <johnbhur..._at_sbcglobal.net> wrote:
> Based on David Litchfield ...
>
> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...

Hmm... Off the top of my head: an unprivileged user can execute external programs on the server from Java in the context of the Oracle owner user. If this is so, then it's trivial to create a script with GRANT DBA TO SCOTT in it and then execute 'sqlplus "/ as sysdba" @becomedba.sql'. Actually, the possibilities to compromise the system and its neighborhood further are limitless. Combined with some unauthenticated remote PL/SQL code execution exploit (for unpatched mod_plsql/OWA, for example), this hole is very dangerous indeed. You can grab whatever you please from such a system or wreak havoc on it, map the internal network and its services, siphon data from nearby Oracle databases by creating DB links to them, etc.

Before posting the above I quickly swept the net about this and found that Alex Kornbrust posted the details in his blog at http://blog.red-database-security.com/ and it's exactly this kind of attack. He also suggests the workaround (revoking EXECUTE from PUBLIC on certain Java-related packages). Actually, I'd check the privileges on these packages and revoke EXECUTE from everyone else, too. SYS is just enough.

By the way, DBMS_SCHEDULER has the capability to execute external programs, too. Hope default privileges for it are better thought out and it's locked tight out of the box...

Regards,

   Vladimir M. Zakharychev
   N-Networks, makers of Dynamic PSP(tm)    http://www.dynamicpsp.com

Received on Sun Feb 07 2010 - 05:19:11 CST
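A defender-side check for the workaround discussed in the post above (revoking EXECUTE from PUBLIC, and from everyone but SYS, on the Java-related packages) and for the DBMS_SCHEDULER question it raises. This is an added example, not part of the original message or of Alex Kornbrust's blog post: it lists EXECUTE grants on SYS-owned packages that can reach the operating system and generates the matching REVOKE statements. It assumes a DBA session, the standard DBA_TAB_PRIVS view, and that the relevant Oracle packages carry JAVA or JVM in their names; the exact package set varies by release, so treat the name patterns as an assumption to verify against your own instance.

```sql
-- Added example (not from the original post): audit EXECUTE grants on
-- SYS-owned packages that can run OS-level code (Java packages and
-- DBMS_SCHEDULER). Run as a DBA. The JAVA/JVM name patterns are an
-- assumption; check the result against your release's package list.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    privilege = 'EXECUTE'
AND    (table_name LIKE '%JAVA%'
        OR table_name LIKE '%JVM%'
        OR table_name = 'DBMS_SCHEDULER')
ORDER  BY table_name, grantee;

-- Generate REVOKE statements for every grantee other than SYS
-- (PUBLIC included). Review the list before running it: schemas that
-- legitimately use Java stored procedures or scheduler jobs will need
-- the grant restored to them explicitly afterwards.
SELECT 'REVOKE EXECUTE ON ' || owner || '.' || table_name
       || ' FROM ' || grantee || ';' AS revoke_stmt
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    privilege = 'EXECUTE'
AND    grantee <> 'SYS'
AND    (table_name LIKE '%JAVA%'
        OR table_name LIKE '%JVM%'
        OR table_name = 'DBMS_SCHEDULER');
```

Re-run the first query after applying the revokes; any row that still shows PUBLIC as grantee means the hole the post describes is still open from every account in the database, not just from the privileged ones. Test the revokes on a non-production copy first, since applications that call Java from PL/SQL will fail until their owning schema is granted EXECUTE directly.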
