Penetration from application down to OS. Getting OS access using Oracle Database unprivileged user
This whitepaper is part of a series of publications describing various ways of obtaining access to the server operating system using vulnerabilities in popular business applications found in corporate environments.
Once, during a penetration test of a corporate network, I got an unprivileged account on an Oracle Database, and my plan was to get an administrative shell on the server where the database was installed. The server was running the Windows 2003 Server operating system, and the Oracle database was running with the privileges of the Administrator (not LOCAL_SYSTEM) account. It is quite a common situation, though. The default way is to escalate privileges in the database using one of the latest SQL injection vulnerabilities and then use DBA privileges to gain access to the OS using one of the popular methods such as ExtProc, Java, extjob, etc. So it seems to be quite simple, and I thought about other ways.
What if the database is patched with the latest Critical Patch Updates (CPUs) and additionally has some kind of intrusion detection system that can find 0-day vulnerabilities or something like that, so it is impossible to escalate privileges using SQL injection? Of course, there are some methods of escalating privileges without exploits, for example: finding cleartext passwords in the database, connecting to the listener internally and rewriting the log file, or escalating privileges using dangerous roles such as ‘SELECT ANY DICTIONARY’, ‘CREATE ANY TRIGGER’ or something like that. But these methods can’t give you 100% success. I guess there must be another way, maybe not universal but better than those described.
In short, this paper describes investigations into getting an administrative shell on the server while having only unprivileged rights on the Oracle Database.