We are happy to announce that 3 new exploits for Oracle Database vulnerabilities (CPU April 2008) were found. The advisory about those vulnerabilities was published by Esteban Martinez Fayo from Application Security.
Brief text from the advisory:
"Oracle Database provides the "LT" PL/SQL package that is part of the Oracle Workspace Manager component. This package has multiple instances of SQL Injection in COMPRESSWORKSPACETREE, MERGEWORKSPACE and REMOVEWORKSPACE procedures. Depending on what Oracle Workspace Manager release is installed, this PL/SQL package is owned by SYS (on older releases) or by WMSYS (on newer releases). A malicious user can call the vulnerable procedures of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the package owner; depending on the system configuration, it can be SYS or WMSYS."
Our exploits not only give DBA rights to an unprivileged user but also execute operating system commands (creating a new user) using 3 different methods:
- SYS.LT.REMOVEWORKSPACE SQL Injection Exploit: grants DBA and creates a new OS user using an advanced extproc method that works on new database versions with updates.
- SYS.LT.MERGEWORKSPACE SQL Injection Exploit: grants DBA and creates a new OS user using Java procedures.
- SYS.LT.COMPRESSWORKSPACE SQL Injection Exploit: grants DBA and creates a new OS user using the database scheduler.
Exploits can be downloaded from our site or from milw0rm.com.
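
To check an instance for the exposure the advisory describes, the following Oracle SQL (an added example, not part of the original post or the advisory) lists which schema owns the LT package, who holds EXECUTE on it, and which accounts currently have the DBA role. It assumes a session that can read the DBA_* dictionary views.

```sql
-- 1. Which schema owns the LT package on this instance?
--    Per the advisory: SYS on older Workspace Manager releases,
--    WMSYS on newer ones. The owner is the privilege level an
--    injected statement would run with.
SELECT owner, object_type, status, last_ddl_time
FROM   dba_objects
WHERE  object_name = 'LT'
AND    object_type IN ('PACKAGE', 'PACKAGE BODY')
AND    owner IN ('SYS', 'WMSYS')
ORDER  BY owner, object_type;

-- 2. Are the three procedures named in the advisory present?
SELECT owner, object_name, procedure_name
FROM   dba_procedures
WHERE  object_name = 'LT'
AND    owner IN ('SYS', 'WMSYS')
AND    procedure_name IN ('COMPRESSWORKSPACETREE',
                          'MERGEWORKSPACE',
                          'REMOVEWORKSPACE')
ORDER  BY owner, procedure_name;

-- 3. Who can call the package? A grant to PUBLIC means every
--    authenticated account can reach the vulnerable procedures.
SELECT grantee, owner, table_name AS package_name, privilege, grantable
FROM   dba_tab_privs
WHERE  table_name = 'LT'
AND    owner IN ('SYS', 'WMSYS')
AND    privilege = 'EXECUTE'
ORDER  BY grantee;

-- 4. Which accounts hold the DBA role right now? Compare against the
--    list of expected administrators; an unexpected grantee is the
--    outcome the post describes (DBA rights for an unprivileged user).
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;
```

If query 1 returns SYS as the owner and query 3 shows a broad grantee, apply the April 2008 CPU before relying on any grant changes.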