Penetration: from application down to OS. Getting OS access using Oracle Database unprivileged user
This whitepaper is part of series of publications describing various ways of obtaining access to the server operating system, using vulnerabilities in popular business applications which meet in the corporate environment.
Author: Alexandr Polyakov
Once upon a time during a penetration test of corporate network I got a unprivileged account on Oracle Database and my plan was to get administrative shell on server where its database was installed. Server was running Windows 2003 server operation system and Oracle database was running with Administrator privileges (not
LOCAL_SYSTEM) account. It is a quite common situation, though. Default way is to escalate privileges on database using one of the latest SQL Injection vulnerabilities and then using DBA privileges to gain access to OS using one of the popular methods such as ExtProc, Java, extjob etc. So it seems to be quite simple and I thought about other ways.
What if database is patched with latest CPU updates and additionally it has some kind of Intrusion Detection System which can find 0-day vulnerabilities or something like this and it is impossible to escalate privileges using SQL Injections? Of course, there are some methods of escalating privileges without exploits. For example: find clear-text passwords in the database or connect to listener internally and rewrite log file or escalate privileges using some dangerous roles such as ‘
SELECT ANY DICTIONARY’, ‘
CREATE ANY TRIGGER’ or something like this. But this methods can’t give you 100% success. I guess there must be another way, maybe it’s not all-applicable but better than the described one.
In short, this paper describes investigations to get administrative shell on server having unprivileged rights on Oracle Database.[styled_link link=’/wp-content/uploads/pub/Penetration%20from%20application%20down%20to%20OS%20(Oracle%20database).pdf’ type=’attachment’]Penetration from application down to OS (Oracle database).pdf[/styled_link]