Vulnerability in Oracle 11gR2 allows system privileges for all
At the recent Black Hat DC 2010 conference, British security expert David Litchfield demonstrated vulnerabilities in Oracle's latest 11gR2 database release. Overgenerous privileges for Java procedures allow users to escalate their own privileges, up to the point of gaining complete control over the database.
This is due to the fact that any user can execute the procedures contained in the DBMS_JVM_EXP_PERMS package, which is aimed at making it easier to update Oracle installations. In particular, users can use the IMPORT_JVM_PERMS procedure to change their privileges in the Java policy table so that the JVM allows them to execute operating system commands and to read and write files.
This vulnerability alone does not allow a user lacking the relevant privileges to carry out these operations – this is prevented by Oracle's own system of privileges and roles. A second bug, however, allows users to adapt these privileges as required. The guilty procedure is DBMS_JAVA.SET_OUTPUT_TO_JAVA. This launches a new Java VM with the privileges of the SYS user and starts by executing any SQL code passed to it with said privileges. Litchfield has demonstrated how, by using appropriate parameters when calling DBMS_JAVA.SET_OUTPUT_TO_JAVA, an unprivileged user is able to escalate to a fully-privileged DBA user. Thanks to the changes previously made to the Java policy table, he is now able to execute operating system commands. Litchfield illustrated this under Windows 7 by creating a new user to which he then assigned administrator privileges.
He also demonstrated that it is possible to circumvent the database's Label Security, for which Oracle has received EAL4 certification under Common Criteria. Label Security is intended to ensure that users are only able to see information intended for them. He demonstrated that vulnerabilities in the Java implementation allow arbitrary dynamic libraries to be loaded into the Oracle process. This gives them access to data which should be strictly locked down by Label Security.
Litchfield reports that he informed Oracle of the vulnerabilities back in November. No patch has yet been forthcoming. As a workaround, he recommends removing the generous execution privileges of PUBLIC from the DBMS_JAVA, DBMS_JAVA_TEST and DBMS_JVM_EXP_PERMS packages.
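The workaround above, written out as SQL for a DBA session. This is an added example, not code from the article, from Litchfield or from Oracle; it assumes the session can read the DBA_TAB_PRIVS, DBA_OBJECTS and DBA_JAVA_POLICY dictionary views and is run from SQL*Plus.

```sql
-- Added example: audit and apply the PUBLIC revoke recommended as a workaround.

-- 1. Audit: which of the three packages can PUBLIC still execute?
SELECT owner, table_name, grantor
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST', 'DBMS_JVM_EXP_PERMS')
ORDER  BY table_name;

-- 2. Workaround: revoke each grant found, taking the owner from the
--    dictionary instead of assuming one. SET SERVEROUTPUT is a SQL*Plus command.
SET SERVEROUTPUT ON
BEGIN
  FOR g IN (SELECT owner, table_name
            FROM   dba_tab_privs
            WHERE  grantee    = 'PUBLIC'
            AND    privilege  = 'EXECUTE'
            AND    table_name IN ('DBMS_JAVA', 'DBMS_JAVA_TEST',
                                  'DBMS_JVM_EXP_PERMS'))
  LOOP
    EXECUTE IMMEDIATE 'REVOKE EXECUTE ON "' || g.owner || '"."' ||
                      g.table_name || '" FROM PUBLIC';
    DBMS_OUTPUT.PUT_LINE('revoked PUBLIC execute on ' ||
                         g.owner || '.' || g.table_name);
  END LOOP;
END;
/

-- 3. Side effects: code in other schemas that relied on the PUBLIC grant
--    may now be invalid; list it so explicit grants can be issued.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;

-- 4. Review: file and runtime permissions already present in the Java
--    policy table. Compare the result against a known-good baseline for
--    this installation; unexpected grantees deserve investigation.
SELECT grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  kind = 'GRANT'
AND    type_name IN ('java.io.FilePermission', 'java.lang.RuntimePermission')
AND    grantee <> 'SYS'
ORDER  BY grantee, type_name;
```

Re-running step 1 afterwards should return no rows. Applications that legitimately call these packages need an explicit EXECUTE grant to their own schema once the PUBLIC grant is gone.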
Although video of Litchfield's talk was available from the Black Hat DC 2010 site, The H found that the video has since been removed.