This Metasploit module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job Scheduler is implemented by the component extjob.exe, which listens on a named pipe called "orcljsex<SID>" and executes arbitrary commands received through this channel via CreateProcess(). Connecting to the named pipe remotely requires SMB access. This module has been tested on Oracle 10g Release 1, where the Oracle Job Scheduler runs as SYSTEM on Windows but is disabled by default.
Whitepaper called Exploiting PL/SQL Injection With Only CREATE SESSION Privileges In Oracle 11g.
Whitepaper called Hacking Aurora In Oracle 11g.
By passing an overly long token to the UNLOCK command, a stack based buffer overflow occurs.
Oracle 11g has an issue where password history is broken if it is set to use 11g passwords exclusively.
Whitepaper called Bypassing Oracle DBMS_ASSERT (in certain situations). Originally written in July of 2008 but is just being released now.
Oracle suffers from a PL/SQL injection vulnerability in REPCAT_RPC.VALIDATE_REMOTE_RC.
NGSSoftware Insight Security Research Advisory - Oracle has just released a fix for a flaw that, when exploited, allows a low privileged authenticated database user to gain MDSYS privileges. This can be abused by an attacker to perform actions as the MDSYS user. MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the Oracle Spatial Application. It is vulnerable to SQL injection. When a user drops a table the trigger fires. The name of the table is embedded in a dynamic SQL query which is then executed by the trigger. Note that the Oracle advisory states that the attacker requires the DROP TABLE and CREATE PROCEDURE privileges. This is not the case; only CREATE SESSION privileges are required.
Orablock allows a forensic investigator to dump data from a "cold" Oracle data file. There is no need to load the data file into the database, which would cause the data file to be modified, so using orablock preserves the evidence. Orablock can also be used to locate "stale" data - data that has been deleted or updated.
Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Examinations.
Follow up information regarding a whitepaper about lateral SQL injection and how ALTER SESSION privileges are not needed.
NGSSoftware Insight Security Research Advisory - Oracle Application Server installs a number of PLSQL packages in the backend database server. One of these is the WWV_RENDER_REPORT package, and it is vulnerable to PLSQL injection. This package uses definer rights execution and therefore executes with the privileges of the owner, in this case the highly privileged PORTAL user.
Lateral SQL Injection: A New Class of Vulnerability in Oracle.
Oracle 11g and 10g have a default password vulnerability during the install process.
NGSSoftware Insight Security Research Advisory - The Oracle XML DB ftp service contains problems with auditing logins.
NGSSoftware Insight Security Research Advisory - The Oracle RDBMS, on receiving an invalid TNS data packet, will use 100% of the CPU's time, introducing a denial of service condition.
NGSSoftware Insight Security Research Advisory - The Oracle TNS Listener suffers from denial of service and/or remote memory inspection vulnerabilities. Systems affected include Oracle 8.1.7.4, Oracle 9, and 10g Release 1 and 2.
NGSSoftware Insight Security Research Advisory - The Workspace Manager in Oracle 10g release 1 and 2 and Oracle 9i is vulnerable to SQL injection. The Workspace Manager, owned by SYS, contains a package called LT. This package is owned and defined by the SYS user and can be executed by PUBLIC. LT contains a procedure called FINDRICSET which calls FINDRICSET in the LTRIC package. This is vulnerable to SQL injection and can be abused by an attacker to gain SYS privileges.
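The MDSYS.SDO_TOPO_DROP_FTBL and SYS.LT.FINDRICSET advisories above describe the same pattern: a definer-rights PL/SQL object splices a caller-controlled object name into dynamic SQL, so the caller's input runs with the owner's privileges. The following is an added, constructed illustration of that pattern beside its hardened form, written for SQL*Plus; the demo_* names are hypothetical and this is not the code of the Oracle packages named in the advisories.

```sql
-- Added example (not the MDSYS/SYS code from the advisories above).
-- demo_* names are hypothetical; run in SQL*Plus as a user with
-- CREATE PROCEDURE in a scratch schema.

-- VULNERABLE: a definer-rights routine concatenates a caller-supplied
-- object name straight into dynamic SQL, so whatever the caller appends
-- after the name is parsed and executed with the owner's privileges.
CREATE OR REPLACE PROCEDURE demo_count_rows_vuln (p_table IN VARCHAR2)
  AUTHID DEFINER
AS
  l_n NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || p_table INTO l_n;
  DBMS_OUTPUT.PUT_LINE('rows: ' || l_n);
END;
/

-- HARDENED: reject anything that is not a single identifier, quote the
-- identifier so it can only ever be parsed as one name, and run with
-- the caller's own privileges (AUTHID CURRENT_USER) so that even a
-- successful injection gains nothing the caller did not already have.
CREATE OR REPLACE PROCEDURE demo_count_rows_safe (p_table IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  l_tab VARCHAR2(130);
  l_n   NUMBER;
BEGIN
  -- SIMPLE_SQL_NAME raises ORA-44003 for input that is not one
  -- identifier: spaces, operators, semicolons and comments are refused.
  l_tab := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
  -- ENQUOTE_NAME wraps the name in double quotes (and rejects embedded
  -- quotes), so the parser sees exactly one quoted identifier.
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM '
                    || SYS.DBMS_ASSERT.ENQUOTE_NAME(l_tab) INTO l_n;
  DBMS_OUTPUT.PUT_LINE('rows: ' || l_n);
END;
/

-- Same argument against both versions. The vulnerable one executes the
-- injected tail (a harmless scalar subquery here; in a SYS-owned
-- definer it could be any statement SYS may run). The hardened one
-- raises ORA-44003 before any SQL is built, and a plain name still works.
SET SERVEROUTPUT ON
BEGIN
  demo_count_rows_vuln('dual WHERE (SELECT user FROM dual) IS NOT NULL');
  BEGIN
    demo_count_rows_safe('dual WHERE (SELECT user FROM dual) IS NOT NULL');
  EXCEPTION
    WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
  END;
  demo_count_rows_safe('dual');
END;
/
```

Two caveats a practitioner should keep in mind. First, the Bypassing Oracle DBMS_ASSERT whitepaper listed above shows that the validation functions can be sidestepped in certain situations, which is why the hardened version also switches to invoker's rights rather than relying on DBMS_ASSERT alone. Second, DBMS_ASSERT is only for object names, which cannot be bound; where the dynamic statement needs a value rather than an identifier, pass it as a bind variable with EXECUTE IMMEDIATE ... USING instead of concatenating it.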
NGSSoftware Insight Security Research Advisory - The Intermedia application, owned by CTXSYS, contains a package called CTX_DOC. This package contains multiple SQL injection flaws.
Whitepaper: Oracle Forensics Part 6 - Examining Undo Segments, Flashback and the Oracle Recycle Bin.
Whitepaper: Oracle Forensics Part 5 - Finding Evidence of Data Theft in the Absence of Auditing.
Dissection of an Oracle Attack in the Absence of Auditing. Presentation slides from Black Hat 2007 as presented by David Litchfield.
Whitepaper: Oracle Forensics Part 4 - What an incident responder should do during a Live Response on a compromised Oracle server.
Database Security Brief: The Oracle Critical Patch Update for April 2007.
Whitepaper: Oracle Forensics Part 3 - Isolating Evidence of Attacks Against the Authentication Mechanism.