Oracle Database DBMS_JVM_EXP_PERMS IMPORT_JVM_PERMS privilege elevation

Added: 02/26/2010
BID: 38115
OSVDB: 62184

Background

Oracle Database embeds a Java runtime environment called OracleJVM. The DBMS_JVM_EXP_PERMS package is included in Oracle Database and is used for importing and exporting Java permissions between database servers.

Problem

A privilege elevation vulnerability exists in the DBMS_JVM_EXP_PERMS package. A database user can use the IMPORT_JVM_PERMS function to grant himself EXECUTE permissions on all files. Then the user can execute arbitrary operating system commands by passing the commands to the Wrapper class using the RUNJAVA function.

Resolution

Install vendor patches when available. Until then, revoke access to the DBMS_JVM_EXP_PERMSpackage from untrusted users.

References

http://secunia.com/advisories/38353/

Limitations

Exploit works on Oracle Database Server 11g 11.1.0.6 and requires the credentials of a valid Oracle Database user who has CREATE SESSION privileges.

Since this exploit uses TFTP, SAINTexploit must be able to bind to port 69/UDP.

Platforms

Windows 2000

Back to exploit index