5.5. Investigating Flaws

Sometimes a flaw doesn't immediately look like it's exploitable and a bit of investigating needs to be done. We'll use the July 2006 Critical Patch Update version of DBMS_EXPORT_EXTENSION as our test case. Remember that previous versions of this package executed anonymous blocks of PL/SQL with the privileges of the SYS user and that an attacker could inject into this block. Oracle fixed this in the July 2006 patch by ensuring that the anonymous block of code executes with the privileges of the invoker. They did this by passing the block to DBMS_SYS_SQL.PARSE_AS_USER before execution. Unfortunately, they missed a bit. The TABACT function is internal to the package (you need an unwrapper to see it), but it is called by the PRE_TABLE function. The TABACT function SELECTs the name of a schema and package from the SYS.EXPACT$ table. It then implants this package into a block of anonymous PL/SQL and parses it using DBMS_SQL.PARSE. As such, when it comes to executing the block, it executes with the privileges of the SYS user. Oracle missed this one. That said, what is the risk? To exploit this you would need to be able to insert your own package name into the EXPACT$ table. Let's check who can do what to it:

SQL> SELECT GRANTEE,PRIVILEGE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'EXPACT$';

no rows selected

It looks like no one other than SYS can. Maybe, however, there's a package that we can execute that inserts into the table. We can check this by querying the DBA_DEPENDENCIES ...
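The following audit script is an added example, not taken from the book; it assumes only the standard Oracle data dictionary views (DBA_TAB_PRIVS, DBA_DEPENDENCIES) and a DBA-privileged session. It carries the investigation above one step further: after confirming that nobody holds a direct privilege on SYS.EXPACT$, it lists every stored program unit that references the table, and then narrows that list to units a non-SYS grantee can EXECUTE. Any row returned by the last query is a candidate for the indirect-insert path the text is looking for and should be reviewed by a DBA.

```sql
-- Added audit example (not the book's code). Run as a DBA.
-- Step 1: direct object privileges on the table (the book's own check, owner-qualified).
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'EXPACT$';

-- Step 2: every stored unit whose compiled body statically references SYS.EXPACT$.
-- Note: DBA_DEPENDENCIES only records static references; a unit that reaches
-- the table through dynamic SQL (DBMS_SQL, EXECUTE IMMEDIATE) will not appear here.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'EXPACT$'
 ORDER BY owner, name;

-- Step 3: of those units, which can be executed by someone other than SYS?
-- EXECUTE on a definer-rights unit that inserts into EXPACT$ is the indirect
-- write path worth flagging; a PUBLIC grant is the most serious case.
SELECT d.owner, d.name, d.type, p.grantee, p.privilege
  FROM dba_dependencies d
  JOIN dba_tab_privs    p
    ON p.owner      = d.owner
   AND p.table_name = d.name
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'EXPACT$'
   AND p.privilege        = 'EXECUTE'
   AND p.grantee         <> 'SYS'
 ORDER BY p.grantee, d.owner, d.name;
```

An empty result from step 3 is not a clean bill of health on its own, because of the dynamic-SQL blind spot noted in step 2; it does, however, rule out the straightforward case in which an ordinary account can reach EXPACT$ through a granted package.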

Get The Oracle® Hacker's Handbook: Hacking and Defending Oracle now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.