Oracle XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Procedure

2011.11.11
Credit: David Maman
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: New exploit to Oracle CVE-2007-4517 vulnerability # Date: 11,2,2011 # Author: David Maman and the GreenSQL Team # Software Link: http://blog.greensql.com/2011/11/02/new-exploit-to-oracle-vulnerability/ # Version: 0.1 # Tested on: Oracle Database 10g Express Edition # CVE : New exploit to CVE-2007-4517 Summary ======= As part of GreenSQL?s Database security research, we?ve been validating and extending coverage of known and unknown vulnerabilities in order to increase GreenSQL product security, at this post we will reveal a full working Prove of Concept for the CVE-2007-4517 vulnerability which executes arbitrary code. The Exploit: PL/SQL/2007-4517 exploit is a PL/SQL procedure that exploits the CVE-2007-4517 vulnerability, also known as Oracle Database XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA Procedure Multiple Argument Remote Overflow. The vulnerability is caused due to a boundary error in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure when processing the OWNER and NAME arguments to create an SQL query. This can be exploited to cause a buffer overflow by passing overly long OWNER and NAME arguments to the affected procedure. Symptoms ======== System Changes: New administrative user account. (Username: GreenSQL, Password:GreenSQL) OracleServiceXE service turns off. Technical Information The exploits has been tested on: ? Windows XP Professional SP3. ? Oracle Database 10g Express Edition. All the known exploits and POC?s developed for this vulnerability so far are Denial-of-Service exploits. This is a New exploit that actually executes arbitrary code and adds a new user account to the database host operating system. The Exploit =========== The PL/SQL procedure calls to the xDb.XDB_PITRIG_PKG.PITRIG_DROPMETADATA() function with two arguments: 1. ?123?. 2. Buffer (2305 bytes) The buffer consists of payload, jmp instructions, arithmetic instructions and garbage. When executing the code, the EBX contains the starting address of the buffer + 0x7A5. In order to execute the payload in the buffer, the following steps needs to be performed: 1. The EIP should point to an address contains the jmp EBX instruction. 2. At the [EBX] address, the exploit needs to jmp -0x7A5 to the start of the buffer. Jumping to EBX In order to jump to the address in the EBX register, the EIP should be set to 0x 095F7160. Jumping to the Payload In order to execute the payload, the following instructions needs to be performed: sub ebx, 0x7a5 jmp ebx The opcodes of the first instruction are: One of the limitations of HEXTORAW() function, is that its not able to deal with 000 characters. Because of that reason, instead of using the sub ebx, 0x7a5 instruction, the following instructions need to be performed: sub bl,0xb0 add bh,0xfa jmp ebx Which are equivalent to: sub ebx, 0x5b0 jmp ebx Which is equivalent to jmp ebx-0x5b0. The opcodes of those instructions are: 080, 0xEB, 0xB0, 080, 0xC7, 0xFA, 0xFF, 0xE3, which are able to be processed by the HEXTORAW() function. The Payload =========== The payload?s size is 308 bytes (of 0x7A5-0x5B0 = 0x1F5 = 501 payload?s space) The payload creates a new user account, called greenSQL, with the password GreenSQL. After creating the user account, it adds the user to the Administrators group.

References:

http://www.vupen.com/english/advisories/2007/3803
http://www.securitytracker.com/id?1018908
http://www.securityfocus.com/bid/26374
http://secunia.com/advisories/27526
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=622
http://xforce.iss.net/xforce/xfdb/38318
http://www.securityfocus.com/archive/1/archive/1/483434/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top