Tanel Poder has made an excellent post to his blog titled Oracle Security: All your DBAs are SYSDBAs and can have full OS access. The post details Tanel's recent discovery that a user who holds the DBA role or IMP_FULL_DATABASE can become SYSDBA and, from there, access the operating system, alter the audit trail, or alter the Oracle binary after setting _disable_image_check = true. He also shows how a dedicated server process can be made to run as SYSDBA by using a debugger to flip the bit that marks the process as a SYSDBA one. All of this rests on the BECOME USER privilege that I have spoken about on this site in the past. A UPI call is available from the client side to use the BECOME USER privilege, which is how import and Oracle Data Pump change users, and a newer package, KUPP$PROC.CHANGE_USER, can also be used to change users by way of the BECOME USER privilege.
Tanel's post shows how someone with BECOME USER and CREATE SESSION could change schema/user to SYS and grant DBA. Unfortunately this does not give you the right to grant SYSDBA, but Tanel has a great way around that: he uses ALTER SESSION to point the _oradbg_pathname hidden parameter at a command that flips the SYSDBA bit in the PGA of a dedicated server process, then uses the debug event to run it. He can then grant SYSDBA to another user, shut down the database, or more. Tanel provides examples for Solaris with mdb and Linux with gdb.
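The practical takeaway for anyone running Oracle is to find out who can actually reach BECOME USER, since DBA and IMP_FULL_DATABASE carry it through role nesting rather than as a direct grant, and to keep an eye on the two hidden parameters the post names. The SQL below is an added defensive check of mine, not something from Tanel's post; it assumes you run it as a DBA (the second query needs SYS, because X$ tables are only visible there) and uses only the standard DBA_* views and the X$KSPPI/X$KSPPCV parameter tables.

```sql
-- Added check (not from Tanel's post): which users and roles end up holding
-- BECOME USER, either as a direct grant or through any chain of nested roles.
-- Assumes the standard Oracle data dictionary views; run as a DBA.
WITH role_closure AS (
  -- every role each grantee holds, directly or via nested roles
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS holder,
                  granted_role            AS role_held
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
become_user_holders AS (
  -- direct grants of the privilege
  SELECT grantee AS holder, 'DIRECT' AS via
  FROM   dba_sys_privs
  WHERE  privilege = 'BECOME USER'
  UNION ALL
  -- grants that arrive through a role (DBA and IMP_FULL_DATABASE out of the box)
  SELECT rc.holder, rc.role_held AS via
  FROM   role_closure rc
  JOIN   dba_sys_privs sp ON sp.grantee = rc.role_held
  WHERE  sp.privilege = 'BECOME USER'
)
SELECT b.holder,
       b.via,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END AS holder_type
FROM   become_user_holders b
LEFT   JOIN dba_users u ON u.username = b.holder
ORDER  BY holder_type, b.holder, b.via;

-- The two hidden parameters named in the post. Non-default values are worth a
-- look; _oradbg_pathname in particular is session-settable, so check the
-- session view (X$KSPPCV), not just the instance-wide one. Run as SYS.
SELECT i.ksppinm  AS parameter,
       cv.ksppstvl AS current_value,
       cv.ksppstdf AS is_default
FROM   x$ksppi  i
JOIN   x$ksppcv cv ON cv.indx = i.indx
WHERE  i.ksppinm IN ('_oradbg_pathname', '_disable_image_check');
```

Anything listed by the first query with holder_type USER that is not a known DBA account is, per Tanel's findings, effectively a SYSDBA and should be treated as such in your privilege reviews.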
Nice post, very detailed and very internal and clever.