[Previous entry: "Latest Oracle CPU is out"] [Next entry: "Pete Finnigan webinar "The right way to secure Oracle""]
Escalate privileges to SYSDBA with CREATE USER
July 16th, 2009 by Pete
Post to del.icio.us
Post to Furl
Paul emailed me the other day to send his new paper that shows how he was able to exploit a problem with Oracles namespace resolution. The idea is that because a user may have the CREATE USER privilege so he can create a database user with the same name as a SYS owned package. In the example Paul creates a user called DBMS_FLASHBACK. The namespace resolution and the fact that SYS ignores definer rights code means that the creation of a function from a package (the same name as a real function) can be used to call code to grant SYSDBA to the attackers user through his function.
Its a nice idea but the execution is really a trojan as its still necessary for a DBA logged in as SYSDBA to execute the "doppleganger" function. Nice idea though.
