

Penetration: from application down to OS. Getting OS access using Oracle Database unprivileged user

This whitepaper is part of a series of publications describing various ways of obtaining access to the server operating system using vulnerabilities in popular business applications found in corporate environments.

Author: Alexandr Polyakov

Once upon a time, during a penetration test of a corporate network, I got an unprivileged account on an Oracle Database, and my plan was to get an administrative shell on the server where the database was installed. The server was running the Windows 2003 Server operating system, and the Oracle database was running under an Administrator account (not LOCAL_SYSTEM). This is quite a common situation, though. The default way is to escalate privileges on the database using one of the latest SQL injection vulnerabilities and then use DBA privileges to gain access to the OS using one of the popular methods such as ExtProc, Java, extjob, etc. So it seems to be quite simple, and I thought about other ways.
What if the database is patched with the latest CPU updates and additionally has some kind of Intrusion Detection System that can find 0-day vulnerabilities or something like this, and it is impossible to escalate privileges using SQL injections? Of course, there are some methods of escalating privileges without exploits. For example: find clear-text passwords in the database, connect to the listener internally and rewrite the log file, or escalate privileges using some dangerous roles such as ‘SELECT ANY DICTIONARY’, ‘CREATE ANY TRIGGER’ or something like this. But these methods can’t give you 100% success. I guess there must be another way; maybe it's not all-applicable, but better than the described one.

In short, this paper describes investigations into getting an administrative shell on a server while having unprivileged rights on an Oracle Database.

Penetration_from_application_down_to_OS_(Oracle database).pdf, 609 KB

© 2002—2014, ERPScan