CVE-2006-2081
published 2006-04-27


Priority P339 · medium · 4.6 (CVSS 2.0)
CVSS vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 21.56% (97.3th percentile)

Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not related to special characters, so this is not "SQL injection" per se.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
oracle | database_server | |
oracle | database_server | |
oracle | database_server | |
oracle | database_server | |
oracle | database_server | |

Detection & IOCs (extracted from sources)

command: SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA
command: EXECUTE IMMEDIATE 'GRANT DBA TO HACKER'
command: CREATE OR REPLACE PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
command: CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER IS FUNCTION ODCIIndexGetMetadata
command: pragma autonomous_transaction

  • Monitor Oracle DB audit logs for calls to SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA by non-privileged or unexpected users, especially when INDEX_SCHEMA or TYPE_SCHEMA reference user-controlled packages.
  • Detect creation of Oracle packages with AUTHID CURRENT_USER that implement the ODCIIndexGetMetadata function — this is the exploit's mechanism for injecting privileged SQL execution.
  • Alert on GRANT DBA statements executed via EXECUTE IMMEDIATE inside an autonomous transaction block, which is the privilege escalation payload used by this exploit.
  • Flag Oracle sessions where a low-privileged user creates a package named MYBADPACKAGE or BUNKERPKG (or any package implementing ODCIIndexGetMetadata with autonomous_transaction) followed by a call to DBMS_EXPORT_EXTENSION.
  • The Metasploit auxiliary module path modules/auxiliary/sqli/oracle/dbms_export_extension.rb can be used to test for this vulnerability; detect its characteristic SQL patterns in Oracle network traffic or audit logs.
  • The vulnerability affects Oracle 9i and 10g (including 10gR1 and 10gR2); exploitation requires a valid low-privileged database account, so it is not remotely exploitable without credentials.
  • The root cause is insecure privileges on the DBMS_EXPORT_EXTENSION package rather than classic SQL injection via special characters; detection rules targeting SQL metacharacter injection will not catch this attack.
  • This CVE was originally linked to DB05 (CVE-2006-1870) but is confirmed to be a distinct issue; do not conflate detection signatures for the two vulnerabilities.
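
The checks listed above, sketched as an added Python example (not from the original page, Oracle or Metasploit): a correlator over ordered (user, SQL text) audit records that matches on statement structure rather than on the package names MYBADPACKAGE or BUNKERPKG. The record layout, the `EXPECTED_CALLERS` allow-list and the rule names are assumptions, and the sample records are constructed.

```python
import re

# Accounts expected to call the export package (assumption; tune per site).
EXPECTED_CALLERS = {"SYS", "SYSTEM"}

# Package spec (not BODY) with invoker rights that declares ODCIIndexGetMetadata.
PKG_SPEC = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?PACKAGE\s+(?!BODY\b)(\w+)\s+AUTHID\s+"
    r"CURRENT_USER.*?\bODCIIndexGetMetadata\b", re.I | re.S)
# GRANT DBA issued through EXECUTE IMMEDIATE after an autonomous-transaction pragma.
PAYLOAD = re.compile(
    r"pragma\s+autonomous_transaction.*?EXECUTE\s+IMMEDIATE\s+'\s*GRANT\s+DBA\b",
    re.I | re.S)
CALL = re.compile(r"DBMS_EXPORT_EXTENSION\s*\.\s*GET_DOMAIN_INDEX_METADATA", re.I)

# Constructed sample records in time order; "..." marks elided SQL.
SAMPLE_AUDIT = [
    ("SCOTT", "SELECT ename FROM emp"),
    ("SCOTT", "CREATE OR REPLACE PACKAGE BUNKERPKG AUTHID CURRENT_USER IS "
              "FUNCTION ODCIIndexGetMetadata (...) RETURN NUMBER; END;"),
    ("SCOTT", "CREATE OR REPLACE PACKAGE BODY BUNKERPKG IS ... "
              "pragma autonomous_transaction; BEGIN "
              "EXECUTE IMMEDIATE 'GRANT DBA TO HACKER'; ... END;"),
    ("SCOTT", "SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(...) FROM dual"),
    ("SYS", "SELECT SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(...) FROM dual"),
    ("HR", "BEGIN x := DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(...); END;"),
]

def correlate(records):
    """Return (user, rule, detail) findings for ordered (user, sql_text) records."""
    created = {}  # user -> ODCI-style package names that user created earlier
    findings = []
    for user, sql in records:
        user = user.upper()
        spec = PKG_SPEC.search(sql)
        if spec:
            created.setdefault(user, []).append(spec.group(1).upper())
            findings.append((user, "odci_package_created", spec.group(1).upper()))
        if PAYLOAD.search(sql):
            findings.append((user, "grant_dba_autonomous_txn", ""))
        if CALL.search(sql) and user not in EXPECTED_CALLERS:
            # Same user created an ODCI package first: the sequence from the page.
            rule = "create_then_call" if user in created else "unexpected_caller"
            findings.append((user, rule, ",".join(created.get(user, []))))
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_AUDIT):
        print(finding)
```

Because the rules key on `AUTHID CURRENT_USER` plus `ODCIIndexGetMetadata` and on the create-then-call order per user, a renamed package still produces the same findings.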