CVE-2007-5511
published 2007-10-17


Priority: P3 (48)
CVSS 2.0: 6.5 (medium), vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: yes (public exploit code referenced below)
EPSS: 31.76% (98.1th percentile)
SQL injection vulnerability in Workspace Manager for Oracle Database before OWM 10.2.0.4.1, OWM 10.1.0.8.0, and OWM 9.2.0.8.0 allows attackers to execute arbitrary SQL commands via the FINDRICSET procedure in the LT package. NOTE: this is probably covered by CVE-2007-5510, but there are insufficient details to be certain.

Detection & IOCs (extracted from sources)

  • process: SYS.LT.FINDRICSET
  • command: SYS.LT.FINDRICSET('.''||dbms_sql.execute($cursor)||'''')--','x')
  • command: SYS.LT.FINDRICSET('.''||$user.own||'''')--','x')
  • command: SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql.execute('||c2gya2Vy||')||''','DEADBEAF')
  • command: DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''GRANT DBA TO <user>'';commit;end;',0)
  • filename: sys-lt-findricsetV2.pl
  • filename: sys-lt-findricset.pl
  • url: http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.pl
  • url: http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricset.pl
  • Detect SQL injection attempts against SYS.LT.FINDRICSET that use the cursor-injection payload: look for the string 'dbms_sql.execute' concatenated (via ||) inside the first argument of SYS.LT.FINDRICSET calls in Oracle audit or SQL logs.
  • Alert on the creation of a user-owned function named 'OWN' declared with AUTHID CURRENT_USER and PRAGMA AUTONOMOUS_TRANSACTION whose body contains EXECUTE IMMEDIATE 'GRANT DBA'; this is the technique used by the first exploit variant.
  • Monitor Oracle audit trails for unprivileged users receiving GRANT DBA immediately after executing SYS.LT.FINDRICSET, since the exploit's goal is privilege escalation to DBA.
  • The Metasploit auxiliary module 'auxiliary/sqli/oracle/lt_findricset_cursor' can be used to test for this vulnerability; use of this module against Oracle 10.1.0.3.0 through 10.1.0.5.0 and 11g should be flagged.
  • The exploit requires the attacker to already hold a valid (unprivileged) Oracle database account; it does not provide unauthenticated access. It is a privilege escalation from any database user to DBA.
  • The vulnerability was fixed in the Oracle Critical Patch Update of October 2007; affected versions are OWM 10.2.0 before 10.2.0.4.1, OWM 10.1.0 before 10.1.0.8.0, and OWM 9.2.0 before 9.2.0.8.0.
  • The IDS-evasion variant (4572) uses UTL_ENCODE BASE64 decoding to hide the GRANT DBA payload from signature-based detection; plain-text string matching on 'GRANT DBA' will miss this variant.
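The detection notes above describe three checks: concatenation of dbms_sql.execute inside the first argument of a SYS.LT.FINDRICSET call, plain-text GRANT DBA in statement text, and GRANT DBA hidden behind BASE64 in the IDS-evasion variant. The following Python is an added example that runs those checks over audit-style lines; it is not code from the page, from Oracle, or from any referenced exploit or Metasploit module. Function names (analyze_statement, scan_audit_lines) are hypothetical, and the sample lines are constructed for the example, with the base64 payload generated at run time so the third check has something to find.

```python
"""Scan Oracle audit/SQL text for the SYS.LT.FINDRICSET abuse pattern (CVE-2007-5511).

Added example with hypothetical helper names; sample audit lines are constructed.
"""
import base64
import re
from typing import List, Tuple

FINDRICSET_CALL = re.compile(r"\b(?:SYS\s*\.\s*)?LT\s*\.\s*FINDRICSET\s*\(", re.IGNORECASE)
CURSOR_EXECUTE = re.compile(r"\|\|\s*DBMS_SQL\s*\.\s*EXECUTE\s*\(", re.IGNORECASE)
GRANT_DBA = re.compile(r"\bGRANT\s+DBA\b", re.IGNORECASE)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def call_arguments(sql: str, open_paren: int) -> str:
    """Return the text between the FINDRICSET call's parentheses.

    Parentheses are balanced but quotes are deliberately ignored: the injection
    breaks out of the quoted literal, so quote-aware parsing would hide it.
    """
    depth = 0
    for i in range(open_paren, len(sql)):
        ch = sql[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return sql[open_paren + 1:i]
    return sql[open_paren + 1:]  # unterminated call: take the rest of the line


def decoded_base64_tokens(sql: str) -> List[str]:
    """Decode every base64-looking run in the statement (padding restored)."""
    out = []
    for tok in B64_TOKEN.findall(sql):
        padded = tok + "=" * (-len(tok) % 4)
        try:
            out.append(base64.b64decode(padded, validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error is a ValueError
            continue
    return out


def analyze_statement(sql: str) -> List[str]:
    """Return sorted finding names for one SQL statement (empty list if benign)."""
    findings = set()
    for m in FINDRICSET_CALL.finditer(sql):
        args = call_arguments(sql, m.end() - 1)  # m.end()-1 is the "(" index
        if "||" in args:
            findings.add("findricset_concat")            # concatenation inside the argument
        if CURSOR_EXECUTE.search(args):
            findings.add("findricset_cursor_injection")  # dbms_sql.execute concatenated in
    if GRANT_DBA.search(sql):
        findings.add("grant_dba_plaintext")
    if any(GRANT_DBA.search(text) for text in decoded_base64_tokens(sql)):
        findings.add("grant_dba_base64")                 # IDS-evasion variant
    return sorted(findings)


def scan_audit_lines(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run analyze_statement over audit lines; keep only lines with findings."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = analyze_statement(line)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample audit lines (not real captures). ENCODED hides the grant text
# the way the base64 variant does, so a plain 'GRANT DBA' match misses line 3.
ENCODED = base64.b64encode(b"grant dba to scott").decode()
SAMPLE_LINES = [
    "2007-10-18 09:00:01 SCOTT SYS.LT.FINDRICSET('WS_A','x')",
    "2007-10-18 09:00:02 SCOTT SYS.LT.FINDRICSET('.''||dbms_sql.execute($cursor)||'''')--','x')",
    "2007-10-18 09:00:03 SCOTT SYS.LT.FINDRICSET('x''||" + ENCODED + "||''','DEADBEAF')",
    "2007-10-18 09:00:04 SCOTT DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; "
    "begin execute immediate ''GRANT DBA TO <user>'';commit;end;',0)",
]

if __name__ == "__main__":
    for n, findings in scan_audit_lines(SAMPLE_LINES):
        print(f"line {n}: {', '.join(findings)}")
```

The base64 check decodes every alphabet run of eight or more characters and inspects the result, rather than matching the encoded form of one known payload, which is why the evasion variant is caught without knowing its exact encoding; the cost is a few wasted decodes of ordinary identifiers, which never match and are discarded.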