CVE-2008-3979
Published 2009-01-14
Priority P3 · 46 · medium · 5.5 CVSS 2.0
AV:N/AC:L/Au:S/C:P/I:P/A:N
EXPLOIT
EPSS: 32.43% (98.1th percentile)
Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability that allows remote authenticated users to gain MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | database_10g | — | — |
| oracle | database_10g | — | — |
Detection & IOCs (extracted from sources)
- Monitor for creation of triggers named 'evil_trigger' in the SYSTEM schema, particularly on the system.DEF$_TEMP$LOB table, as this is the second-stage privilege escalation artifact.
- Detect SQL injection attempts against the MDSYS.SDO_TOPO_DROP_FTBL trigger by auditing DROP TABLE statements containing the pattern: O' and 1=<identifier>--
- Alert on GRANT DBA or GRANT EXECUTE TO PUBLIC statements executed by or on behalf of the MDSYS user, indicating successful privilege escalation.
- Audit creation of stored procedures/functions with AUTHID CURRENT_USER and PRAGMA AUTONOMOUS_TRANSACTION by non-privileged users, as this is the exploit's mechanism for executing arbitrary SQL under elevated context.
- Monitor for inserts into system.DEF$_TEMP$LOB, which is used to fire the evil_trigger and complete the 2-stage DBA escalation.
- This is a 2-stage attack: stage 1 exploits SQL injection in MDSYS.SDO_TOPO_DROP_FTBL to gain MDSYS privileges; stage 2 abuses MDSYS's CREATE ANY TRIGGER privilege to install a malicious trigger in the SYSTEM schema.
- Affects Oracle Database versions 10.1.0.5 and 10.2.0.2 only; the Oracle Spatial (MDSYS) component must be installed for the vulnerable trigger to be present.
- Exploitation requires an authenticated Oracle DB user; this is not an unauthenticated/anonymous attack vector.
- The Metasploit module defaults to granting DBA to user SCOTT; in real attacks the target user and SQL payload will vary, so detection should not rely solely on the username SCOTT.
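The detection notes above, expressed as statement-level rules over audit records; this is an added example, not part of the original page or of any vendor tooling. The record format (session user, SQL text), the rule names and the sample statements are constructed for illustration, and grouping hits by session user is an assumption about how the audit trail attributes statements.

```python
import re

F = re.I | re.S
# Rule names are this example's own; the patterns follow the detection notes above.
RULES = {
    "sqli_in_drop_table": re.compile(r"\bDROP\s+TABLE\b.*'\s*AND\s+1\s*=\s*[\w.$#]+\s*--", F),
    "trigger_in_system_schema": re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?TRIGGER\b.*\bSYSTEM\s*\.", F),
    "insert_def_temp_lob": re.compile(r"\bINSERT\s+INTO\s+SYSTEM\s*\.\s*DEF\$_TEMP\$LOB\b", F),
    "grant_dba_or_public_execute": re.compile(r"\bGRANT\s+(?:DBA\b|EXECUTE\b.*\bTO\s+PUBLIC\b)", F),
}
INVOKER_RIGHTS = re.compile(r"\bCREATE\b.*\b(?:FUNCTION|PROCEDURE)\b.*\bAUTHID\s+CURRENT_USER\b", F)
AUTONOMOUS = re.compile(r"\bPRAGMA\s+AUTONOMOUS_TRANSACTION\b", re.I)
PRIVILEGED = {"SYS", "SYSTEM"}  # assumption: accounts expected to create such routines

def scan(records):
    """Return (user, rule) pairs for every audited statement that matches a rule."""
    hits = []
    for user, sql in records:
        for name, rx in RULES.items():
            if rx.search(sql):
                hits.append((user, name))
        # Invoker-rights routine with an autonomous transaction, created by a non-privileged user.
        if user.upper() not in PRIVILEGED and INVOKER_RIGHTS.search(sql) and AUTONOMOUS.search(sql):
            hits.append((user, "invoker_rights_autonomous_routine"))
    return hits

def two_stage_users(hits):
    """Users showing both stage 1 (injection) and stage 2 (trigger in SYSTEM schema)."""
    by_user = {}
    for user, rule in hits:
        by_user.setdefault(user, set()).add(rule)
    wanted = {"sqli_in_drop_table", "trigger_in_system_schema"}
    return sorted(u for u, rules in by_user.items() if wanted <= rules)

# Constructed audit records (user, statement); routine and trigger bodies are empty stubs.
SAMPLE = [
    ("APPUSER", "CREATE OR REPLACE FUNCTION f1 RETURN NUMBER AUTHID CURRENT_USER IS "
                "PRAGMA AUTONOMOUS_TRANSACTION; BEGIN NULL; END;"),
    ("APPUSER", "DROP TABLE \"O' and 1=APPUSER.F1--\""),
    ("APPUSER", "CREATE OR REPLACE TRIGGER system.t1 BEFORE INSERT ON system.DEF$_TEMP$LOB "
                "BEGIN NULL; END;"),
    ("APPUSER", "INSERT INTO system.DEF$_TEMP$LOB VALUES (NULL)"),
    ("REPORTS", "DROP TABLE reports.old_totals"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
    print("two-stage:", two_stage_users(scan(SAMPLE)))
```

The trigger rule keys on the SYSTEM schema rather than on the name evil_trigger, and no rule keys on SCOTT, in line with the last note in the list.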
No detection rules found.
Exploit-DB
Oracle 10g - MDSYS.SDO_TOPO_DROP_FTBL SQL Injection (Metasploit)
exploitdb·2009-02-18
```ruby
##
# $Id: droptable_trigger.rb
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3
			'Name'        => 'SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger.',
			'Description' => %q{
				This module will escalate a Oracle DB user to MDSYS by exploiting an sql injection bug in
				the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege
				given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
			},
			'Author'      => [ 'Sh2kerr' ]
```
Metasploit
Oracle DB SQL Injection in MDSYS.SDO_TOPO_DROP_FTBL Trigger
metasploit
This module will escalate an Oracle DB user to MDSYS by exploiting a sql injection bug in the MDSYS.SDO_TOPO_DROP_FTBL trigger. After that exploit escalate user to DBA using "CREATE ANY TRIGGER" privilege given to MDSYS user by creating evil trigger in system scheme (2-stage attack).
No writeups or analysis indexed.
- http://osvdb.org/51354
- http://secunia.com/advisories/33525
- http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html
- http://www.securityfocus.com/archive/1/500061/100/0/threaded
- http://www.securityfocus.com/bid/33177
- http://www.securitytracker.com/id?1021561
- http://www.vupen.com/english/advisories/2009/0115
- https://www.exploit-db.com/exploits/8074