CVE-2008-3979
published 2009-01-14


Priority: P3 · 46 · medium
CVSS 2.0: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
EXPLOIT
EPSS: 32.43% (98.1th percentile)

Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the January 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability that allows remote authenticated users to gain MDSYS privileges via the MDSYS.SDO_TOPO_DROP_FTBL trigger.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| oracle | database_10g | | |
| oracle | database_10g | | |

Detection & IOCs (extracted from sources)

other: MDSYS.SDO_TOPO_DROP_FTBL
command: create table "O' and 1=<USER>.<FUNC>--"(id number)
command: drop table "O' and 1=<USER>.<FUNC>--"
command: insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')
command: create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB
command: GRANT DBA TO SCOTT

  • Monitor for creation of triggers named 'evil_trigger' in the SYSTEM schema, particularly on the system.DEF$_TEMP$LOB table, as this is the second-stage privilege escalation artifact.
  • Detect SQL injection attempts against the MDSYS.SDO_TOPO_DROP_FTBL trigger by auditing DROP TABLE statements containing the pattern: O' and 1=<identifier>--
  • Alert on GRANT DBA or GRANT EXECUTE TO PUBLIC statements executed by or on behalf of the MDSYS user, indicating successful privilege escalation.
  • Audit creation of stored procedures/functions with AUTHID CURRENT_USER and PRAGMA AUTONOMOUS_TRANSACTION by non-privileged users, as this is the exploit's mechanism for executing arbitrary SQL under elevated context.
  • Monitor for inserts into system.DEF$_TEMP$LOB, which is used to fire the evil_trigger and complete the 2-stage DBA escalation.
  • This is a 2-stage attack: stage 1 exploits SQL injection in MDSYS.SDO_TOPO_DROP_FTBL to gain MDSYS privileges; stage 2 abuses MDSYS's CREATE ANY TRIGGER privilege to install a malicious trigger in the SYSTEM schema.
  • Affects Oracle Database versions 10.1.0.5 and 10.2.0.2 only; the Oracle Spatial (MDSYS) component must be installed for the vulnerable trigger to be present.
  • Exploitation requires an authenticated Oracle DB user; this is not an unauthenticated/anonymous attack vector.
  • The Metasploit module defaults to granting DBA to user SCOTT; in real attacks the target user and SQL payload will vary, so detection should not rely solely on the username SCOTT.
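
The detection points above, expressed as rules run over audited SQL text. This is an added example, not code from this page or from the Metasploit module; the record layout (a dict with `user` and `sql`), the `TRUSTED` account set and the rule names are assumptions. The first rule generalizes the listed pattern to any quoted table name that contains a single quote and a `--` comment marker.

```python
import re

TRUSTED = {"SYS", "SYSTEM"}  # assumption: accounts expected to perform DBA work
RULES = {
    # Quoted table name carrying a quote and a comment marker (stage 1 indicator).
    "injected_table_name": re.compile(
        r'''\b(create|drop)\s+table\s+"[^"]*'[^"]*--[^"]*"''', re.I),
    # Trigger created in the SYSTEM schema; the trigger name is deliberately not matched.
    "trigger_in_system_schema": re.compile(
        r"\bcreate\s+(or\s+replace\s+)?trigger\s+system\.", re.I),
    "insert_def_temp_lob": re.compile(
        r"\binsert\s+into\s+system\.def\$_temp\$lob\b", re.I),
    # Grantee is not matched, so the rule does not depend on the name SCOTT.
    "dba_or_public_grant": re.compile(
        r"\bgrant\s+(dba\b|execute\b.*\bto\s+public\b)", re.I | re.S),
    # Routine declaring both AUTHID CURRENT_USER and PRAGMA AUTONOMOUS_TRANSACTION.
    "invoker_autonomous_routine": re.compile(
        r"(?=.*\bauthid\s+current_user\b)(?=.*\bpragma\s+autonomous_transaction\b)"
        r".*\bcreate\s+(or\s+replace\s+)?(function|procedure)\b", re.I | re.S),
}
STAGE_2 = {"trigger_in_system_schema", "insert_def_temp_lob", "dba_or_public_grant"}

def match_rules(record):
    """Return the rule names that fire for one audit record (dict: user, sql)."""
    trusted = record["user"].upper() in TRUSTED
    return [name for name, pattern in RULES.items() if pattern.search(record["sql"])
            and (name == "injected_table_name" or not trusted)]

def two_stage_escalation(records):
    """True when a stage-1 hit is followed later by any stage-2 hit."""
    seen_stage_1 = False
    for record in records:
        hits = set(match_rules(record))
        if seen_stage_1 and hits & STAGE_2:
            return True
        seen_stage_1 = seen_stage_1 or "injected_table_name" in hits
    return False

# Constructed audit records; the SQL text reuses the statements listed on this page.
SAMPLE = [
    {"user": "APP", "sql": "create table orders (id number)"},
    {"user": "SCOTT", "sql": "create table \"O' and 1=<USER>.<FUNC>--\"(id number)"},
    {"user": "SCOTT", "sql": "drop table \"O' and 1=<USER>.<FUNC>--\""},
    {"user": "MDSYS", "sql": "create or replace trigger system.evil_trigger before insert on system.DEF$_TEMP$LOB"},
    {"user": "SCOTT", "sql": "insert into system.DEF$_TEMP$LOB (TEMP$BLOB) VALUES ('AA')"},
    {"user": "SYS", "sql": "grant dba to ops_admin"},
]

if __name__ == "__main__":
    print([match_rules(r) for r in SAMPLE], two_stage_escalation(SAMPLE))
```

Because the second stage runs inside a SYSTEM-owned trigger, a grant recorded under SYSTEM is skipped by the `TRUSTED` filter; the correlation in `two_stage_escalation` is what catches the sequence in that case.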