CREATE ANY DIRECTORY to SYSDBA

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CREATE ANY DIRECTORY to SYSDBA
From: paul.wright@xxxxxxxxxxxxxxxxxxx
Date: Sat, 11 Oct 2008 03:39:46 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I have found a serious privilege escalation in the Oracle DB that raises a 
lower privileged user with CREATE ANY DIRECTORY to that of SYSDBA by directly 
overwriting the hidden binary password file with a known binary password file 
via UTL_DIR. Full discussion of how to defend and respond to this are included 
and YES Oracle have been forewarned.
All Oracle DB folks should read this ASAP.
http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/

Prev by Date: [SECURITY] [DSA 1646-2] New squid packages fix array bounds check
Next by Date: İltaweb Alışveriş Sistemi (tr) Sql inj
Previous by thread: [SECURITY] [DSA 1646-2] New squid packages fix array bounds check
Next by thread: İltaweb Alışveriş Sistemi (tr) Sql inj
Index(es):
- Date
- Thread