Vigil@nce: Oracle DB, privilege elevation via CREATE ANY DIRECTORY
October 2008 by Vigil@nce
An attacker with the CREATE ANY DIRECTORY privilege can alter the
password file in order to obtain SYSDBA privileges.
– Gravity: 2/4
– Consequences: privileged access/rights
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 14/10/2008
IMPACTED PRODUCTS
– Oracle Database
DESCRIPTION
The CREATE ANY DIRECTORY privilege can be granted to allow
creation of directories by users.
Passwords are stored in following files:
– Unix : $ORACLE_HOME/dbs/orapw$ORACLE_SID
– Windows : %ORACLE_HOME%\database\PWD%ORACLE_SID%.ora
An attacker with the CREATE ANY DIRECTORY privilege can request
the creation of following directories:
– Unix : $ORACLE_HOME/dbs
– Windows : %ORACLE_HOME%\database
He can then use the UTL_FILE.put_raw() method to corrupt the
password file, in order to define a known password.
An attacker with the CREATE ANY DIRECTORY privilege can thus
obtain SYSDBA privileges.
CHARACTERISTICS
– Identifiers: BID-31738, VIGILANCE-VUL-8162
– Url: http://vigilance.aql.fr/vulnerability/8162