Oracle Database Server DACL Multiple Insecure Permissions Vulnerabilities
BID:22905
Info
| Bugtraq ID: | 22905 |
| Class: | Design Error |
| CVE: | CVE-2007-1442 |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 10 2007 12:00AM |
| Updated: | May 12 2015 07:29PM |
| Credit: | Cesar Cerrudo is credited with discovering these vulnerabilities. |
| Vulnerable: | Oracle Oracle10g Standard Edition 10.2 .3; Oracle Oracle10g Standard Edition 10.2 .2; Oracle Oracle10g Standard Edition 10.2 .1; Oracle Oracle10g Personal Edition 10.2 .3; Oracle Oracle10g Personal Edition 10.2 .2; Oracle Oracle10g Personal Edition 10.2 .1; Oracle Oracle10g Enterprise Edition 10.2 .3; Oracle Oracle10g Enterprise Edition 10.2 .2; Oracle Oracle10g Enterprise Edition 10.2 .1 |
| Not Vulnerable: | |
Discussion
Oracle Database Server is prone to multiple insecure-permissions vulnerabilities because it fails to set secure discretionary access control lists (DACLs) on its individual processes.
A local attacker can exploit these issues to trigger denial-of-service conditions and potentially execute arbitrary code with the privileges of the affected application. This may aid in a complete system compromise.
These issues affect Oracle Database Server version 10gR2 for Windows; other versions may also be vulnerable.
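To check for the condition the advisory describes, here is an added PowerShell example (not code from the advisory or from Oracle) that reads the DACL of each running process matching a name filter and reports allow-ACEs that grant tamper-class rights to Everyone, Authenticated Users or BUILTIN\Users, as well as processes with a NULL DACL. The filter value 'oracle', the P/Invoke wrapper name Win32.ProcSec and the function name are assumptions.

```powershell
# Added audit example, not code from the advisory or from Oracle: reads the DACL of
# each running process whose name matches $NameFilter ('oracle' is an assumed filter)
# and reports allow-ACEs that grant broad groups rights to tamper with the process.
Add-Type -Namespace Win32 -Name ProcSec -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(IntPtr h, uint info, byte[] sd, uint len, out uint needed);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@
$READ_CONTROL = 0x00020000; $DACL_SECURITY_INFORMATION = 0x00000004
# Rights that let another principal kill, inject into or re-ACL the process: TERMINATE,
# CREATE_THREAD, VM_OPERATION, VM_WRITE, DUP_HANDLE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE/ALL.
$TamperMask = (0x0001 -bor 0x0002 -bor 0x0008 -bor 0x0020 -bor 0x0040 -bor
               0x00040000 -bor 0x00080000 -bor 0x40000000 -bor 0x10000000)
$BroadSids = @([System.Security.Principal.WellKnownSidType]::WorldSid,
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid,
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid)
function Get-ProcessDaclFindings([string]$NameFilter = 'oracle') {
    $findings = @()
    foreach ($p in Get-Process | Where-Object { $_.ProcessName -like "*$NameFilter*" }) {
        $h = [Win32.ProcSec]::OpenProcess($READ_CONTROL, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }   # caller lacks READ_CONTROL on it; skip
        try {
            $needed = [uint32]0   # first call only sizes the self-relative descriptor
            [void][Win32.ProcSec]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
            $buf = New-Object byte[] $needed
            if (-not [Win32.ProcSec]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) { continue }
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)
            if ($null -eq $sd.DiscretionaryAcl) {   # NULL DACL: every principal gets full access
                $findings += [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Principal = '<NULL DACL>'; Mask = 'ALL' }
                continue
            }
            foreach ($ace in $sd.DiscretionaryAcl) {
                if ($ace -isnot [System.Security.AccessControl.CommonAce] -or
                    $ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
                $broad = $BroadSids | Where-Object { $ace.SecurityIdentifier.IsWellKnown($_) }
                if ($broad -and ($ace.AccessMask -band $TamperMask)) {
                    $findings += [pscustomobject]@{
                        Pid = $p.Id; Name = $p.ProcessName
                        Principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
                        Mask = '0x{0:X8}' -f $ace.AccessMask }
                }
            }
        } finally { [void][Win32.ProcSec]::CloseHandle($h) }
    }
    return $findings
}
Get-ProcessDaclFindings | Format-Table -AutoSize
```

Run it as the account that owns the database processes or as an administrator, since reading a process DACL requires READ_CONTROL on that process; an empty result means no broad-group tamper rights were found on the matched processes.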
Exploit / POC
An attacker can use readily available process-monitoring tools to exploit these issues.
The following proof-of-concept exploit demonstrating arbitrary code execution with elevated privileges is available:
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- Oracle Homepage (Oracle)
- [Argeniss] Practical 10 minutes security audit: Oracle Case (Paper) (Cesar Cerrudo)