Full Disclosure mailing list archives
Oracle 10g DBMS_SCHEDULER SESSION_USER issue
From: "Kornbrust, Alexander" <ak () red-database-security com>
Date: Thu, 5 May 2005 13:06:22 +0200
Red-Database-Security GmbH Oracle Security Advisory Name Oracle 10g DBMS_SCHEDULER SESSION_USER issue Systems Affected Oracle Database 10g Severity Medium Risk Category Switch SESSION_USER to SYS Vendor URL http://www.oracle.com Author Alexander Kornbrust (ak at red-database-security.com) Date 03 May 2005 (V 1.00) VU# 176909 Description ########### Every user with CREATE JOB privilege can switch the SESSION_USER to SYS by executing a database job via dbms_scheduler. This could cause problems with VPD (virtual private database) or OLS (Oracle label security) and could allow privilege escalation. This issue is not related to the Oracle Critical Patch Update 2005. More details including test case available: ########################################## http://www.red-database-security.com/exploits/oracle_exploit_dbms_schedu ler_select_user.html Patch Information ################# This information has been public for months but Oracle never released a security alert for this issue. Applying patchset 10.1.0.4 is fixing this issue. History: ######## 07 October 2004 Published at the Oracle Enterprise Server Forum in Metalink About Red-Database-Security GmbH ################################# Red-Database-Security GmbH is a specialist in Oracle Security. http://www.red-database-security.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Oracle 10g DBMS_SCHEDULER SESSION_USER issue Kornbrust, Alexander (May 05)