CVE-2018-3004 – Oracle Database Privilege Escalation via XML Deserialization


Since this is a privilege escalation, let's assume you already have access to an Oracle database with at least the following roles:
CONNECT and RESOURCE

In this example the user tom has been granted the CONNECT and RESOURCE roles.

[image: e3753f4e-ac12-4b98-8295-9b97b98a4f73.png]

XML Deserialization

The java.beans package provides two classes: XMLEncoder, which serializes a Java object into XML, and XMLDecoder, which deserializes it again.

Let's create a class DecodeMe that uses XMLDecoder to deserialize XML-encoded Java code, followed by a stored procedure that invokes the DecodeMe class.

The DecodeMe.sql file contains the DecodeMe class and the decodeme stored procedure. The decodeme stored procedure accepts XML-encoded Java code. Within the XML, we use java.io.FileWriter to write the string 'hello world' to /tmp/test.txt.

[image: 2.png]

If we can connect to the database remotely, we can run DecodeMe.sql with the following command:
sqlplus64 user/password@server/service_name @<sqlfilename>.sql

[image: 3.png]

When we check the /tmp directory, there is a file created by the user oracle. This means we can write to the OS with the privileges of the oracle user.

[image: 4.png]

We can exploit this by copying our SSH public key to /home/oracle/.ssh/authorized_keys. Let's modify the XML code as follows; the rest remains the same.

[image: 5.png]

Run the decodeme_ssh.sql file with the following command:
sqlplus64 user/password@server/service_name @<sqlfilename>.sql

[image: 6.png]

Let's use our private key to log in as the oracle user and connect to the database. Note that we now have SYS-level access to the database.

[image: 7.png]
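As an added set of DBA-side checks (not part of the original post) for the conditions this write-up relies on: Java stored code in the database that references XMLDecoder, accounts holding both CONNECT and RESOURCE like tom, and explicit Java file-system permissions. It assumes an account that can read the DBA_* data dictionary views.

```sql
-- Added defensive checks (not from the original post); assumes a DBA account
-- with SELECT access to the DBA_* data dictionary views.

-- 1. Java source objects that reference java.beans.XMLDecoder, the class the
--    write-up's DecodeMe procedure uses to deserialize caller-supplied XML.
SELECT owner, name, line, text
  FROM dba_source
 WHERE type = 'JAVA SOURCE'
   AND UPPER(text) LIKE '%XMLDECODER%'
 ORDER BY owner, name, line;

-- 2. Accounts that, like tom in the write-up, hold both CONNECT and RESOURCE
--    (RESOURCE is what lets a user create the Java class and procedure).
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE')
 GROUP BY grantee
HAVING COUNT(DISTINCT granted_role) = 2
 ORDER BY grantee;

-- 3. Java file-system permissions explicitly granted in the database policy,
--    to compare against who is actually able to write files such as
--    /tmp/test.txt or /home/oracle/.ssh/authorized_keys.
SELECT grantee, kind, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
 ORDER BY grantee, name;
```

Any account that appears in query 2 but not in query 3, yet can still produce files as the oracle OS user, is exercising the behaviour this write-up describes rather than an intended grant.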

Reference: http://obtruse.syfrtext.com/2018/07/oracle-privilege-escalation-via.html
