Proof of concept code that demonstrates how an Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB.
e5b9d81d9e3e453e88ecc084ad1516012f5e333ec7dcdbb2dbe569b1350618e0
An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB. This paper will show how the issue can be exploited and most importantly how to secure against it.
d831e6ebd8c7df2437915b869b9d31a97fd007d4363bebebfe908afab3c60f97
New Oracle Security Paper - How to secure Oracle passwords from rainbow tables and new password cracking patches. Also includes a free audit tool called OraBrute to brute force SYS AS SYSDBA in order to check that it has been secured. Unfortunately by default it is not but can be secured by following this papers recommendations.
d01676e8a88e2d6cb26473a80fe847d360a18ce0fbd1a995aafac93055168522