Oracle Database Two Security Issues

Secunia ID

SA38353

Release Date

08 Feb 2010

Last Change

11 Feb 2010

Criticality

Less Critical

Solution Status

Unpatched

Software

Oracle Database 10.x
Oracle Database 11.x

Where

From local network

Impact

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Privilege escalation

This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users.

This typically includes cases where a local user on a client or server system can gain access to the administrator or root account, thus taking full control of the system.


Description

David Litchfield has reported two security issues in Oracle Database, which can be exploited by malicious users to gain escalated privileges and compromise a vulnerable system. Both require valid database credentials; the attacker starts as an ordinary, low-privileged database user.

1) Access to the procedures in the "DBMS_JVM_EXP_PERMS" package is not restricted to administrative users, so any database user can call the "IMPORT_JVM_PERMS" procedure and write entries into the Java policy table, granting themselves Java permissions the DBA never intended.

This can be exploited to e.g. grant the file execute permission and then run arbitrary operating system commands with the privileges of the Oracle server process.

2) An error in the argument handling of the "DBMS_JAVA.SET_OUTPUT_TO_JAVA" procedure allows SQL supplied in its argument to be executed as the SYS user.

This can be exploited to grant the caller DBA privileges.

NOTE: Successful exploitation allows bypassing Oracle Label Security.
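The following is an added example showing the checks and the interim hardening a DBA would run against the two issues above. It is not code from Secunia or from David Litchfield's advisory, and it is not a proof of concept. It assumes a DBA session on Oracle Database 10g or 11g and uses only the standard SYS views DBA_TAB_PRIVS and DBA_JAVA_POLICY and the documented DBMS_JAVA.DELETE_PERMISSION procedure; the SEQ value 1234 and the named-account grant are placeholders.

```sql
-- Added example (not from the advisory): DBA-side checks and interim
-- hardening for SA38353. Assumes a DBA session on Oracle 10g/11g.

-- 1) Who can call the two packages?  Issue 1 depends on DBMS_JVM_EXP_PERMS
--    being callable by ordinary users, issue 2 on DBMS_JAVA being callable.
--    A GRANTEE of PUBLIC means every account in the database.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
ORDER  BY table_name, grantee;

-- 2) Has the Java policy table already been tampered with?  A grant of
--    java.io.FilePermission on <<ALL FILES>> with the execute action to
--    anyone other than SYS is exactly what issue 1 lets an attacker write,
--    and is what they need to run OS commands.  Review every hit by hand;
--    legitimate applications rarely need it.
SELECT seq, kind, grantee, permission_type, permission_name,
       permission_action, enabled
FROM   dba_java_policy
WHERE  permission_type = 'java.io.FilePermission'
AND    permission_name = '<<ALL FILES>>'
AND    grantee <> 'SYS'
ORDER  BY seq;

-- 3) Interim hardening while the issues are unpatched: take the package
--    away from PUBLIC and re-grant it only to accounts that need it.
--    DBMS_JVM_EXP_PERMS is only used to export/import Java permissions, so
--    restricting it is low risk.  DBMS_JAVA is called by every Java stored
--    procedure user, so revoking it from PUBLIC needs application testing.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO <named_dba_account>;  -- placeholder

-- 4) Remove a rogue policy entry found in step 2 by its SEQ value.
--    1234 is a placeholder; use the SEQ returned by the query above.
-- CALL dbms_java.delete_permission(1234);

-- 5) Make future calls visible in the audit trail (requires AUDIT_TRAIL set
--    to DB or XML; entries then appear in DBA_AUDIT_TRAIL).
AUDIT EXECUTE ON sys.dbms_jvm_exp_perms BY ACCESS;
AUDIT EXECUTE ON sys.dbms_java BY ACCESS;
```

Step 2 is worth scheduling, not running once: the advisory's first issue leaves a persistent artifact in the policy table, so a repeated query against DBA_JAVA_POLICY is a cheap detection for it even after the access revoke in step 3 is in place.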

Solution

Grant only trusted users access to the application.

Reported by

David Litchfield

Original Advisory

https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-Oracle11g-video.m4v
http://www.databasesecurity.com/HackingAurora.pdf
http://www.databasesecurity.com/bh-DC2010.pdf

Copyright © 1996 - 2010 Kaspersky Lab. All rights reserved.