It is possible to call O/S commands or third-party programs from within SQL or PL/SQL with external procedures. This guide describes how to build, install and use such an ExtProc and shows an exploit on how to grant yourself Oracle sysdba rights. Think of an ExtProc as an Oracle root kit.
This guide applies to Oracle 8i, 9i and 10g and applies to both UNIX and WINDOWS. Note that Oracle 10g also offers another way of making calls to external procedures using its DBMS_SCHEDULER package. The exploit shown is for educational purposes only.
Overview
This guide describes how to build and install External Procedures on the Oracle Database. With en expternal procedure, it is possible to perform operating system commands and call other third-party programs from within SQL or PL/SQL.
An example of the commonly-used Host Command, used for making operating system calls from within PL/SQL code is demonstrated
This guide applies to Oracle 8i, 9i and 10g. Note that Oracle 10g. Oracle 01g also offers another way of making calls to external procedures using its DBMS_SCHEDULER package. This guide applies to UNIX and to a lesser extent to WINDOWS.
Building and installing binaries
Pre-conditions
-
Oracle is installed on your server. See the article Oracle server construction guide if you have not done this sort of thing before.
-
The environment variables $ORACLE_SID, $ORACLE_HOME and $ORACLE_BASE are correctly set up. $ORACLE_SID should point to the database that you intent to install this in.
-
For UNIX and Linux: gcc/cc/aCC and gmake/make are on the path For Win32: cl.exe and nmake.exe are on the path
-
You should be able to log on to your Oracle database as user 'oracle' (or whatever your Oracle admin user on your server is called) - at least once to deploy your ExtProc library.
Host Command Code
To illustrate the ExtProc process, we will build a simple little program that allows you to invoke as O/S command from Oracle's SQL or PL/SQL environment. Paste this code into you favourite editor:
-
#ifdef _WIN32
-
#include <windows.h>
-
#define DLL_EXPORT __declspec(dllexport)
-
#else
-
#include <string.h>
-
#define DLL_EXPORT
-
#endif
-
-
#ifdef __cplusplus
-
extern "C" {
-
#endif
-
-
#include <stdlib.h>
-
int DLL_EXPORT hostcmd(const char * cmd)
-
{
-
return system( cmd);
-
}
-
-
#ifdef __cplusplus
-
}
-
#endif
Once this code is installed on the server, it will be executed by the ORACLE DBA user. All forms of malicious command are possible with this command, including the ability to destroy the entire Oracle database using Oracle. There is therefore a great security risk associated with using this strategy.