CREATE ANY DIRECTORY to SYSDBA
An Oracle DB user who has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege. They do this by creating a DIRECTORY pointing to the password file location on the OS and then overwriting the password file with a previously prepared, known binary password file using UTL_FILE.PUT_RAW from within the DB.
This paper will show how the issue can be exploited and, most importantly, how to secure against it. This is an original vulnerability affecting current versions of the DB. Please note that Oracle Corp’s Security Department have already been informed in accordance with ethical procedures and have given their permission to publish.
Proof-of-concept code has been tested on 10.1, 10.2 and 11g on both Linux and Windows and is available below.
The above should only be carried out on test machines and only for the purposes of increasing security. It is still my opinion that Oracle is the best Relational DB available and with additional security expertise it should stay that way for a while yet.
P.S. I have subsequently written a workaround to this vulnerability in the form of a safe implementation of CREATE ANY DIRECTORY.
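An audit for the exposure described above, added here as an example; it is not the author's proof of concept or workaround. It assumes a DBA account that can read the DBA_* views and V$PWFILE_USERS, and it assumes the password file is in its default location ($ORACLE_HOME/dbs on Unix, %ORACLE_HOME%\database on Windows), so the path match in step 2 is a heuristic.

```sql
-- Added audit example (not from the original paper). Run as a DBA.

-- 1. Who holds CREATE ANY DIRECTORY, directly or through nested roles.
--    Each grantee listed here should have a documented need for it.
SELECT grantee, 'DIRECT' AS via_role
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY DIRECTORY'
UNION
SELECT DISTINCT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
START WITH rp.granted_role IN (SELECT grantee
                               FROM   dba_sys_privs
                               WHERE  privilege = 'CREATE ANY DIRECTORY')
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER BY 1, 2;

-- 2. DIRECTORY objects whose path looks like the default password file
--    directory, and who can read or write through them.
--    Assumption: default locations only. Adjust the patterns if the
--    password file lives elsewhere on this host.
SELECT d.directory_name,
       d.directory_path,
       p.grantee,
       p.privilege
FROM   dba_directories d
LEFT JOIN dba_tab_privs p
       ON  p.table_name = d.directory_name
       AND p.privilege IN ('READ', 'WRITE')
WHERE  LOWER(RTRIM(d.directory_path, '/\')) LIKE '%/dbs'
   OR  LOWER(RTRIM(d.directory_path, '/\')) LIKE '%\database'
ORDER BY d.directory_name, p.grantee;

-- 3. Accounts the password file currently lists with SYSDBA or SYSOPER.
--    Compare against the list of administrators you expect; an entry
--    nobody granted suggests the file was replaced.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER BY username;
```

Any row from step 2 deserves review on its own, since nothing legitimate normally needs a DIRECTORY object over the password file directory.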