Tutorials to .com

Tutorials to .com » Database » Oracle » Oracle database access restriction bypass vulnerability

Oracle database access restriction bypass vulnerability

Print View , by: iSee ,Total views: 22 ,Word Count: 581 ,Date: Sun, 23 Aug 2009 Time: 9:59 AM

Systems affected: oracle database 9.2.0.0 - 10.2.0.3

Description: BUGTRAQ ID: 17426

Oracle is a large commercial database system. Oracle 9.2.0.0 to 10.2.0.3 version of the base table to allow only the users SELECT permissions to view special insert / update / delete data, the successful use of the loopholes in the low-permissions users can view through the creation of a special lead insert, update and delete data.

This loophole Oracle data dictionary to have less impact, because most of the dictionary table no primary key, and take advantage of this loophole needs to be primary key.

Test Method:

Warning: The following procedures (methods) may carry offensive, for security research and teaching purposes. Users at your own risk!

The assumption that users only dbsnmp privileges SELECT ANY DICTIONARY, can not update the data dictionary table.

C: \> sqlplus dbsnmp / dbsnmp

SQL * Plus: Release 10.1.0.4.0 - Production on Thu Apr 8 19:20:27 2006

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:

Oracle database 10g Enterprise Edition Release 10.1.0.4.0

- Production With the Partitioning, OLAP and Data Mining options

SQL> select * from v $ version;

BANNER

Oracle Database 10g Enterprise Edition Release 10.1.0.4.0

- Prod PL / SQL Release 10.1.0.4.0 - Production

CORE 10.1.0.4.0 Production

TNS for 32-bit Windows: Version 10.1.0.4.0

- Production NLSRTL Version 10.1.0.4.0 - Production

SQL> - unable to delete data from the data dictionary (normal)

SQL> delete from sys.registry $;

delete from sys.registry $

*

ERROR at line 1:

ORA-01031: insufficient privileges

SQL> - create a special custom view

SQL> create or replace view e as select [... censored ...];

View created.

SQL> - throw away the data through the view!!! ==> Security hole!!!

SQL> delete from e;

17 rows deleted.

Suggested that the interim solution:

If you can not immediately install patches or upgrades, NSFOCUS recommend that you take the following measures to reduce the threat:

* 9i to 10g R1 filter connection the role of the deletion of CREATE VIEW (and CREATE DATABASE LINK, etc.) permissions.

* Deleted from the base table primary key. Please note that this may lead to performance and integrity problems.

Vendor patch: Oracle

At present, manufacturers have not provided a patch or upgrade, we recommend using this software, users concerned about the vendor's home page at any time to obtain the latest version.

Note: <* Source: Alexander Kornbrust (ak@red-database-security.com) link: http://marc.theaimsgroup.com/?l=bugtraq&m=114468438319540&w=2 *>




Oracle Tutorial Articles


Can't Find What You're Looking For?


Rating: Not yet rated

Comments

No comments posted.