Oracle-select.txt

Posted Apr 14, 2006
Authored by Alexander Kornbrust | Site red-database-security.com

Oracle versions 9.2.0.0-10.2.0.3 suffer from an unpatched vulnerability which allows users with SELECT only privileges on a base table to insert/update/delete data via a specially crafted view.

tags | advisory
SHA-256 | 52fce6051885e4c90f88131ef99b44526f5d4aaf91684d6e8bede57d2e41a144

Dear bugtraq-Reader

Last Thursday, 6th April 2006, Oracle released a note on the Oracle knowledgebase Metalink with details about an unfixed security vulnerability (=0day) and a working test case (=exploit code) which affects all versions of Oracle from 9.2.0.0 to 10.2.0.3. This note, "363848.1 – A User with SELECT Object Privilege on Base Tables Can Delete Rows from a View", was available last week to Metalink customers. The note was also displayed in the daily headlines section of Metalink.

This information can therefore be regarded as public knowledge, and DBAs/developers who missed the note on Metalink should know about this vulnerability in order to avoid or mitigate the risk (if possible) while waiting for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such information on Metalink is not a wise idea. Oracle normally criticises individuals and/or companies for releasing information about Oracle vulnerabilities (like David Litchfield from NGSSoftware for releasing information about a still unfixed bug in the mod_plsql gateway). In this case, Oracle not only released detailed information on the vulnerability; they also included the working exploit code on Metalink.

In an interview, the Oracle CSO stated: “I’ve known customers to terminate contracts … for releasing exploit code… you might get applause from hackers… but business will not pay you to slit their throats. With knowledge comes responsibility.”

After my email, Oracle removed the note from Metalink.


Problem:

Oracle versions 9.2.0.0-10.2.0.3 contain an unpatched vulnerability which allows users with only the “SELECT” privilege on a base table to insert, update or delete data via a specially crafted view.

The impact of this vulnerability on the Oracle data dictionary is low because most data dictionary tables don’t have a primary key, which is a requirement for this vulnerability.

The impact on custom applications can be huge and can eliminate the entire role concept, because well-designed applications normally have a read-only role for low-privileged users (e.g. reporting or external auditors). If these low-privileged users are able to create a view, which is standard in Oracle 9.2.x to 10g R1, they can also insert, update and delete data via a specially crafted view. Depending on the architecture, it is possible to modify data, escalate privileges, …


Test cases:

Oracle provided a complete test case in note 363848.1. I decided not to publish such code on the internet as long as patches are not available. If you need additional information you could contact me via email. A test case (without the specially crafted view) is available on my website:

http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html



Patches:

Currently there are no patches available. According to Oracle secalert, Oracle will provide patches in a future critical patch update.

Red-Database-Security is not convinced that the April 2006 CPU will contain patches against this vulnerability.



Workarounds / Risk Mitigation:

Sanitize the CONNECT role (9i - 10g R1): remove the CREATE VIEW (and CREATE DATABASE LINK, …) privilege from it.

Removing the primary key from the base table solves the problem too. Be aware that this could cause performance and integrity issues in the application.

Oracle recommends creating views with the option “WITH CHECK OPTION”. This
recommendation helps against accidental modification but not against hackers.
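
To scope the first workaround, the following audit query (an added example, not part of the advisory or of Oracle's note) lists users who hold only SELECT on a table with a primary key and who can also create views, either directly, via PUBLIC, or through nested roles. It assumes DBA access to the standard dictionary views; the two REVOKE statements at the end are the workaround named above.

```sql
-- Added audit example; run as a DBA. Uses only standard dictionary views.
-- CONNECT_BY_ROOT needs 10g; on 9.2 expand roles per user with START WITH.
-- Scope: object grants only; ANY-style system privileges are not considered.
WITH reach AS (
  -- every role reachable from a grantee through nested role grants
  SELECT CONNECT_BY_ROOT grantee AS root_grantee, granted_role
  FROM   dba_role_privs
  CONNECT BY PRIOR granted_role = grantee
),
principals AS (
  -- each user acts as itself, as PUBLIC, and as every reachable role
  SELECT username, username AS principal FROM dba_users
  UNION
  SELECT username, 'PUBLIC' FROM dba_users
  UNION
  SELECT u.username, r.granted_role
  FROM   dba_users u JOIN reach r ON r.root_grantee IN (u.username, 'PUBLIC')
),
view_creators AS (
  SELECT DISTINCT p.username
  FROM   principals p JOIN dba_sys_privs s ON s.grantee = p.principal
  WHERE  s.privilege IN ('CREATE VIEW', 'CREATE ANY VIEW')
),
obj_privs AS (
  SELECT DISTINCT p.username, t.owner, t.table_name, t.privilege
  FROM   principals p JOIN dba_tab_privs t ON t.grantee = p.principal
  WHERE  t.privilege IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
)
-- read-only grantees who can create views over primary-key tables
SELECT o.username, o.owner, o.table_name
FROM   obj_privs o
       JOIN view_creators v ON v.username = o.username
       JOIN dba_constraints c
         ON c.owner = o.owner AND c.table_name = o.table_name
        AND c.constraint_type = 'P'
WHERE  o.username <> o.owner
GROUP  BY o.username, o.owner, o.table_name
HAVING MAX(CASE WHEN o.privilege = 'SELECT' THEN 1 ELSE 0 END) = 1
   AND MAX(CASE WHEN o.privilege <> 'SELECT' THEN 1 ELSE 0 END) = 0
ORDER  BY o.username, o.owner, o.table_name;

-- The advisory's workaround for 9i - 10g R1: strip the privileges from CONNECT.
REVOKE CREATE VIEW FROM CONNECT;
REVOKE CREATE DATABASE LINK FROM CONNECT;
```

Rows returned before the REVOKE show where the read-only role concept is exposed; rerun the query afterwards to confirm that no read-only user still reaches CREATE VIEW through another role.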


Credits:

Special thanks to Jens Flasche who made Red-Database-Security aware of the
Metalink note and for the first analysis + additional test cases.



URLs:

Interview: Oracle CSO - Mary Ann Davidson
http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html

Metalink Hacking
http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf




----------------------------------------------------------------------

Are you interested in additional information about Oracle security?


Our next Oracle Anti-Hacker-Training:

23-may – 26-may (4 days (english) – Milano / Italy)
29-may – 2-june (5 days (english) – Cupertino [CA] / U.S.A)
19-june – 23-june (5 days (german) – Oberursel/Frankfurt / Germany)

----------------------------------------------------------------------
