Subject: Re: [Full-disclosure] Oracle 10g R2 and, probably, all previous versions
Date: Fri, 28 Jul 2006 13:13:53 -0700 (PDT)
Doh! Busted right back! Now I get the same results
(assuming I grant the user alter session of course -
if the user doesn't have alter session I get the
privilege error).

Thanks Raj!

--- rjamya <rjamya@gmail.com> wrote:

Russell,

you have a syntax error, you need a comma before LEVEL.

Raj

On 7/28/06, Russell Lowenthal <perpetualv@yahoo.com> wrote:
Interesting comment. So if I understand what you are saying I should be able to create a user:

SQL> create user nottoosmart identified by d0ntkn0wmuch;

User created.

SQL> grant create session to nottoosmart;

Grant succeeded.

SQL> connect nottoosmart/d0ntkn0wmuch
Connected.
SQL> alter session set events '10046 trace name context forever level 16';
ERROR:
ORA-01031: insufficient privileges

Hmm - would you mind posting your EXACT test case? I ran this against a 9.2.0.7, 10.2.0.1 and 10.2.0.2 database and seem to get different results than you are seeing.  Just for the heck of it I went ahead and granted the user alter session privileges:

SQL> conn / as sysdba
Connected.
SQL> grant alter session to nottoosmart;

Grant succeeded.

SQL> connect nottoosmart/d0ntkn0wmuch
Connected.
SQL> alter session set events '10046 trace name context forever level 16';
ERROR:
ORA-02194: event specification syntax error 230 (minor error 215) near 'LEVEL'

so even a user that I've purposely given privileges to alter their own session doesn't seem to be able to do anything with this command.

So far I have to call this myth: Busted

---Original message----
I can't believe it. Oracle releases new patches and they have not solved one of the main problems: A user with only the SELECT privilege can do WHATEVER (S)HE WANTS WITH THE ENTIRE DATABASE!!!!

I'm not sure if it is time to fully disclose it but, anyway, I will "full disclosure" one innocent issue, an integer overflow:

Example:
--Connect with any user with only CREATE SESSION
SQL> alter session set events '10046 trace name context forever, level 16';

Session altered.

SQL> alter session set events


'10046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004


61004610046100461004610046100461004610046100461004610046100461004610046100461004610046trace
name context forever, level 16';
ERROR:
ORA-00600: internal error code, arguments: [300], [985], [], [], [], [], [], []


It's not even a crash but (be sure) that there are other "combinations" that make it vulnerable to integer overflows allowing the execution of arbitrary code.

PD: Hello Mary Ann! Are you on holidays?




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 
----------------------------------------------
Got RAC?
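An added example, not part of the original thread or of any poster's test case: the transcripts above show `alter session set events` refused with ORA-01031 until ALTER SESSION is granted, so a DBA can audit which accounts reach that privilege directly or through nested roles. It assumes Oracle 10g or later (for `CONNECT_BY_ROOT` and `NOCYCLE`) and read access to the `DBA_*` dictionary views.

```sql
-- Added example: who can run ALTER SESSION SET EVENTS?
-- Walks direct grants and role-to-role grants down to ALTER SESSION.
WITH edges AS (
    -- direct system-privilege grants of ALTER SESSION
    SELECT grantee, privilege AS granted
      FROM dba_sys_privs
     WHERE privilege = 'ALTER SESSION'
    UNION ALL
    -- role memberships (user -> role, role -> role)
    SELECT grantee, granted_role AS granted
      FROM dba_role_privs
),
walk AS (
    SELECT CONNECT_BY_ROOT grantee              AS holder,
           granted,
           SYS_CONNECT_BY_PATH(granted, ' -> ') AS via
      FROM edges
   CONNECT BY NOCYCLE PRIOR granted = grantee
)
SELECT w.holder,
       NVL(u.account_status, 'PUBLIC (applies to every account)') AS status,
       w.via
  FROM walk w
  LEFT JOIN dba_users u
    ON u.username = w.holder
 WHERE w.granted = 'ALTER SESSION'
   -- keep real accounts and PUBLIC; drop rows whose root is only a role
   AND (u.username IS NOT NULL OR w.holder = 'PUBLIC')
 ORDER BY w.holder, w.via;

-- For an account that does not need it (name taken from the thread's test user):
-- REVOKE ALTER SESSION FROM nottoosmart;
```

The `via` column shows the grant chain, so a row such as ` -> SOME_ROLE -> ALTER SESSION` identifies the role to revoke from rather than the user.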


