Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Oracle DBMS Access Control Bypass in Login

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Oracle DBMS Access Control Bypass in Login
Date: 25 Jan 2006 10:05:18 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Oracle DBMS  Access Control Bypass in Login
------------------------------------------------------------------------


SUMMARY

Oracle is a widely deployed DBMS. Clients use a protocol called TNS to 
communicate to the Oracle server. Protocol messages are used for session 
setup, authentication and data transfer. The standard authentication 
mechanism requires a client to supply a valid pair of user name and 
password.

During the login process an Oracle user with no more than "create session" 
privileges can execute commands in the context of the special database 
user SYS. This of course grants any user the highest administrative 
privileges possible.

DETAILS

Vulnerable Systems:
 * Oracle 8i (8.1.7.x.x)
 * Oracle 9i (9.2.0.7)
 * Oracle 10g Release 1 (10.1.0.4.2)
 * Oracle 10g Release 2 (10.2.0.1.0)

The authentication part of the protocol is comprised of two steps, 
including two different client requests and two server responses 
respectively. The first request (message code 0x76) contains only the user 
name while the second (message code 0x73) contains the user name and an 
obfuscated password. This second request also contains a list of 
name-value pairs describing various attributes of the client. The value 
named "AUTH_ALTER_SESSION" is intended for setting up session attributes 
related to the locale and language, in the form of an ALTER SESSION SQL 
statement. It turns out that this value can contain any SQL statement. 
Moreover, this command is executed in the context of the SYS user, which 
operates outside of the Oracle access control mechanism. Thus, by setting 
the value of "AUTH_ALTER_SESSION" to an arbitrary SQL statement an 
attacker can execute any arbitrary command in the database. In particular, 
the attacker can create a new database account and create DBA privileges 
to the new account.

Notice that if the attacker tries to execute "GRANT DBA TO 
attacker_account" a deadlock occurs and attacker_account cannot login to 
the database until the connection is closed.

Disclosure Timeline:
Vendor notified on 02-Nov-05
Patch released on 17-Jan-06 (5745699 OAUTH - REMOTE AUTHENTICATED ESCALATE 
TO DBA VIA AUTH_ALTER_SESSION)


ADDITIONAL INFORMATION

The information has been provided by  <mailto:shulman@imperva.com> 
shulman.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Oracle DBMS Access Control Bypass in Login, SecuriTeam <=
Previous by Date:  [NT] TFTPd Filename Format String, SecuriTeam
Next by Date:  [REVS] Attacking Automatic Wireless Network Selection, SecuriTeam
Previous by Thread:  [NT] TFTPd Filename Format String, SecuriTeam
Next by Thread:  [REVS] Attacking Automatic Wireless Network Selection, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]