full-disclosure-uk August 2008 archive

Re: [Full-disclosure] Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

From: Team SHATTER <shatter_at_nospam>
Date: Mon Aug 11 2008 - 21:29:15 GMT
To: "Memisyazici, Aras" <arasm@vt.edu>


The DBA role in Oracle Database is not the same as SYSDBA privilege, which is granted to SYS. There are many things that a user granted the DBA role can't do - the most important being the ability to alter SYS owned objects. This is true on databases where O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).

This vulnerability allows any user with execute privileges on the affected package (by default users granted the DBA role) to impersonate the SYS user.
This is an especially high-risk vulnerability in databases where strict separation of duty is implemented as required by some regulations. This may also be the case, for instance, where Oracle Database Vault is deployed. Exploiting this vulnerability may allow a DBA to bypass Database Vault protections and access protected data that should be restricted by Database Vault. In other words, a DBA may escalate to DV_OWNER (Database Vault Owner) privileges.

Also, the default privileges required to execute the affected package could have been changed to include non-trusted users. In this case, these non-trusted users may exploit the vulnerability to escalate privileges and own the database.

Application Security Inc. (www.appsecinc.com)

Memisyazici, Aras wrote:
| Umm...
|>> By default, users granted DBA have the required privilege. <<
| So... You are saying, people should beware of DBAs (Database
| Administrators... AKA DB Gods) having the possibility to do SQL
| injection? Riighhtt... And why should they go through the trouble of
| exploiting a webapp to manipulate data in the DB? They're DBAs... As in
| they already CAN manipulate the data in the database since they sort
| of ADMINISTER it!
|
| Aras "Russ" Memisyazici
| Systems Administrator
| Office of Vice President for Research
| Virginia Tech
|
| -----Original Message-----
| From: Team SHATTER [mailto:shatter@appsecinc.com]
| Sent: Monday, August 04, 2008 12:42 PM
| To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
| Subject: Team SHATTER Security Advisory: SQL Injection in Oracle
|
| Team SHATTER Security Advisory
| SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
| August 4, 2008
|
| Risk Level:
| Medium
|
| Affected versions:
| Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1
|
| Remote exploitable:
| Yes (Authentication to Database Server is needed)
|
| Credits:
| This vulnerability was discovered and researched by Esteban Martínez
| Fayó of Application Security Inc.
|
| Details:
| The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL
| Injection in the DELETE_TRAN procedure. A malicious user can call the
| vulnerable procedure of this package with specially crafted parameters
| and execute SQL statements with the elevated privileges of SYS user.
|
| Impact:
| Any Oracle database user with EXECUTE privilege on the package
| SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users
| granted DBA have the required privilege. Exploitation of this
| vulnerability allows an attacker to execute SQL commands with SYS
| privileges.
|
| Vendor Status:
| Vendor was contacted and a patch was released.
|
| Workaround:
| Restrict access to the SYS.DBMS_DEFER_SYS package.
|
| Fix:
| Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
|
| Links:
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592
|
| Timeline:
| Vendor Notification - 9/24/2007
| Vendor Response - 9/28/2007
| Fix - 7/15/2008
| Public Disclosure - 7/23/2008


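The workaround in the quoted advisory ("restrict access to the SYS.DBMS_DEFER_SYS package") and the point made in the reply (the DBA role reaches the package, SYS-level access is what the bug hands out) are both easier to act on with an inventory of who can actually execute the package. The SQL below is an added example and not part of the advisory or of either message in the thread. It uses only Oracle's own views (DBA_TAB_PRIVS, ROLE_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, V$PARAMETER, DBA_REGISTRY_HISTORY); the grantee name `app_reader` in the REVOKE is a placeholder to be replaced with what the inventory queries return.

```sql
-- Added example, not part of the advisory or the thread: inventory and
-- hardening for the workaround "restrict access to SYS.DBMS_DEFER_SYS".
-- View and object names are Oracle's own; app_reader is a placeholder.
-- Run as SYS, or as any account with SELECT on the DBA_* views.

-- 1. Direct object grants: who holds EXECUTE on the package outright.
--    A row with grantee = PUBLIC means every account in the database.
SELECT grantee, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_DEFER_SYS'
 ORDER BY grantee;

-- 2. Indirect grants: roles that carry EXECUTE on the package, walked
--    up through any depth of role nesting to the users that hold them.
--    Hierarchical CONNECT BY is available on every affected release
--    (9i through 11gR1); Oracle rejects circular role grants, so no
--    NOCYCLE guard is needed.
SELECT DISTINCT h.grantee      AS username,
                h.granted_role AS via_role,
                h.depth
  FROM (SELECT grantee, granted_role, LEVEL AS depth
          FROM dba_role_privs
         START WITH granted_role IN (
                 SELECT role
                   FROM role_tab_privs
                  WHERE owner = 'SYS'
                    AND table_name = 'DBMS_DEFER_SYS'
                    AND privilege = 'EXECUTE')
       CONNECT BY PRIOR grantee = granted_role) h
  JOIN dba_users u ON u.username = h.grantee
 ORDER BY h.depth, h.grantee;

-- 3. Confirm the dictionary-protection setting the reply relies on.
--    With TRUE, system privileges such as EXECUTE ANY PROCEDURE also
--    reach SYS-owned objects, so the population found above is wider.
SELECT name, value
  FROM v$parameter
 WHERE UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. The advisory's workaround. Revoke from every grantee listed by
--    steps 1 and 2 that does not administer deferred transactions.
--    DBMS_DEFER_SYS manages the deferred transaction queue used by
--    Advanced Replication, so revoking it from a role that replication
--    jobs run under will break those jobs; check first.
--    app_reader is a placeholder grantee, not a default Oracle account.
REVOKE EXECUTE ON sys.dbms_defer_sys FROM app_reader;

-- 5. Until the July 2008 CPU is applied, record every call to the
--    package so an exploitation attempt lands in the audit trail
--    (requires AUDIT_TRAIL to be enabled).
AUDIT EXECUTE ON sys.dbms_defer_sys BY ACCESS;

-- 6. Verify that a CPU was actually applied. DBA_REGISTRY_HISTORY is
--    present on 10gR2 and later; on 9i/10gR1 check the OPatch inventory
--    on the host instead.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

Step 2 is the one that matters for the argument in the thread: a user never granted EXECUTE directly still reaches the package if any role in his grant chain carries it, which is exactly how an account holding DBA ends up in the affected population.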