Re: Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)

[Team SHATTER <shatter () appsecinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The DBA role in Oracle Database is not the same as SYSDBA privilege,
which is granted to SYS. There are many things that a user granted the
DBA role can't do - the most important being the ability to alter SYS
owned objects. This is true on databases where
O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).

This vulnerability allows any user with execute privileges on the
affected package (by default users granted the DBA role) to impersonate
the SYS user.
This is especially high risk vulnerability in databases where strict
separation-of-duty is implemented as required by some regulations. This
may also be the case, for instance, where Oracle Database Vault is
deployed. Exploiting this vulnerability may allow a DBA to bypass
Database Vault protections and access protected data that should be
restricted by Database Vault. In other words, a DBA may escalate to
DV_OWNER (Database Vault Owner) privileges.

Also, the default privileges required to execute the affected package
could have been changed to include non-trusted users. In this case,
these non-trusted users may exploit the vulnerability to escalate
privileges and own the database.

Team SHATTER,
Application Security Inc. (www.appsecinc.com)
Memisyazici, Aras wrote:
| Umm...
|
|>> By default, users granted DBA have the required privilege. <<
|
| So... You are saying, people should beware of DBAs (Database
Administrators... AKA DB Gods) having the possibility to do SQL
injection? Riighhtt... And why should they go through the trouble of
exploiting a webapp to manipulate data in the DB? They're DBAs... As in
they already CAN manipulate the data in the database since they sort of
ADMINISTER it!
|
| Aras "Russ" Memisyazici
| Systems Administrator
| Office of Vice President for Research
| Virginia Tech
|
| -----Original Message-----
| From: Team SHATTER [mailto:shatter () appsecinc com]
| Sent: Monday, August 04, 2008 12:42 PM
| To: bugtraq () securityfocus com; full-disclosure () lists grok org uk
| Subject: Team SHATTER Security Advisory: SQL Injection in Oracle
Database (DBMS_DEFER_SYS.DELETE_TRAN)
|
| Team SHATTER Security Advisory
|
| SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
|
| August 4, 2008
|
| Risk Level:
| Medium
|
| Affected versions:
| Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1
|
| Remote exploitable:
| Yes (Authentication to Database Server is needed)
|
| Credits:
| This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
|
| Details:
| The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL
Injection in the DELETE_TRAN procedure. A malicious user can call the
vulnerable procedure of this package with specially crafted parameters
and execute SQL statements with the elevated privileges of SYS user.
|
| Impact:
| Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users
granted DBA have the required privilege. Exploitation of this
vulnerability allows an attacker to execute SQL commands with SYS
privileges.
|
| Vendor Status:
| Vendor was contacted and a patch was released.
|
| Workaround:
| Restrict access to the SYS.DBMS_DEFER_SYS package.
|
| Fix:
| Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
|
| Links:
|
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592
|
| Timeline:
| Vendor Notification - 9/24/2007
| Vendor Response - 9/28/2007
| Fix - 7/15/2008
| Public Disclosure - 7/23/2008
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkigrysACgkQ9EOAcmTuFN3trACfajJ17O9b/1efhlM0QAljCedp
if4AoJ6+dqDggI41lsxePQ9PKfIjDkg+
=k+BC
-----END PGP SIGNATURE-----