Oracle read-only user can insert/update/delete data via specially crafted views

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Oracle read-only user can insert/update/delete data via specially crafted views
From: ak@xxxxxxxxxxxxxxxxxxxxxxxxx
Date: 10 Apr 2006 11:57:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Dear bugtraq-Reader

Last Thursday 6th April 2006, Oracle released a note on the Oracle 
knowledgebase Metalink with details about an unfixed security vulnerability 
(=0day) and a working test case (=exploit code) which effects all versions of 
Oracle from 9.2.0.0 to 10.2.0.3. This note "363848.1 ? A User with SELECT 
Object Privilege on Base Tables Can Delete Rows from a View" was available last 
week to Metalink customers. The note was also displayed in the daily headlines 
section of the Metalink.
 
That?s why this information can be assumed as public knowledge and 
DBAs/Developers which missed the note on Metalink should know this 
vulnerability in order to avoid/mitigate the risk (if possible) whilst waiting 
for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such 
information on Metalink is not a wise idea. Oracle normally criticises 
individuals and/or companies for releasing information about Oracle 
vulnerabilities (like David Litchfield from NGSSoftware for releasing 
information an ever not fixed bug in mod_plsql gateway). In this case, not only 
Oracle released detailed information on the vulnerability; they also included 
the working exploit code on the Metalink. 

In an interview, the Oracle CSO stated:  ?I?ve known customers to terminate 
contracts ? for releasing exploit code? you might get applause from hackers? 
but business will not pay you to slit their throats. With knowledge comes 
responsibility.? 

After my email, Oracle removed the note from Metalink. 


Problem: 

In Oracle versions (9.2.0.0-10.2.0.3) exists an unpatched vulnerability which 
allows users with ?SELECT? only privileges on a base table to insert/update/ 
delete data via a specially crafted view.

The impact of this vulnerability on the Oracle data dictionary is low because 
most data dictionary tables don?t have a primary key which is a requirement for 
this vulnerability.

The impact on custom applications can be huge and eliminate the entire role 
concept because in well designed applications there is normally a read-only 
role for low-privilege users (e.g. reporting or external auditors). If these 
low-privileged users are able to create a view, which is standard in Oracle 
9.2.x to 10 g R1, they could also insert, update and delete data via a 
specially crafted view. Depending on the architecture, it is possible to modify 
data, escalate privileges, ?


Test cases:

Oracle provided a complete test case in note 363848.1. I decided not to publish 
such code on the internet as long as patches are not available. If you need 
additional information you could contact me via email. A test case (without the 
specially crafted view) is available on my website:

http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html



Patches:

Currently there are no patches available. According to Oracle secalert Oracle 
will provide patches in a future critical patch update.
 
Red-Database-Security is not convinced that the April 2006 CPU will contain 
patches against this vulnerability.



Workarounds / Risk Mitigation:

Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW (and CREATE 
DATABASE LINK, ?) privilege from the connect role. 
Removing the primary key from the base table solves the problem too. Be aware 
that this could cause performance and integrity issues on the application.

Oracle recommends creating views the option ?WITH CHECK OPTION?. This 
recommendation helps against accidental modification but not against hackers. 


Credits:

Special thanks to Jens Flasche who made Red-Database-Security aware of the 
Metalink note and for the first analysis + additional test cases. 



URLs:

Interview: Oracle CSO - Mary Ann Davidson
http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html

Metalink Hacking
http://www.red-database-security.com/wp/oracle_metalink_hacking_us.pdf




----------------------------------------------------------------------

Are you interested in additional information about Oracle security?


Our next Oracle Anti-Hacker-Training:

23-may ? 26-may   (4 days (english) ? Milano / Italy) 
29-may ? 2-june   (5 days (english) ? Cupertino [CA] / U.S.A) 
19-june ? 23-june (5 days (german)  ? Oberursel/Frankfurt / Germany) 

----------------------------------------------------------------------

Prev by Date: phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Next by Date: Re[2]: Bypassing ISA Server 2004 with IPv6
Previous by thread: phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Next by thread: function *() php/apache Crash PHP 4.4.2 and 5.1.2
Index(es):
- Date
- Thread