From idlabs-advisories@idefense.com Thu Sep 2 23:45:37 2004
From: idlabs-advisories@idefense.com
To: idlabs-advisories@idefense.com
Date: Thu, 2 Sep 2004 13:35:34 -0400
Reply-To: customerservice@idefense.com
Subject: [Full-Disclosure] iDEFENSE Security Advisory 09.02.04b: Oracle Database Server ctxsys.driload Access Validation Vulnerability

Oracle Database Server ctxsys.driload Access Validation Vulnerability

iDEFENSE Security Advisory 09.02.04b
www.idefense.com/application/poi/display?id=136&type=vulnerabilities
September 2, 2004

I. BACKGROUND

Oracle Database Server is a family of database products that range from personal databases to enterprise solutions. Further information is available at:

http://www.oracle.com/database/index.html

II. DESCRIPTION

Remote exploitation of an access validation vulnerability in multiple versions of Oracle Corp.'s Oracle Database Server could allow authenticated users to obtain administrative privileges.

The problem specifically exists because, although Oracle 9i databases have the ctxsys account locked by default, the package ctxsys.driload is still accessible to users. The package ctxsys.driload allows every user to execute commands as DBA. A database connection with execute permission on the package ctxsys.driload is required.

The following example queries, executed under the credentials of the default user scott (password 'tiger'), demonstrate this vulnerability:

SQL> exec ctxsys.driload.validate_stmt('create user hacker identified by hacker');
SQL> exec ctxsys.driload.validate_stmt('grant dba, connect to hacker');

III. ANALYSIS

Successful exploitation allows authenticated users to execute arbitrary commands as DBA, which allows complete control over the database. This vulnerability is the result of three separate issues:

1. Some packages of ctxsys are granted to public (e.g. driload).
2. The package driload uses the permissions of the owner (CTXSYS = DBA) instead of those of the caller of the procedure (e.g. scott).
3.
The package driload executes every valid SQL command (e.g. create user, grant dba to, drop user, etc.) without further tests.

Locking the ctxsys user account does not prevent exploitation.

IV. DETECTION

iDEFENSE has confirmed that Oracle Database Server version 9.2.0.4 is vulnerable. It has been reported that 8.1.7.4 and 9.0.1.3 are vulnerable. It is suspected that all versions earlier than 9.2.0.4 are vulnerable.

V. WORKAROUND

If ctxsys is not needed, drop the user by executing the following SQL statement (CASCADE is required because the ctxsys schema owns objects):

SQL> drop user ctxsys cascade;

Otherwise, revoke public privileges on the vulnerable object via the following SQL statement:

SQL> revoke execute on ctxsys.driload from public;

VI. VENDOR RESPONSE

"[This] issue [has] been addressed in Alert 68."

http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0637 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

05/06/2004 Initial vendor notification
05/06/2004 iDEFENSE clients notified
05/06/2004 Initial vendor response
09/02/2004 Public disclosure

IX. CREDIT

Alexander Kornbrust (www.red-database-security.com) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
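An audit query, added here as an example and not part of the advisory, that checks the three conditions from section III for every CTXSYS package rather than driload alone: it lists each CTXSYS package PUBLIC can execute, whether it runs with definer's (owner's) rights, and the owner's account status, which shows why a locked ctxsys account is not a mitigation. It assumes the standard Oracle DBA_TAB_PRIVS, DBA_PROCEDURES and DBA_USERS dictionary views and a session privileged to read them.

```sql
-- Added audit query (not from the advisory). Run as a DBA or a user with
-- SELECT ANY DICTIONARY; assumes the standard DBA_* views exist.
SELECT p.owner,
       p.table_name      AS package_name,   -- packages appear in TABLE_NAME
       p.grantee,
       p.privilege,
       d.authid,                            -- DEFINER = runs as CTXSYS (issue 2)
       u.account_status,                    -- LOCKED does not block the call
       CASE
         WHEN d.authid = 'DEFINER'
           THEN 'EXPOSED: definer rights package executable by PUBLIC'
         ELSE 'callable by PUBLIC, but with caller rights'
       END                AS assessment
  FROM dba_tab_privs p
  JOIN (SELECT DISTINCT owner, object_name, authid
          FROM dba_procedures) d
    ON d.owner = p.owner
   AND d.object_name = p.table_name
  JOIN dba_users u
    ON u.username = p.owner
 WHERE p.owner = 'CTXSYS'          -- issue 1: grants from the CTXSYS schema
   AND p.grantee = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
 ORDER BY p.table_name;
```

After applying the workaround from section V, re-run the query: no row for DRILOAD should remain, and any other CTXSYS package still listed with AUTHID = DEFINER deserves the same review.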