Imperva's security web site just published this warning about
a severe Oracle security vulnerability, titled “Security
Advisory: Oracle DBMS – Critical Access Control Bypass in Login
Bug”:
http://www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html
Imperva claims that there is a bug in the authorization
mechanism of Oracle 8i, 9i, and 10g that allows someone with
nothing more than "create session" privileges to use the
tnsnames.ora file to issue privileged SYS commands:
"The standard authentication mechanism requires a client to
supply a valid pair of user name and password. During the login
process an Oracle user with no more than “create session”
privileges can execute commands in the context of the special
database user SYS. This grants any user the highest
administrative privileges possible."
Imperva has details on this alleged vulnerability:
“The authentication part of the protocol is comprised of two
steps, including two different client requests and two server
responses respectively. The first request (message code 0x76)
contains only the user name while the second (message code 0x73)
contains the user name and an obfuscated password.
This second request also contains a list of name-value pairs
describing various attributes of the client. The value named
“AUTH_ALTER_SESSION” is intended for setting up session
attributes related to the locale and language, in the form of an
ALTER SESSION SQL statement.
It turns out that this value can contain any SQL statement.
Moreover, this command is executed in the context of the SYS
user, which operates outside of the Oracle access control
mechanism. Thus, by setting the value of “AUTH_ALTER_SESSION” to
an arbitrary SQL statement an attacker can execute any arbitrary
command in the database. In particular, the attacker can create
a new database account and create DBA privileges to the new
account.”
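The quoted advisory says AUTH_ALTER_SESSION is meant to carry a locale/language ALTER SESSION statement but is executed as SYS whatever it contains. The following is an added example (not Imperva's or Oracle's code) of the check a database firewall or login proxy could apply to the name-value pairs of the second login request: accept only an ALTER SESSION SET statement made of NLS_* assignments and flag everything else. The attribute list is a constructed, already-parsed representation; the real TNS wire encoding and the other attribute names are assumed for illustration only.

```python
import re

# Constructed, already-decoded view of the name-value pairs carried in the
# second login request (message code 0x73). The TNS wire format is not
# reproduced; only the decoded pairs are inspected.
LoginAttrs = list[tuple[str, str]]

# AUTH_ALTER_SESSION is documented by the advisory as a locale/language
# ALTER SESSION statement, so that is the only shape we allow.
_ALTER_SESSION_SET = re.compile(r"^\s*ALTER\s+SESSION\s+SET\s+(.*)$",
                                re.IGNORECASE | re.DOTALL)
_NLS_ASSIGNMENT = re.compile(r"(NLS_[A-Z_]+)\s*=\s*'([^']*)'", re.IGNORECASE)


def classify_auth_alter_session(value: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one AUTH_ALTER_SESSION value."""
    m = _ALTER_SESSION_SET.match(value)
    if not m:
        return "block", "value is not an ALTER SESSION SET statement"
    body = m.group(1)
    pos = 0
    count = 0
    # Walk the body as a sequence of NLS_x='literal' assignments. Anything
    # between or after them (a ';', a '--' comment, a second statement,
    # a non-NLS parameter) means the value is not a plain locale setting.
    for am in _NLS_ASSIGNMENT.finditer(body):
        if body[pos:am.start()].strip():
            return "block", "unexpected text between NLS assignments"
        count += 1
        pos = am.end()
    if count == 0 or body[pos:].strip():
        return "block", "text other than NLS assignments after ALTER SESSION SET"
    return "allow", f"{count} NLS assignment(s)"


def inspect_login_attributes(attrs: LoginAttrs) -> list[str]:
    """Return findings (empty list = clean) for one decoded login request."""
    findings = []
    seen = 0
    for name, value in attrs:
        if name.upper() != "AUTH_ALTER_SESSION":
            continue
        seen += 1
        verdict, reason = classify_auth_alter_session(value)
        if verdict == "block":
            findings.append(f"AUTH_ALTER_SESSION rejected ({reason}): {value[:60]!r}")
    if seen > 1:
        findings.append(f"AUTH_ALTER_SESSION supplied {seen} times in one login")
    return findings


# Constructed sample requests, not captured traffic; AUTH_TERMINAL is assumed.
BENIGN_LOGIN: LoginAttrs = [
    ("AUTH_TERMINAL", "pts/1"),
    ("AUTH_ALTER_SESSION", "ALTER SESSION SET NLS_LANGUAGE='AMERICAN' NLS_TERRITORY='AMERICA'"),
]
SUSPICIOUS_LOGIN: LoginAttrs = [
    ("AUTH_TERMINAL", "pts/1"),
    ("AUTH_ALTER_SESSION", "ALTER SESSION SET NLS_LANGUAGE='AMERICAN'; GRANT DBA TO NEWUSER"),
]
```

Because the statement runs as SYS before the session's own privileges apply, blocking at the network or proxy layer is the only place this check helps on an unpatched server; on a patched one it still gives a useful audit signal.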