<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1522" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2>
<P class=MsoTitle style="MARGIN: 12pt 0cm 3pt"><STRONG><FONT size=5>Oracle DBMS
– Access Control Bypass in Login</FONT></STRONG></P>
<P class=MsoTitle style="MARGIN: 12pt 0cm 3pt"><STRONG><FONT
size=5>**********************************************************</FONT></STRONG></P>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Background</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>***********************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Oracle is a widely deployed DBMS. Clients use a protocol called TNS to
communicate with the Oracle server. Protocol messages are used for session setup,
authentication and data transfer. The standard authentication mechanism requires
a client to supply a valid user name and password pair.</FONT></P>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Scope</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>****************************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Imperva’s Application Defense Center is conducting extensive research
into the TNS protocol and its implementation. As part of the research the team has
identified a severe vulnerability in Oracle’s access control
mechanism.</FONT></P>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Findings</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>***************************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>During the login process an Oracle user with no more than “create
session” privileges can execute commands in the context of the special database
user SYS. This of course grants any user the highest administrative privileges
possible.</FONT></P>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Details</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>**********************************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>The authentication part of the protocol consists of two steps, each
made up of a client request and the corresponding server response.
The first request (message code 0x76) contains only the user name, while the
second (message code 0x73) contains the user name and an obfuscated password.
</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>This second request also contains a list of name-value pairs describing
various attributes of the client. The value named “AUTH_ALTER_SESSION” is
intended for setting up session attributes related to the locale and language,
in the form of an <I>ALTER SESSION</I> SQL statement.</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>It turns out that this value can contain <B>any</B> SQL statement.
Moreover, the statement is executed in the context of the SYS user, which
operates outside of the Oracle access control mechanism. Thus, by setting the
value of “AUTH_ALTER_SESSION” to an arbitrary SQL statement an attacker can
execute any command in the database. In particular, the attacker can
create a new database account and grant DBA privileges to the new
account.</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Notice that if the attacker tries to execute <I>“GRANT DBA TO
attacker_account”</I> a deadlock occurs and <I>attacker_account</I> cannot log in
to the database until the connection is closed.</FONT></P>
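<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Added example, not part of Imperva’s advisory or of Oracle’s code: a
Python check that a monitoring layer could run on the AUTH_ALTER_SESSION value
once the name-value pairs of the 0x73 request have been decoded. The decoding
step, the function names and the allowed-parameter list are assumptions.</FONT></P>
<PRE>
```python
import re

# Assumption: parameters a legitimate client sets at login (locale and
# language settings, per the advisory, plus the session time zone).
ALLOWED_PREFIXES = ("NLS_",)
ALLOWED_NAMES = {"TIME_ZONE"}

# One "NAME = value" assignment; the value is a quoted string or a bare token.
_ASSIGN = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*('(?:[^']|'')*'|[^\s';]+)")
_HEAD = re.compile(r"\s*ALTER\s+SESSION\s+SET\b", re.IGNORECASE)

# Constructed sample values (not captured traffic).
SAMPLE_BENIGN = "ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN' NLS_TERRITORY= 'AMERICA'\x00"
SAMPLE_SUSPECT = "GRANT DBA TO attacker_account"


def check_auth_alter_session(value):
    """Return a list of findings; an empty list means the value looks benign."""
    text = value.rstrip("\x00 \t\r\n")
    head = _HEAD.match(text)
    if head is None:
        return ["not an ALTER SESSION SET statement"]
    findings = []
    pos = head.end()
    seen = 0
    while pos != len(text):
        m = _ASSIGN.match(text, pos)
        if m is None:
            # Anything that is not a further assignment (a second statement,
            # a comment, a stray clause) is reported rather than ignored.
            findings.append("unparsed trailing text: %r" % text[pos:pos + 40])
            break
        name = m.group(1).upper()
        if not (name.startswith(ALLOWED_PREFIXES) or name in ALLOWED_NAMES):
            findings.append("unexpected session parameter: " + name)
        seen += 1
        pos = m.end()
    if seen == 0 and not findings:
        findings.append("no parameters set")
    return findings


def audit_login(pairs):
    """pairs: dict of name-value attributes decoded from the 0x73 request."""
    value = pairs.get("AUTH_ALTER_SESSION")
    return [] if value is None else check_auth_alter_session(value)


if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_SUSPECT):
        print(repr(sample), check_auth_alter_session(sample))
```
</PRE>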
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Exploit</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>*********************************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Change the value of the <I>AUTH_ALTER_SESSION</I> attribute in the TNS
authentication message.</FONT></P>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Tested Versions</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>***********************************</FONT></P>
<H2 style="MARGIN: 12pt 0cm 3pt"><EM>Vulnerable</EM></H2>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Oracle 8i (8.1.7.x.x)</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Oracle 9i (9.2.0.7)</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Oracle 10g Release 1 (10.1.0.4.2)</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Oracle 10g Release 2 (10.2.0.1.0)</FONT></P>
<H2 style="MARGIN: 12pt 0cm 3pt"><EM>Not Vulnerable</EM></H2>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Vendor’s Status</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>*****************************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Vendor notified on 02-Nov-05</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Patch released on 17-Jan-06 (5745699 OAUTH - REMOTE AUTHENTICATED
ESCALATE TO DBA VIA AUTH_ALTER_SESSION)</FONT></P>
<H1 style="MARGIN: 12pt 0cm 3pt"><FONT size=5>Workaround</FONT></H1>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>*********************************</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>None.</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><?xml:namespace prefix = o ns =
"urn:schemas-microsoft-com:office:office" /><o:p><FONT face="Times New Roman"
size=3> </FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Copyright (c) 2006 Imperva</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Redistribution of this alert electronically is allowed as long as it is
not edited in any way. To reprint this alert, in whole or in part, in any medium
other than electronic medium, please email adc@imperva.com for
permission.</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman"
size=3> </FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>Disclaimer</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT face="Times New Roman"
size=3>The information within this advisory is subject to change without notice.
Use of this information constitutes acceptance for use in an AS IS condition.
Any use of this information is at the user's own risk.<SPAN
style="mso-spacerun: yes"> </SPAN>There are no warranties, implied or
express, with regard to this information. In no event shall the author be liable
for any direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information.</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman"
size=3> </FONT></o:p></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><o:p><FONT face="Times New Roman"
size=3> </FONT></o:p></P>
<P class=MsoNormal
style="MARGIN: 0cm 0cm 0pt; LINE-HEIGHT: normal; TEXT-ALIGN: left; mso-layout-grid-align: none"
align=left><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'; mso-fareast-font-family: 'Times New Roman'; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"><o:p> </o:p></SPAN></P></FONT></DIV>
<DIV> </DIV>
<DIV dir=ltr align=left>
<DIV dir=ltr align=left>
<TABLE class=MsoNormalTable cellSpacing=0 cellPadding=0 align=left border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 0in; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; PADDING-TOP: 0in"
colSpan=3>
<P style="MARGIN-BOTTOM: 12pt; mso-element: frame"><FONT face=Verdana
color=#2f506d size=1><SPAN
style="FONT-SIZE: 8.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana"><STRONG>Amichai
Shulman<BR></STRONG>CTO</SPAN></FONT></P></TD></TR>
<TR>
<TD
style="PADDING-RIGHT: 0in; PADDING-LEFT: 0in; PADDING-BOTTOM: 0in; PADDING-TOP: 0in"
vAlign=top noWrap>
<P style="mso-element: frame"><FONT face=Verdana color=#2f506d
size=1><SPAN
style="FONT-SIZE: 8.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana"><A
href="http://www.imperva.com/"><SPAN style="TEXT-DECORATION: none">Imperva,
Inc.</SPAN></A><BR>12 Hachilazon
St.<BR>Ramat-Gan<BR>Israel</SPAN></FONT></P>
<P style="mso-element: frame"><FONT face=Verdana color=#2f506d
size=1><SPAN
style="FONT-SIZE: 8.5pt; COLOR: #2f506d; FONT-FAMILY: Verdana">Office:
972-3-6120133 (103)<BR>Mobile: 972-54-5885083 <BR>E-mail: <A
href="mailto:shulman@imperva.com">shulman@imperva.com</A><o:p></o:p></SPAN></FONT></P></TD>
</TR></TBODY></TABLE></DIV>
</DIV>
<DIV> </DIV></BODY></HTML>