| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20060728175502.86841.qmail@web55708.mail.re3.yahoo.com> Date: Fri, 28 Jul 2006 10:55:01 -0700 (PDT) From: Russell Lowenthal <perpetualv@...oo.com> To: hasecorp@...mail.com, bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Oracle 10g R2 and, probably, all previous versions Interesting comment. So if I understand what you are saying I should be able to create a user: SQL> create user nottoosmart identified by d0ntkn0wmuch; User created. SQL> grant create session to nottoosmart; Grant succeeded. SQL> connect nottoosmart/d0ntkn0wmuch Connected. SQL> alter session set events '10046 trace name context forever level 16'; ERROR: ORA-01031: insufficient privileges Hmm - would you mind posting your EXACT test case? I ran this against a 9.2.0.7, 10.2.0.1 and 10.2.0.2 database and seem to get different results then you are seeing. Just for the heck of it I went ahead and granted the user alter session privileges: SQL> conn / as sysdba Connected. SQL> grant alter session to nottoosmart; Grant succeeded. SQL> connect nottoosmart/d0ntkn0wmuch Connected. SQL> alter session set events '10046 trace name context forever level 16'; ERROR: ORA-02194: event specification syntax error 230 (minor error 215) near 'LEVEL' so even a user that I've purposely given privileges to alter their own session doesn't seem to be able to do anything with this command. So far I have to call this myth: Busted ---Original message---- I can't believe it. Oracle releases new patches and they have not been solved one of the main problems: A user with only the SELECT privilege can do WHATEVER (S)HE WANTS WITH THE ENTIRE DATABASE!!!! I'm not sure if is time to full disclosure it but, anyway, I will "full disclosure" one inocent issue, an integer overflow: Example: --Connect with any user with only CREATE SESSION SQL> alter session set events '10046 trace name context forever, level SQL> 16'; Session altered. SQL> alter session set events '10046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004 61004610046100461004610046100461004610046100461004610046100461004610046100461004610046trace name context forever, level 16'; ERROR: ORA-00600: internal error code, arguments: [300], [985], [], [], [], [], [], [] It's not even a crash but (be sure) that there are other "combinations" that makes it vulnerable to integer overflows allowing the execution of arbritrary code. PD: Hello Mary Ann! Are you on holidays? _________________________________________________________________ Grandes éxitos, superhéroes, imitaciones, cine y TV... http://es.msn.kiwee.com/ Lo mejor para tu móvil. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists