[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20060728201353.90629.qmail@web55704.mail.re3.yahoo.com>
Date: Fri, 28 Jul 2006 13:13:53 -0700 (PDT)
From: Russell Lowenthal <perpetualv@...oo.com>
To: rjamya <rjamya@...il.com>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
hasecorp@...mail.com
Subject: Re: Oracle 10g R2 and, probably,
all previous versions
Doh! Busted right back! Now I get the same results
(assuming I grant the user alter session of course -
if the user doesn't have alter session I get the
privilege error).
Thanks Raj!
--- rjamya <rjamya@...il.com> wrote:
> Russell,
>
> you have a syntax error, you need a comma before
> LEVEL.
>
> Raj
>
> On 7/28/06, Russell Lowenthal <perpetualv@...oo.com>
> wrote:
> > Interesting comment. So if I understand what you
> are
> > saying I should be able to create a user:
> >
> > SQL> create user nottoosmart identified by
> > d0ntkn0wmuch;
> >
> > User created.
> >
> > SQL> grant create session to nottoosmart;
> >
> > Grant succeeded.
> >
> > SQL> connect nottoosmart/d0ntkn0wmuch
> > Connected.
> > SQL> alter session set events '10046 trace name
> > context forever level 16';
> > ERROR:
> > ORA-01031: insufficient privileges
> >
> > Hmm - would you mind posting your EXACT test case?
> I
> > ran this against a 9.2.0.7, 10.2.0.1 and 10.2.0.2
> > database and seem to get different results then
> you
> > are seeing. Just for the heck of it I went ahead
> and
> > granted the user alter session privileges:
> >
> > SQL> conn / as sysdba
> > Connected.
> > SQL> grant alter session to nottoosmart;
> >
> > Grant succeeded.
> >
> > SQL> connect nottoosmart/d0ntkn0wmuch
> > Connected.
> > SQL> alter session set events '10046 trace name
> > context forever level 16';
> > ERROR:
> > ORA-02194: event specification syntax error 230
> (minor
> > error 215) near 'LEVEL'
> >
> > so even a user that I've purposely given
> privileges to
> > alter their own session doesn't seem to be able to
> do
> > anything with this command.
> >
> > So far I have to call this myth: Busted
> >
> > ---Original message----
> > I can't believe it. Oracle releases new patches
> and
> > they have not been solved one of the main
> problems: A
> > user with only the SELECT privilege can do
> WHATEVER
> > (S)HE WANTS WITH THE ENTIRE DATABASE!!!!
> >
> > I'm not sure if is time to full disclosure it but,
> > anyway, I will "full disclosure" one inocent
> issue, an
> > integer overflow:
> >
> > Example:
> > --Connect with any user with only CREATE SESSION
> > SQL> alter session set events '10046 trace name
> > context forever, level
> > SQL> 16';
> >
> > Session altered.
> >
> > SQL> alter session set events
> >
>
'10046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004610046100461004
> >
>
61004610046100461004610046100461004610046100461004610046100461004610046100461004610046trace
> > name context forever, level 16';
> > ERROR:
> > ORA-00600: internal error code, arguments: [300],
> > [985], [], [], [], [], [], []
> >
> >
> > It's not even a crash but (be sure) that there are
> > other "combinations" that makes it vulnerable to
> > integer overflows allowing the execution of
> arbritrary
> > code.
> >
> > PD: Hello Mary Ann! Are you on holidays?
> >
> >
>
_________________________________________________________________
> > Grandes éxitos, superhéroes, imitaciones, cine y
> TV...
> >
> > http://es.msn.kiwee.com/ Lo mejor para tu móvil.
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam? Yahoo! Mail has the best spam
> protection around
> > http://mail.yahoo.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
>
http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia -
> http://secunia.com/
> >
>
>
> --
> ----------------------------------------------
> Got RAC?
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists