Title: Oracle exploit through view
Post by Pete Finnigan on Apr 15th, 2006, 7:49am

Hi,

A few days ago Oracle published an exploit on Metalink. Alex Kornbrust published about it and Pete wrote about it on his weblog. The exploit is like this: User A grants select privilege on a table T to user B. User B (which has only create session and create view privilege) creates a view on table A.T and then... user B can delete records from A.T!! I tried this on 10GR2 (Release 10.2.0.2.0; the latest version for Linux) and it works! How to create the view has already appeared on the net so don't underestimate the danger and if possible remove the create view privilege from those users who don't really need it.

Ivan
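The first post recommends removing CREATE VIEW from accounts that do not need it. The following is an added example, not code from the thread or from Oracle, that inventories which accounts actually hold that privilege, directly or through a chain of roles, so the revocation can be targeted. It assumes a DBA session on Oracle 10g or later and uses only the standard dictionary views DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS; the list of excluded built-in schemas is a constructed placeholder to adapt to the instance. Note that the third post in this thread reports the UPDATE variant reproducing without CREATE VIEW, so this inventory narrows the exposure rather than closing it.

```sql
-- Added example (not from the thread): who holds CREATE VIEW, and how?
-- Assumes a DBA-privileged session on Oracle 10g or later.

WITH user_roles AS (
  -- Every role reachable from each grantee, following nested role grants.
  -- Without START WITH every row is a root; the join to DBA_USERS below
  -- keeps only roots that are real user accounts.
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS username,
                  granted_role              AS role_name
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
create_view_holders AS (
  -- Grantees (users or roles) that hold the system privilege directly.
  SELECT grantee
  FROM   dba_sys_privs
  WHERE  privilege = 'CREATE VIEW'
)
SELECT u.username,
       'DIRECT'                      AS how,
       CAST(NULL AS VARCHAR2(30))    AS via_role
FROM   dba_users u
JOIN   create_view_holders h ON h.grantee = u.username
UNION
SELECT ur.username,
       'VIA ROLE'                    AS how,
       ur.role_name                  AS via_role
FROM   user_roles ur
JOIN   create_view_holders h ON h.grantee = ur.role_name
JOIN   dba_users u           ON u.username = ur.username
ORDER  BY 1, 2, 3;

-- A grant to PUBLIC gives the privilege to every account and will not show
-- up per user above; check it separately.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'CREATE VIEW'
AND    grantee   = 'PUBLIC';

-- After review, generate the revocations for direct grants to non-system
-- accounts. The exclusion list is a constructed placeholder; extend it with
-- the Oracle-maintained schemas present on the instance.
SELECT 'REVOKE CREATE VIEW FROM ' || grantee || ';' AS revoke_stmt
FROM   dba_sys_privs
WHERE  privilege = 'CREATE VIEW'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN', 'OUTLN', 'WMSYS', 'XDB', 'PUBLIC')
ORDER  BY grantee;
```

For privilege held through a role, either revoke the role from the user or revoke CREATE VIEW from the role; the first query's via_role column shows which role carries it. Run the inventory again after the change, since role grants added later silently re-introduce the privilege.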
Title: Re: Oracle exploit through view
Post by Pete Finnigan on Apr 25th, 2006, 6:22pm

Hi,

Take a look at: http://andrewmax.blogspot.com/

kind regards,

Ivan
Title: Re: Oracle exploit through view
Post by Pete Finnigan on Apr 27th, 2006, 7:12am

http://andrewmax.blogspot.com/

Just for info, I had a look at the above. I played around with some SQL and have managed to reproduce the UPDATE issue without CREATE VIEW privilege. I haven't got the delete/inserts working but I don't doubt that it is possible.

[Update - I've now got DELETE and INSERT working as well]