Pete Finnigan's Oracle Security Weblog

I just found this page on René Nyffenegger's website. The page is dated 24th January, so it has been there for a week or so. I have not seen anyone else pick up on this yet though, that is not to say theyt have not done so. The page is titled http://www.adp-gmbh.ch/blog/2006/01/24.php - (broken link) On a breakable Oracle and it describes in detail how to exploit the DB18 bug that Imperva found in the TNS / O3Logon process. This is where after verifying the user/password the Oracle client sends strings such as ALTER SESSION SET NLS_LANGUAGE='%s". The guys at Imperva discovered that these strings can be replaced by any other valid string such as GRANT DBA TO PUBLIC. The key to the issue is that in an un-patched system these statements are executed as SYS.

René details a Perl script that uses a Perl proxy that he also provides. He creates an Oracle suer with nothing but CREATE SESSION and then proceeds to grab the packets as they are sent to the database as part of an authorisation. He finds the string ALTER SESSION SET NLS_... and then works out its position in the packet and also the string end identifier. René then presents another perl script that also uses his proxy but this time the Perl script intercepts the packet and replaces the ALTER SESSION SET NLS... with the code to create a new user. He then starts his proxy and injects the code and connects to SQL*plus as his simple user. The trick is then repeated to grant DBA to this user. A final check in the data dictionary confirms that it has worked.

This is quite a complex exploit to demonstrate how this could work. It can be done much more simply.

As René points out in his article, patch immediately!!