A new type of OLAP DML injection attacks-vulnerability warning-the black bar safety net

ID MYHACK58:62201566250
Type myhack58
Reporter 佚名
Modified 2015-08-27T00:00:00


For using the DBMS_AW, the OLAP_TABLE or any OLAPthe function of the Oracle OLAP application, it will be faced with a new type of injection threats. In the final analysis, this is due to the SQL and the OLAP DML the syntactic differences between the leading. The end result is that an attacker can use this to higher privileges to execute arbitrary SQL operation. 0x01 the introduction Online analytical processing(OLAP)is typically used to query Multidimensional Data. In Oracle, you can create an analytic workspace(Analytic Workspace)to store pending analysis of the data, calculate formulas and models and other computing objects and to perform analysis of various programs. Here, the calculation objects and programs are using the OLAP DML to write. Note that the OLAP DML is different from SQL, because they have different syntax. For example, in SQL,--for single-line comments,/*/for multiline comments. While the OLAP DML in the comments is to use double quotation marks"to represent. A semicolon(;)can be used to separate a single line on each of the OLAP DML command, and a command is split into two rows when you use a single minus sign as a line-continuation character. The OLAP DML from SQL perform, but need the help of the received OLAP DML interface. This includes DBMS_AWPL/SQL package, the OLAP_TABLE function, as well as other OLAP functions such as OLAP_CONDITION and OLAP_EXPRESSION it. In addition, there are many OLAP DML commands and functions, as well as some SQL command series can also be obtained from the OLAP DML to perform. 0x02 OLAP DML injection attacks This article describes a new injection attack, the main appears on the user's input is passed to the OLAP function or the DBMS_AW package. Even if the input for the SQL that is legitimate, even using a constraint variable, this risk still exists. Basically, the attacker can be any SQL statement embedded in an OLAP DML statement, and to the high privileges to perform it. The following gives a practical example. DROP_AW_ELIST_ALL Oracle provides a stored procedure, the corresponding code is as follows: ! ! Here we can see that DBMS_ASSERT is used to ensure that in"MYSCHEMA"and the"AWNAME"the two user-supplied parameters are not embedded SQL. Once verified, they will be passed to the stored procedure DBMS_AW. EXECUTE, and execute the OLAP DML command"AW ATTACH" to. But we still can to this call“entrained”into any OLAP DML command, the method is to use double quotation marks to enclose a forged AWNAME, and the semicolon followed by another command. In the following example, we execute the OLAP DML command SQL PROCEDURE, it will incidentally perform a PL/SQL stored procedure, this example is DBMS_OUTPUT. PUT_LINE。 ! Please note that the above output of SYS. A further example is in DBMS_AW. AW_ATTACH this stored procedure is found. In fact, the DBMS_AW most of the stored procedures and functions have this security vulnerability. DBMS_AW. AW_ATTACH in obtaining the AW name, which is passed to the GEN_DBNAME (a). GEN_DBNAME()function will use the DBMS_ASSERT. QUALIFIED_SQL_NAME()on the AW name is checked to validate the input legitimacy. Similarly, here the attacker can also be entrained to any of the OLAP DML, and from here execute the SQL. ! In the above attack by using double quotation marks, the attacker can bypass DBMS_ASSERT. QUALIFIED_SQL_NAME input validation. Don't forget, the OLAP DML will also see the double quotes, and treated as a comment character. Then, the attacker can provide a hyphen, so it can be an OLAP DML command AW ATTACH is divided into two rows. Then followed by a semicolon, so the attacker will be able to perform the subsequent OLAP DML command in this example is to call the SQL PROCEDURE, and then with a double-quote ends. As a result, the user's input is not only bypassing DBMS_ASSERT. QUALIFIED_SQL_NAME, the OLAPDML will also be treated as a comment symbol. When processing the OLAP_TABLE function, if there is any user input is passed to the third argument, which was to receive an OLAP DML command, or is passed to the fourth parameter of the LIMIT_MAP, then the attacker can execute any OLAP DML. Here we have a specially designed examples to be described. Below the first few lines of code, just to demonstrate the security issues and do some simple setup work: ! Here, we would like to in a view using the OLAP_TABLE, and from a named XLNAME analysis the workspace variable is read into the LIMIT_MAP it. Even if the user does not have write AW's permission, they can still modify their own private copy. This private copy can be used for the AW object access. Therefore, if the user DAVID connected and sent the following, he will be able to rewrite the XLNAME, which directly affect the OLAP_TABLE parameters LIMIT_MAP it. The use of keywords PREDMLCMD, DAVID can execute any OLAP DML command. ! Note that, the above SYS_CONTEXT('USERENV','CURRENT_USER')as a function of the output of DAVID. This indicates that the OLAP DML, and later, the SQL commands are based on the current user's identity to perform, rather than to the view of the owner of the identity to perform. In order to take advantage of this to get higher permissions, the user DAVID will need this view transfer to one with definer rights PL/SQL package or can operate on any data table of the storage process. Practical examples are many, but for ease of explanation, we designed the example relates to SELECT_FROM_TABLE, here is the stored procedure owner is SYS: ! 0x03 summary If the developer in the PL/SQL package using the DBMS_AW, a stored procedure or function using the definition of those permissions, and the user input is passed to the DBMS_AW, then, even if the input content by the SQL level of validation, or even the use of a constraint variable, the attacker can still execute any OLAP DML command, and based on a PL/SQL package owner of the identity from any of the SQL execution. Similarly, if the developer in use definer rights PL/SQL package using the OLAP_TABLE or any other OLAP functions, then the attacker can use the user input to launch a similar attack. If the OLAP_TABLE is used in the view, and the view can be like the example above, that allow then to be dealt with, at the same time through the PL/SQL package to access this view, then the same will suffer a similar injection attack. An OLAP application developer must to all user input is carefully checked to ensure that the user input does not“entrain”any OLAP DML command. For this purpose, usually need to reject anything containing hyphens, double quotes, or the semicolon of content, of course, this also taking into account the specific application of the special case.