


Category:   Application (Database)  >   Oracle Database
Vendors:   Oracle
Oracle Database Lets Remote Authenticated Low Privilege Users Make Unauthorized Modifications on a Base Table
SecurityTracker Alert ID:  1015886
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 10 2006
Impact:   Modification of user information
Vendor Confirmed:  Yes  
Version(s): -
Description:   A vulnerability was reported in Oracle. A remote authenticated user can make unauthorized changes to the database contents.

A remote authenticated user with 'SELECT' privileges on a base table can insert, update, and delete data from the table by creating or using a specially crafted view.

The specific impact on a database application depends on the application's design.

The vendor disclosed this vulnerability on April 6, 2006.

Impact:   A remote authenticated user with SELECT privileges can modify a base table.
Solution:   No solution was available at the time of this entry. The vendor is working on a fix.
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] Oracle read-only user can insert/update/delete

Hello Full Disclosure

Last Thursday 6th April 2006, Oracle released a note on the Oracle
knowledgebase Metalink with details about an unfixed security
vulnerability (=0day) and a working test case (=exploit code) which
affects all versions of Oracle from to This note
"363848.1 - A User with SELECT Object Privilege on Base Tables Can
Delete Rows from a View" was available last week to Metalink customers.
The note was also displayed in the daily headlines section of the
That's why this information can be assumed as public knowledge and
DBAs/Developers who missed the note on Metalink should know this
vulnerability in order to avoid/mitigate the risk (if possible) whilst
waiting for a patch from Oracle.

After noticing the note, I informed Oracle secalert that releasing such
information on Metalink is not a wise idea. Oracle normally criticises
individuals and/or companies for releasing information about Oracle
vulnerabilities (like David Litchfield from NGSSoftware for releasing
information on a never-fixed bug in the mod_plsql gateway). In this case,
not only Oracle released detailed information on the vulnerability; they
also included the working exploit code on the Metalink. 

In an interview a few months ago, the Oracle CSO stated:  "I've known
customers to terminate contracts ... for releasing exploit code... you
might get applause from hackers... but business will not pay you to slit
their throats. With knowledge comes responsibility." 

After my email, Oracle removed the note from Metalink. 


In Oracle versions ( exists an unpatched vulnerability
which allows users with "SELECT" only privileges on a base table to
insert/update/delete data via a specially crafted view.

The impact of this vulnerability on the Oracle data dictionary is low
because most data dictionary tables don't have a primary key which is a
requirement for this vulnerability.

The impact on custom applications can be huge and eliminate the entire
role concept because in well designed applications there is normally a
read-only role for low-privilege users (e.g. reporting or external
auditors). If these low-privileged users are able to create a view,
which is standard in Oracle 9.2.x to 10g R1, they could also insert,
update and delete data via a specially crafted view. Depending on the
architecture, it is possible to modify data, escalate privileges, ...

Test cases:

Oracle provided a complete test case in note 363848.1. I decided not to
publish such code on the internet as long as patches are not available.
If you need additional information you could contact me via email. A
test case (without the specially crafted view) is available on my


Currently there are no patches available. According to Oracle secalert
Oracle will provide patches in a future critical patch update.
Red-Database-Security is not convinced that the April 2006 CPU will
contain patches against this vulnerability.

Workarounds / Risk Mitigation:

Sanitize the connect role (9i - 10g R1) and remove the CREATE VIEW (and
CREATE DATABASE LINK, ...) privilege from the connect role. 
Removing the primary key from the base table solves the problem too. Be
aware that this could cause performance and integrity issues on the

Oracle recommends creating views with the option "WITH CHECK OPTION". This
recommendation helps against accidental modification but not against


Special thanks to Jens Flasche who made Red-Database-Security aware of
the Metalink note and for the first analysis + additional test cases.


Interview: Oracle CSO - Mary Ann Davidson

Metalink Hacking


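An audit query for the three exposure conditions described above (SELECT-only access to a base table, the ability to create a view, and a primary key on that table), added here as an example; it is not from Oracle's note, SecurityTracker, or the original message. It assumes a DBA account and Oracle 10g or later, and it does not consider ANY-type system privileges, so highly privileged accounts may appear in the output.

```sql
-- Added audit example (not from the advisory). Read-only; run as a DBA.
-- CONNECT_BY_ROOT requires Oracle 10g or later.
WITH effective AS (          -- each account mapped to itself, PUBLIC, and
  SELECT username AS usr, username AS grantee FROM dba_users
  UNION
  SELECT username, 'PUBLIC' FROM dba_users
  UNION                      -- every role reached through nested grants
  SELECT CONNECT_BY_ROOT grantee, granted_role
  FROM   dba_role_privs
  CONNECT BY PRIOR granted_role = grantee
),
view_creators AS (           -- condition 1: can create a view
  SELECT DISTINCT e.usr
  FROM   effective e
  JOIN   dba_sys_privs sp ON sp.grantee = e.grantee
  WHERE  sp.privilege IN ('CREATE VIEW', 'CREATE ANY VIEW')
),
dml_privs AS (               -- object privileges, direct or via a role
  SELECT DISTINCT e.usr, tp.owner, tp.table_name, tp.privilege
  FROM   effective e
  JOIN   dba_tab_privs tp ON tp.grantee = e.grantee
  WHERE  tp.privilege IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
)
SELECT d.usr AS account, d.owner, d.table_name
FROM   dml_privs d
JOIN   dba_users u      ON u.username = d.usr      -- accounts only, not roles
JOIN   view_creators v  ON v.usr = d.usr
JOIN   dba_constraints k                           -- condition 3: primary key
       ON  k.owner = d.owner
       AND k.table_name = d.table_name
       AND k.constraint_type = 'P'
WHERE  d.usr <> d.owner
GROUP  BY d.usr, d.owner, d.table_name
-- condition 2: SELECT is the only one of the four privileges held
HAVING MIN(d.privilege) = 'SELECT' AND MAX(d.privilege) = 'SELECT'
ORDER  BY d.usr, d.owner, d.table_name;

-- Workaround named in the message, to apply after review:
-- REVOKE CREATE VIEW FROM CONNECT;
```

Each returned row is an account that is meant to be read-only on a keyed table yet can still create views, which is the combination the workaround section aims to eliminate.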

