Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
SQL> sho user
USER is "GAOPTEST"
SQL> grant all on directory OPATCH_SCRIPT_DIR to gaoptest;
grant all on directory OPATCH_SCRIPT_DIR to gaoptest
*
ERROR at line 1:
ORA-01749: you may not GRANT/REVOKE privileges to/from yourself
SQL> grant all on directory OPATCH_SCRIPT_DIR to public;
Grant succeeded.
SQL> grant all on directory OPATCH_SCRIPT_DIR to gaoprole;
Grant succeeded.
These two bypassed controls combined mean that GAOP can grant itself EXECUTE privileges on pre-existing
directories in 12c. This enables GAOP to run OS commands as the Oracle software owner using a method similar to
the previous ADVISOR escalation, with the addition that GAOP can also grant itself alter privileges on currently existing
non-SYS external tables.
Three security faults combine to allow the escalation:
Directories and external tables are left in the GA release.
GAOP can grant to itself.
GAOP can grant to critical SYS objects, i.e., directories.
It appears that when object privileges were added to directories in 11g they were accidentally included
within GAOP's remit. Note that libraries, Java classes, synonyms, and DB links have not previously been included in GAOP's
remit, so it appears DB directories are a one-off here, thankfully. The problem is that directories are
probably the most sensitive of these objects and are pre-existing in the current 12c release. It only takes one method of escalation to
make the DB insecure.
Junior DBA roles will usually include wide read via SELECT ANY DICTIONARY, so the previous escalation via
qopiprep.bat is a feasible escalation route with GAOP as well.
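The three faults above can be checked for from a DBA account with the following queries, added here as an example and not taken from the book. The directory name OPATCH_SCRIPT_DIR comes from the session above; everything else relies only on the standard data dictionary views, and the role check covers one level of role nesting only.

```sql
-- 1. Who holds GRANT ANY OBJECT PRIVILEGE, either directly or via a role?
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'GRANT ANY OBJECT PRIVILEGE'
UNION ALL
SELECT rp.grantee, 'ROLE ' || rp.granted_role AS via
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'GRANT ANY OBJECT PRIVILEGE';

-- 2. Directory privileges granted to PUBLIC, or granted by someone other
--    than the directory owner: the signature of the self-grant shown above.
SELECT tp.grantee, tp.privilege, tp.grantor,
       d.directory_name, d.directory_path
  FROM dba_tab_privs   tp
  JOIN dba_directories d
    ON d.owner = tp.owner
   AND d.directory_name = tp.table_name
 WHERE tp.grantee = 'PUBLIC'
    OR tp.grantor <> d.owner
 ORDER BY d.directory_name, tp.grantee;

-- 3. Non-SYS external tables and the directories they read from, since
--    GAOP can also grant ALTER on these.
SELECT owner, table_name, default_directory_owner, default_directory_name
  FROM dba_external_tables
 WHERE owner <> 'SYS'
 ORDER BY owner, table_name;

-- 4. Undo the PUBLIC grant made in the session above.
REVOKE ALL ON DIRECTORY OPATCH_SCRIPT_DIR FROM PUBLIC;
```

Any row returned by query 2 whose grantor is not SYS deserves a look at the audit trail for the GRANT statement that created it.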
Note
As well as directories, GAOP has the ability to grant itself privileges on SYSTEM objects that control DB security,
such as the Product User Profile, or PUP. For example, a user holding GAOP can alter the PUP as shown:
SQL> grant all on system.PRODUCT_USER_PROFILE to gaoptest;
grant all on system.PRODUCT_USER_PROFILE to gaoptest
*