Table 13-1. Privilege account hierarchy

| Account Category | Example | Main Security Threat | Access Control Method |
|---|---|---|---|
| App account | DB account with execute, select on schema account objects | Read on sensitive data | AIM-non-human |
| Schema account | HR schema with objects | Tampering with objects; access to key to decrypt CC numbers | AIM-non-human |
| User management | Support desk account using a user-management system in PL/SQL | Change DBA's password and log on as them | Human individual |
| Individual DBA | "Mydba" DB account in sys.user$ with cut down DBA role (remove alter user) | Escalate privilege, through SYSTEM, for instance (see following example) | Human individual |
| Shared SYS | SYS in the orapw Oracle password file | Modify SYS dictionary; access to DB enc key | EPV automated control |
| Individual OSDBA (DBA Unix group) | wrightp in /etc/passwd | Modify SYS dictionary; access enc key in OS wallet | Human individual |
| "oracle" | "oracle" | Modify software install, to install backdoor | EPV automated control |
| "root" | "root" | Complete OS | EPV automated control; Foxt KEoN et al. |
| Physical human access to the machine | Datacenter administrator | Complete system | CCTV, ID card, security guard, metal door, roof and floors, etc. |
This table can be seen as a ladder of privilege authorization that can be elevated through either legitimate
approval or directly escalated without approval.
Privilege Escalation
Privilege escalation is the unauthorized gaining of greater privilege: in other words, moving between the groups listed
in the previous table when authorization does not already exist. This is different from authorized privilege elevation.
Here is an interesting example of privilege escalation where a low-privileged user creates an index on the PUP
(PRODUCT_USER_PROFILE) table, thus gaining SYSTEM privilege. The PUP is normally set up by default, but run this
script if it isn't:
@?/sqlplus/admin/pupbld.sql
INSERT INTO PRODUCT_USER_PROFILE VALUES ('SQL*Plus', 'TEST', 'MODIFY', NULL, NULL, 'DISABLED', NULL, NULL);
A user who will then escalate their privileges is set up as follows:
create user test identified by o;
grant create session, create procedure, create any index to test;
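The escalation path described above depends on two conditions a DBA can see in the data dictionary: a non-privileged user holding CREATE ANY INDEX, and an index on a SYSTEM-owned table that SYSTEM did not create. The following queries are an added, defender-side example written for this page; they are not from the book. They use only standard Oracle dictionary views (DBA_SYS_PRIVS, DBA_INDEXES, DBA_OBJECTS) and traditional auditing syntax, and must be run by a user with SELECT on the DBA_* views (for example, a separate audit account, not SYS).

```sql
-- Added example (not the book's code): checks for the preconditions of the
-- CREATE ANY INDEX escalation shown above, run as an account that can read
-- the DBA_* views.

-- 1. Who holds CREATE ANY INDEX? Every grantee here can build indexes in
--    schemas they do not own, including SYSTEM's PRODUCT_USER_PROFILE.
--    In the worked example the user TEST would appear in this list.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
ORDER  BY grantee;

-- 2. Indexes on SYS- or SYSTEM-owned tables whose owner is not the table
--    owner. A clean database should return no rows; an index owned by TEST
--    on SYSTEM.PRODUCT_USER_PROFILE is what the example above leaves behind.
--    DBA_OBJECTS supplies the creation timestamp for triage.
SELECT i.owner       AS index_owner,
       i.index_name,
       i.table_owner,
       i.table_name,
       i.index_type,
       o.created
FROM   dba_indexes  i
JOIN   dba_objects  o
       ON  o.owner       = i.owner
       AND o.object_name = i.index_name
       AND o.object_type = 'INDEX'
WHERE  i.table_owner IN ('SYS', 'SYSTEM')
AND    i.owner <> i.table_owner
ORDER  BY o.created DESC;

-- 3. Record future occurrences. Traditional (pre-unified) auditing is
--    assumed here, with AUDIT_TRAIL set to DB or DB,EXTENDED; INDEX covers
--    CREATE/ALTER/DROP INDEX and SYSTEM GRANT covers new system privilege
--    grants such as the one in the setup step above.
AUDIT INDEX BY ACCESS;
AUDIT SYSTEM GRANT BY ACCESS;
```

Run queries 1 and 2 from a scheduled job and diff the results against a baseline; a new row in either is the signal to investigate, because both the grant and the foreign-owned index precede the actual abuse of SYSTEM. Query 2 is deliberately broad and may surface legitimate objects on some installations, so review hits rather than dropping them automatically.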