Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed
 

DBMS_ASSERT bypass solution

DBMS_ASSERT is Oracle’s builtin input validation package and was introduced in 10gR2 and backported via the CPUs to vulnerable 10gR1 packages.
This has been documented at http://www.oracle-base.com/articles/10g/dbms_assert_10gR2.php as well as http://www.ngssoftware.com/papers/DBMS_ASSERT.pdf.
Unfortunately the package was implemented erroneously in some instances because the input validation could be bypassed by enquoting the input with double quotes.
http://www.red-database-security.com/wp/bypass_dbms_assert.pdf.
One alternative to using DBMS_ASSERT is using bind variables in the SQL string instead of concatenating input in directly.
http://archive.cert.uni-stuttgart.de/bugtraq/2006/07/msg00500.html
This is a good solution as Bind variables will normally reduce the performance hit of the query as well as eliminating the chance of SQL injection when properly employed.

The main problem with Bind variables is that they cannot be used with DDL statements such as ALTER. Therefore there are some situations where DBMS_ASSERT needs to be used.

It would be useful to be able to use DBMS_ASSERT in a way that could validate input but not be bypassed by enquoting “input”. The ENQUOTE_NAME procedure is good for this as seen below.

quotedInput := SYS.DBMS_ASSERT.ENQUOTE_NAME(input);
nonQuotedInput := REPLACE(quotedInput,'"','');
validatedInput := DBMS_ASSERT.simple_sql_name(notQuotedInput);

This should be of use where bind variables are impossible.

Best Regards,
Paul

Leave a Reply

You must be logged in to post a comment.