Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed
 

SYSDBA Specific Privileges

I mentioned a while ago about this SYSDBA privilege escalation
http://www.pythian.com/blogs/388/exploiting-sysdba-invoker-rights-using-trigger-on-database. There have been some subsequent comments made that SYSDBA is effectively the same as DBA and so what is the difference i.e. DBA to SYSDBA privilege escalation is not a concern. That got me thinking about the differences between DBA and SYSDBA as they are quite interesting and illustrate Oracle’s thinking about security. These following actions cannot be made by a DBA but can be made by a SYSDBA.

-start and stop db. This is well known.

-PURGE DBA_RECYCLEBIN.
Yes to PURGE the DBA_RECYCLEBIN you have to be SYSDBA..hmm..

-select x$ tables such as those needed to read who is actually a SYSDBA (with high certainty).
SQL> SELECT * FROM X$KZSRT;
ADDR INDX INST_ID USERNAME SYSDBA SYSOPER VALID
---- ---- ------- --------- ------ ---------- -------
05A1C0B0 0 1 INTERNAL 1 1 1
05A1C0B0 1 1 SYS 1 1 1
05A1C0B0 2 1 SYSMAN 1 0 1

-select SYS.USER_HISTORY$. This is an interesting one as the history of user’s password hash can be cracked over time and if the user has adopted an algorithm that increments with each new password e.g. passw0rd1, passw0rd2, passw0rd3 then this will be shown from USER_HISTORY$ and future passwords predicted. Only SYSDBA can select from from this table.

-use DBMS_CRYPTO. In 10gr2 the strongest crypto is produced using DBMS_CRYPTO which is only accessible by SYSDBA not the DBA.

-GRANT SYSDBA. Of course only a SYSDBA can grant SYSDBA…Unless of course a user can find a SYSDBA privilege escalation…. perhaps the difference between DBA and SYSDBA is more important than first meets the eye!
There are quite a few security differences between SYSDBA and DBA… can you think of others?
Cheers,
Paul

2 Responses to “SYSDBA Specific Privileges”

  1. 1
    SvenVetter:

    Hi Paul

    With Oracle 11g exists a new feature called “Fine-Grained Access for Network callouts”. This controls the usage of 5 packages:
    - utl_tcp
    - utl_smtp
    - utl_mail
    - utl_http
    - utl_inaddr

    A nice feature ;-) but you have to install XDB :-(

    Without XDB only a sysdba can use this packages.

    Greetings
    Sven

  2. 2
    Paul Wright:

    Hello Sven,
    That’s interesting thanks for the extra information.
    I also had this classic bug in mind with regards to the difference between SYSDBA and DBA.
    http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/
    Of course an extra “privilege” between the SYSDBA and DBA is the privilege to logon withouth checking the password in SYS.USER$. See my new posting for a few gotchas connected to this fact.

Leave a Reply

You must be logged in to post a comment.