Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


CREATE USER to SYSDBA

San Francisco and speaking at RSA Moscone was a great experience, and being invited to Oracle’s head office in Redwood for a tour and to talk security was an unexpected highlight of the trip. Oracle’s head office is a pleasant excursion with a lake and growing bird sanctuary. One reason for the visit was to discuss and gain permission for publishing my new paper, which is entitled “CREATE USER to SYSDBA”. It details a novel method for a user to escalate their privileges by overriding a SYS package with their own package via the CREATE USER system privilege, using a bug that I came across. The CREATE USER system privilege is commonly held by support/help desk accounts as well as developer/application accounts, which would be less well secured and less privileged than the SYS account, and should therefore be kept separate. DBAs, devs and security folks should therefore pay heed to the best practices in this paper.

There are quite a few medium-level system privilege escalations to SYSDBA in Oracle, but what made this one interesting is that it is a good example of an attack that can be alerted to by a host-based system like Sentrigo Hedgehog (HH) but not by traditional network-based systems. HH already has the advantage of being able to alert on SSH’d sessions and of having an audit trail that is non-modifiable by a user that has gained SYSDBA, but crucially HH is not fooled by namespace overriding or attempts to bypass rules via synonyms, as it knows the actual identity of the objects that are called underneath the SQL query. Anyway, the paper has example PoC code, HH rules and forensic response, just like the previous CREATE ANY DIRECTORY to SYSDBA paper.
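As an added illustration (not taken from the paper), the following query lists every database account that can exercise the CREATE USER system privilege, whether granted directly or inherited through nested roles, so that help desk and application accounts holding it can be reviewed. It assumes the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views are readable; excluding SYS and SYSTEM from the output is a choice made for this example.

```sql
-- Added example: who can exercise CREATE USER, and through which grant chain?
-- Run as an account with SELECT on the DBA_* dictionary views.
SELECT u.username,
       u.account_status,
       g.grant_path
FROM   dba_users u
JOIN  (
        -- Walk from the privilege down through every role that carries it.
        SELECT grantee,
               SYS_CONNECT_BY_PATH(granted, ' <- ') AS grant_path
        FROM  (
                -- Edge type 1: the privilege itself, granted to a user or role
                SELECT grantee, privilege AS granted, 'PRIV' AS kind
                FROM   dba_sys_privs
                WHERE  privilege = 'CREATE USER'
                UNION ALL
                -- Edge type 2: a role granted to a user or to another role
                SELECT grantee, granted_role, 'ROLE'
                FROM   dba_role_privs
              )
        START WITH kind = 'PRIV'
        CONNECT BY PRIOR grantee = granted
               AND kind = 'ROLE'
      ) g ON g.grantee = u.username          -- keep users, drop intermediate roles
WHERE  u.username NOT IN ('SYS', 'SYSTEM')   -- assumption: built-in owners reviewed separately
ORDER  BY u.username, g.grant_path;
```

A grant of CREATE USER to PUBLIC does not show up here because PUBLIC is not a row in DBA_USERS; check DBA_SYS_PRIVS for that grantee separately.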

I have another paper entitled “CREATE PUBLIC SYNONYM to SYSDBA” in the pipeline, which will debut as part of the new SANS DAMS course I am writing and teaching in my spare time. Will hopefully be able to give a preview of this at UKOUG 2009 and at Openworld as well. It would be good to give my regards to Mr Moscone again.

Walking over the Golden Gate bridge provides a wonderful view of the Bay, and I can recommend the Cliff House Restaurant south of the Bridge towards Golden Gate Park, for a cracking view of the Pacific.

Cheers,
Paul
