Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Securing Java in Oracle Update and escalating to SYSDBA

Updated Securing Java in Oracle paper here.

David’s work has drawn attention:
http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html
http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1
etc.
What the reports miss is that this also affects 10.2.0.4.3, and significantly so.

Oracle have provided some guidance in the absence of a patch:

- revoke execute on "oracle/aurora/util/Wrapper" from public;
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
- revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

Of course the problem is knowing what effect these privilege changes will have before making them. Most organisations either accept the risk of the change breaking functionality or decide to stay as they are. What is needed is a low-risk method of evaluating the effect of the change before it is made. That is exactly the subject of my updated Securing Java in Oracle paper, which describes using Database Application Monitoring Systems to profile application behaviour prior to applying the fix, so that the effect can be predicted and the risk lowered.
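As an added example (not from this post or from Oracle’s advisory), the following SQL*Plus script profiles the four grant changes above before they are made: it lists who currently holds the affected grants, finds stored code that statically depends on DBMS_JVM_EXP_PERMS, and audits actual executions of the package so that callers who only reach it via PUBLIC show up before EXECUTE is revoked. It assumes a DBA-level session and that the standard audit trail is written to the database (AUDIT_TRAIL=DB); the Java class is covered only by the grant listing, since its callers do not leave dependency rows.

```sql
-- Added example: pre-change grant and usage profile for the Oracle workaround.
-- Assumes SQL*Plus, AUDIT_TRAIL=DB and a DBA-level account.

-- 1. Who currently holds the grants the workaround changes?
--    PUBLIC should appear here before the fix and be gone afterwards.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'oracle/aurora/util/Wrapper')
 ORDER BY table_name, grantee;

-- 2. Stored PL/SQL that statically references DBMS_JVM_EXP_PERMS is
--    invalidated when its owner loses EXECUTE via PUBLIC: review this first.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'DBMS_JVM_EXP_PERMS'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- 3. Dynamic callers (EXECUTE IMMEDIATE, JDBC, ad hoc sessions) leave no
--    dependency row, so audit executions over a representative period.
AUDIT EXECUTE ON sys.dbms_jvm_exp_perms BY ACCESS;

-- 4. After the observation window: distinct callers and their outcomes.
--    Any account listed that is not EXP_FULL_DATABASE / IMP_FULL_DATABASE
--    (or granted directly) will break once EXECUTE is revoked from PUBLIC.
SELECT username, os_username, userhost,
       COUNT(*)       AS calls,
       MIN(timestamp) AS first_call,
       MAX(timestamp) AS last_call,
       SUM(CASE WHEN returncode = 0 THEN 1 ELSE 0 END) AS succeeded
  FROM dba_audit_trail
 WHERE owner       = 'SYS'
   AND obj_name    = 'DBMS_JVM_EXP_PERMS'
   AND action_name = 'EXECUTE PROCEDURE'
 GROUP BY username, os_username, userhost
 ORDER BY calls DESC;

-- 5. Once the workaround has been applied, stop auditing and re-run step 1
--    to confirm PUBLIC no longer holds EXECUTE on either object.
NOAUDIT EXECUTE ON sys.dbms_jvm_exp_perms;
```

Accounts surfaced by step 4 are the ones to grant EXECUTE directly (or via the two roles) before the revoke from PUBLIC, which is the change-impact prediction the paper describes doing with a DAMS.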

Different subject… I have been interested in the difference between DBA account privileges and SYSDBA account privileges for a while. There are a few listed here http://www.oracleforensics.com/wordpress/index.php/2008/09/16/sysdba-specific-privileges/.
One of the reasons it interests me is that any DBA can gain SYSDBA quite trivially: not by direct grant, and not by shifting the SYSDBA bit in memory, but simply by changing the SYS password via ALTER USER SYS IDENTIFIED BY NEWPASSWORD; which any user holding the ALTER USER system privilege can do. This makes any DBA escalation a SYSDBA escalation, so why increasingly differentiate their privileges?
There is a safeguard against ALTERing SYS’s password, but it can be bypassed by using the GRANT method of changing a user’s password, as Alex describes at http://blog.red-database-security.com/2010/02/24/how-to-prevent-a-user-granted-the-alter-user-privilege-from-changing-syssystem-password-and-how-to-bypass-it/.

Additionally, by using the Java API in Oracle it is possible to call the OS as the oracle OS user, so commands such as orapwd can be invoked, which allow the SYS password to be changed to a given value. More detail on this at a later date, but suffice it to say that Securing Java in Oracle should be given high priority due to its highly privileged access to the OS from low-privileged DB accounts.

I will be presenting on the subject of Securing Java in Oracle both via the SDLC and using DAMS at the ISSD conference in May http://www.issdconference.com/index.php?option=com_content&view=article&id=161. See you there.

Cheers,
Paul
