Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS

Three Tier Oracle Security in London ~ Paul M. Wright RSS Feed
 
«
»

JAVA$POLICY$ Past Exploitation Check

Hello Oracle Security interested folks,

Firstly thanks to Oracle for referencing my Oracle Wallet article on www.oracle.com as well as the interesting comments from our readers. This blog has become quite popular so thank you for your support.

I have some excellent news as my company has been selected as a Channel Partner for Sentrigo covering the South East of England. Some of you may be aware that I have already successfully deployed the Hedgehog solution within the financial services sector in London over the past 2 years.
Reliable, low resource consuming, host-based DB/Application monitoring has been the holy grail for the last decade and is provably with us in the form of Sentrigo Hedgehog. Effective DB/App security has to be host-based and Sentrigo’s is the best host-based agent because they specialise in this technology. Further details can be provided to backup this assertion by emailing myself at paulmwright@oraclesecurity.com

So.. here is a simple query for finding user accounts which have had their Java privileges escalated and then the user has subsequently been dropped:

select * from JAVA$POLICY$ where grantee# in (select grantee# from sys.JAVA$POLICY$ minus select user# from sys.user$);

If this check returns a resultset it is potentially indicative of historic Java exploit testing in the DB… more in-depth information to come on Java Security at ISSD.

Cheers,
Paul

April 25th, 2010 | Category: Uncategorized | Subscribe to comments | Leave a comment | Trackback URL

2 Responses to “JAVA$POLICY$ Past Exploitation Check”

  1. 1
    Don:
    April 27th, 2010 at 6:15 PM

    Thanks for this Paul. This is the list of users that have been deleted that also had Java privileges.
    How does that give us a history of past exploitation?

  2. 2
    Paul Wright:
    April 29th, 2010 at 2:20 PM

    Hi Don,
    If DB users were to test the Java exploitation code in Oracle the normal process would be to create a test user, escalate it and then drop the user so that it can ascertained if the exploit works using this test account, but without leaving evidence of this testing. This would usually be on a dev box. The idea is that the exploit has been tested but no evidence of that fact left behind. HOWEVER, historic privileges of dropped users are still recorded in JAVA$POLICY$ as first pointed out at this blog entry http://www.oracleforensics.com/wordpress/index.php/2010/03/31/java-forensics-in-oracle/ . The other potential scenario is the privs are granted and then revoked from the attacker’s account. These grants for existing users are recorded as well of course but that is easily viewable in DBA_JAVA_POLICY view.
    Cheers,
    Paul

Leave a Reply

You must be logged in to post a comment.