Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


CREATE_DIRECTORY

This is the permanent home for the CREATE_DIRECTORY package, which allows controlled creation of Oracle directory objects (the database's handles on OS paths) without granting the calling user CREATE ANY DIRECTORY.
Note this is version 1.1. Thanks to Cristian for input to this.

--CREATES A DIRECTORY IN A SPECIFIC OS LOCATION AND GRANTS PRIVS
-- Definer's-rights package: the owning schema must hold CREATE ANY DIRECTORY,
-- and EXECUTE on the package should be granted only to users allowed to create directories.
CREATE OR REPLACE PACKAGE CREATE_DIRECTORY AS
PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2);
END create_directory;
/
CREATE OR REPLACE PACKAGE BODY CREATE_DIRECTORY AS
PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2) IS
  l_allowed_root CONSTANT VARCHAR2(1024) := '/u01/thisismypath';
  l_exec_string VARCHAR2(1024) := 'CREATE OR REPLACE DIRECTORY ';
  l_directory_name_stripped VARCHAR2(1024);
  l_directory_name_dstripped VARCHAR2(1024);
  l_directory_name_validated VARCHAR2(1024);
  l_directory_validated VARCHAR2(1024);
BEGIN
  -- Strip single and double quotes from the name, then let DBMS_ASSERT
  -- confirm that what is left is a plain SQL identifier
  l_directory_name_stripped := REPLACE(directory_name, '''', '');
  l_directory_name_dstripped := REPLACE(l_directory_name_stripped, '"', '');
  l_directory_name_validated := DBMS_ASSERT.simple_sql_name(l_directory_name_dstripped);
  -- Remove every dot so a ".." component cannot climb out of the allowed root
  l_directory_validated := REPLACE(directory_path, '.', '');
  -- The path must be the allowed root itself or a sub-directory of it;
  -- a bare prefix test would also accept '/u01/thisismypathevil'
  IF l_directory_validated = l_allowed_root
     OR INSTR(l_directory_validated, l_allowed_root || '/') = 1
  THEN
    -- ENQUOTE_LITERAL wraps the path in single quotes and raises an error
    -- if it contains an unpaired single quote, so the path cannot break out of the literal
    l_exec_string := l_exec_string || l_directory_name_validated || ' AS '
                     || DBMS_ASSERT.enquote_literal(l_directory_validated);
    EXECUTE IMMEDIATE l_exec_string;
    -- USER is the calling session's user, even inside this definer's-rights procedure
    l_exec_string := 'GRANT READ, WRITE ON DIRECTORY ' || l_directory_name_validated || ' TO ' || user;
    EXECUTE IMMEDIATE l_exec_string;
  ELSE
    -- Refuse loudly rather than silently doing nothing
    RAISE_APPLICATION_ERROR(-20001, 'Directory path must be under ' || l_allowed_root);
  END IF;
END createdirectory;
END create_directory;
/

EXEC CREATE_DIRECTORY.createdirectory('PAULSDIR2','/u01/thisismypath');

The above code can act as a workaround to granting the CREATE ANY DIRECTORY privilege, especially in light of the vulnerability I first published on, which allows any user with CREATE ANY DIRECTORY to overwrite the password file with a known password file containing an unauthorised SYSDBA account. Because the package runs with definer's rights, only the schema that owns it needs CREATE ANY DIRECTORY; callers need just EXECUTE on the package, and the path check confines every directory they create to the configured root.
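As an added example that is not part of the original post, the grants that put the package in front of the dangerous privilege, two calls showing the path check in action, and two audit queries a DBA can run afterwards to see who still holds CREATE ANY DIRECTORY and which directory objects point outside the allowed root. The schema names DIROWNER and APPUSER and the directory names APPDIR and ETCDIR are assumptions.

```sql
-- Added example, not from the original post. DIROWNER, APPUSER, APPDIR and ETCDIR are assumed names.

-- 1. Only the package owner holds the privilege; the application user gets EXECUTE on the package.
GRANT CREATE ANY DIRECTORY TO DIROWNER;
GRANT EXECUTE ON DIROWNER.CREATE_DIRECTORY TO APPUSER;

-- 2. As APPUSER: a path under the allowed root is created and READ/WRITE is granted back to APPUSER ...
EXEC DIROWNER.CREATE_DIRECTORY.createdirectory('APPDIR', '/u01/thisismypath/app');
-- ... while a path outside the root is rejected by the path check. A traversal attempt such as
-- '/u01/thisismypath/../etc' has its dots stripped first, so it stays under the root as well.
EXEC DIROWNER.CREATE_DIRECTORY.createdirectory('ETCDIR', '/etc');

-- 3. Audit: who holds CREATE ANY DIRECTORY, directly or through one level of role?
--    (roles granted to roles need a recursive query on DBA_ROLE_PRIVS)
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'CREATE ANY DIRECTORY'
UNION ALL
SELECT rp.grantee, sp.grantee AS via
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'CREATE ANY DIRECTORY';

-- 4. Audit: which directory objects point outside the allowed root?
SELECT owner, directory_name, directory_path
  FROM dba_directories
 WHERE directory_path NOT LIKE '/u01/thisismypath%';
```

The third query is the one to schedule: the package removes the need to hand out CREATE ANY DIRECTORY, but it does nothing about grants that already exist, and the DBA role carries the privilege, so every member of DBA shows up here too.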

Please send feedback about the above code and any additions you would recommend to paul.wright@oracleforensics.com

Thanks,
Paul