Re: Security Question

  • From: Pete Finnigan <pete@xxxxxxxxxxxxxxxx>
  • To: mcdonald.connor@xxxxxxxxx
  • Date: Fri, 06 Feb 2009 16:04:30 +0000

Hi Connor,

Thanks for your input; I agree totally. The ALTER SESSION system
privilege is dangerous as it can move data outside of the database and
potentially allow reading of data from an account that has no privileges
on the data.

Whilst I made a mess of editing my post yesterday, my point was valid.
This led me to think about what is possible with just ALTER SESSION, and
I have spent a little time playing this lunchtime and have been able
to read credit cards, get password hashes, dump data blocks, work out
structure and more. I wrote a second blog entry describing how this can
be done - http://www.petefinnigan.com/weblog/archives/00001234.htm

Christopher:

So yes, to answer your question, it is possible to dump data blocks with
ALTER SESSION but not from the files themselves. This is not an issue
for someone who wants to steal data; they do not consider the source;
they consider the result!

cheers

Pete

Connor McDonald wrote:
> On Fri, Feb 6, 2009 at 6:22 PM, Pete Finnigan <pete@xxxxxxxxxxxxxxxx> wrote:
> 
>> Hi Christopher,
>>
>> Thanks for your email. Yes you are right of course. I actually didn't
>> mean to suggest that block dumps were possible with alter session but
>> added the word block because of brain fade.
>> Alex also picked up the same issue.
>>
>> I have edited the post and replied to Alex's comment. The post is
>> http://www.petefinnigan.com/weblog/archives/00001232.htm#comments
>>
>> Thanks for keeping me honest
>>
>> kind regards
>>
>> Pete
>>
>>
> Either way...when you see what's possible in oraus.msg with "alter session
> set events" it's not the kind of privilege you want to be handing out on a
> whim...  If possible, wrap the desired command up in a controlled proc and
> give access to that.
> 

-- 

Pete Finnigan
Director
PeteFinnigan.com Limited

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: +44 (0)1904 791188
Fax  : +44 (0)1904 791188
Mob  : +44 (0)7742 114223
email: pete@xxxxxxxxxxxxxxxx
site : http://www.petefinnigan.com

Registered Office: 9 Beech Grove, Acomb, York, YO26 5LD, United Kingdom
Company No       : 4664901
VAT No.          : 940 6681 14

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of PeteFinnigan.com Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

--
//www.freelists.org/webpage/oracle-l
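As an added illustration of the "controlled proc" approach Connor suggests above (example code, not from the thread or from PeteFinnigan.com), the first query lists who currently holds ALTER SESSION, and the rest replaces a direct grant to an application account with EXECUTE on a fixed-purpose procedure. The schema names SEC_ADMIN and APP_USER are assumptions.

```sql
-- Assumed names: SEC_ADMIN (owner holding ALTER SESSION), APP_USER (app account).

-- 1. Who holds ALTER SESSION, directly or through a role?
--    (One level of role nesting only; extend with ROLE_ROLE_PRIVS if roles nest.)
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'ALTER SESSION'
UNION ALL
SELECT rp.grantee, 'ROLE ' || sp.grantee AS via
  FROM dba_sys_privs  sp
  JOIN dba_role_privs rp ON rp.granted_role = sp.grantee
 WHERE sp.privilege = 'ALTER SESSION'
 ORDER BY 1;

-- 2. Give the owner the privilege directly (roles are not active inside a
--    definer's rights procedure), then expose one fixed, validated action.
GRANT ALTER SESSION TO sec_admin;

CREATE OR REPLACE PROCEDURE sec_admin.enable_trace (p_ident IN VARCHAR2)
AUTHID DEFINER          -- runs with SEC_ADMIN's privileges, not the caller's
AS
BEGIN
  -- Only a plain identifier is accepted; the caller never supplies a
  -- free-form ALTER SESSION clause (no SET EVENTS, no arbitrary parameters).
  IF NOT REGEXP_LIKE(p_ident, '^[A-Za-z0-9_]{1,30}$') THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid trace identifier');
  END IF;
  EXECUTE IMMEDIATE 'ALTER SESSION SET TRACEFILE_IDENTIFIER = ''' || p_ident || '''';
  EXECUTE IMMEDIATE 'ALTER SESSION SET SQL_TRACE = TRUE';
END enable_trace;
/

-- 3. Hand out the wrapper, not the privilege.
GRANT EXECUTE ON sec_admin.enable_trace TO app_user;
REVOKE ALTER SESSION FROM app_user;

-- APP_USER can now trace its own session without holding ALTER SESSION:
-- EXEC sec_admin.enable_trace('ORDERS_BATCH');
```

Re-run the first query after the revoke to confirm APP_USER no longer appears, and review any remaining role-based grants the same way.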

