Supplied Packages, Database Links, and SQL Injection

  • From: "MacGregor, Ian A." <ian@xxxxxxxxxxxxxxxxx>
  • To: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 9 May 2006 11:17:33 -0700

Certain supplied packages such as dbms_export_extension are flawed; you can 
inject SQL such as "grant dba to me;" into them and the code will be executed. 
Now suppose you are pulling data from a database which includes sensitive 
information to one that does not via a database link.  No sensitive data is 
accessible; the account on the sensitive database to which the database link 
connects has no privilege to access the sensitive objects.  However, there is a 
package, I'll call it dbms_flawed, which is exploitable via SQL injection.  A 
user runs dbms_flawed.execute_this@remote_db('grant dba to me'), thereby gaining 
that privilege, or executes dbms_flawed.execute@remote_db('grant all on 
trusted_user.confidential_info_table to me');  The controls set up to prevent 
improper access are bypassed.

The answer is to not allow "me" to execute dbms_flawed.  However, there are 
other packages which might now or someday be exploitable.  How are folks 
handling this?  Have you revoked execute privileges from public from all 
packages, a certain set of packages (if so which ones)?  Is there a list of 
packages which have the potential to be exploited?
Revoking privileges can be tricky.  Dba_dependencies will find calls from 
stored procedures, but not anonymous blocks.



Ian MacGregor
Stanford Linear Accelerator Center
ian@xxxxxxxxxxxxxxxxx
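
The following audit queries are an added example, not part of the original post. They list the SYS-owned packages that the database link account can execute on the remote database, and show how many stored objects depend on each PUBLIC-executable package before a revoke is attempted. LINK_USER is a placeholder for the account the link connects as, and the session is assumed to have read access to the DBA_ dictionary views.

```sql
-- Added example. Run on the database the link points to.
-- LINK_USER is a placeholder for the account the database link connects as.

-- 1. SYS-owned packages reachable through the link, either via PUBLIC or a
--    direct grant to the link account. Grants received through roles are
--    not expanded here.
SELECT p.grantee,
       p.owner,
       p.table_name AS package_name
FROM   dba_tab_privs p
JOIN   dba_objects   o
       ON  o.owner       = p.owner
       AND o.object_name = p.table_name
       AND o.object_type = 'PACKAGE'
WHERE  p.privilege = 'EXECUTE'
AND    p.owner     = 'SYS'
AND    p.grantee  IN ('PUBLIC', 'LINK_USER')
ORDER  BY p.table_name, p.grantee;

-- 2. For each PUBLIC-executable SYS package, count the stored objects outside
--    SYS that reference it. A count of 0 only means no stored code depends on
--    the package: anonymous blocks are not recorded in DBA_DEPENDENCIES, and
--    calls arriving over a database link are recorded on the calling
--    database (REFERENCED_LINK_NAME), not here.
SELECT p.table_name  AS package_name,
       COUNT(d.name) AS dependent_objects
FROM   dba_tab_privs p
JOIN   dba_objects   o
       ON  o.owner       = p.owner
       AND o.object_name = p.table_name
       AND o.object_type = 'PACKAGE'
LEFT JOIN dba_dependencies d
       ON  d.referenced_owner = p.owner
       AND d.referenced_name  = p.table_name
       AND d.referenced_type  = 'PACKAGE'
       AND d.owner NOT IN ('SYS', 'PUBLIC')
WHERE  p.privilege = 'EXECUTE'
AND    p.owner     = 'SYS'
AND    p.grantee   = 'PUBLIC'
GROUP  BY p.table_name
ORDER  BY dependent_objects, p.table_name;
```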








  