Re: new paper on direct access in C to the SGA

  • From: Mladen Gogala <mladen@xxxxxxxxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Tue, 15 Jun 2004 14:46:31 -0400

On 06/15/2004 02:27:12 PM, "Goulet, Dick" wrote:
> Well, I know some folks here are not going to like me very much, but I for 
> one have little respect for those who publish such hacks and not too much 
> more for those vendors that use them.  As I've said before, if you can read a 
> memory chunk you sure as heck can write to it as well 

I have to question this statement. Shared memory protection is similar to the
protection of a file. You certainly can read /boot/bzImage but, unless you have
the proper privilege level, you cannot write into it. Here is what the shmget
manpage says about the protection:

       IPC_CREAT   to create a new segment. If this flag  is  not  used,  then
                   shmget()  will  find the segment associated with key, check
                   to see if the user has  permission  to  receive  the  shmid
                   associated  with the segment, and ensure the segment is not
                   marked for destruction.
                                                                                
       IPC_EXCL    used with  IPC_CREAT  to  ensure  failure  if  the  segment
                   exists.
                                                                                
       mode_flags (lowest 9 bits)
                   specifying the permissions granted to the owner, group, and
                   world.  Presently, the execute permissions are not used  by
                   the system.

It is quite reminiscent of the "open" call, and while a normal (ab)user can open
the /boot/bzImage file, he usually cannot write to it, unless he's the
super-(ab)user and not an ordinary one. It is exactly the same story with the
shared memory segments. Potential benefits for an ordinary (ab)user like me come
from the fact that, using this, I might be able to read ASCII passwords stored
somewhere in the SGA and become an (ab)user with the DBA & SYSDBA privileges,
and much more entertaining as such. Of course, being a DBA, I already have all
privileges, which means that the code is without value for me. If someone breaks
into my database using this perversion, I'll look for the instigator and let him
have a really bad Finnegan's wake.
-- 
Mladen Gogala
Oracle DBA
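The permission check the post describes, as an added example (this is not code from the original message or from Oracle): a private segment is created with mode 0444, so the owner holds the r bit but not the w bit; a SHM_RDONLY attach then succeeds while a writable attach fails with EACCES, the shared-memory equivalent of being able to open a 0444 file for reading but not for writing. Root holds CAP_IPC_OWNER and bypasses the mode bits, which is the "super-(ab)user" case. The result codes and the helper names are mine.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <unistd.h>

/* Outcomes of demo_shm_permissions() (names are this example's own). */
enum shm_demo_result {
    SHM_DEMO_UNAVAILABLE   = -1, /* SysV shared memory not usable here (sandbox, seccomp) */
    SHM_DEMO_WRITE_ALLOWED =  0, /* writable attach succeeded: root / CAP_IPC_OWNER only */
    SHM_DEMO_WRITE_DENIED  =  1  /* read-only attach worked, writable attach got EACCES */
};

/*
 * Create a private segment whose mode bits grant the owner read but not
 * write (0444), then attach it twice: once with SHM_RDONLY, once writable.
 * The kernel applies the owner/group/world bits that the shmget() manpage
 * describes, so the writable attach fails with EACCES for an ordinary user,
 * exactly as open(O_WRONLY) on a 0444 file would.
 */
int demo_shm_permissions(void)
{
    int result = SHM_DEMO_UNAVAILABLE;
    struct shmid_ds ds;
    void *ro, *rw;

    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | IPC_EXCL | 0444);
    if (id == -1)
        return SHM_DEMO_UNAVAILABLE;

    /* Like stat() on a file: the mode bits are stored with the segment. */
    if (shmctl(id, IPC_STAT, &ds) == -1 || (ds.shm_perm.mode & 0777) != 0444)
        goto cleanup;

    /* Read-only attach asks only for the r bit, which the owner has. */
    ro = shmat(id, NULL, SHM_RDONLY);
    if (ro == (void *)-1)
        goto cleanup;
    {
        volatile const unsigned char *p = ro;
        unsigned char first = p[0];      /* reading is permitted */
        (void)first;
    }
    shmdt(ro);

    /* Writable attach asks for r and w; the owner lacks w. */
    rw = shmat(id, NULL, 0);
    if (rw == (void *)-1) {
        if (errno == EACCES)
            result = SHM_DEMO_WRITE_DENIED;
    } else {
        shmdt(rw);
        result = SHM_DEMO_WRITE_ALLOWED;
    }

cleanup:
    shmctl(id, IPC_RMID, NULL);          /* do not leak the segment */
    return result;
}

/* 1 if the demo behaves as the permission model predicts for the calling
 * user: root (CAP_IPC_OWNER) may attach writable, everyone else is denied.
 * An environment without SysV IPC at all is reported as consistent. */
int demo_matches_expectation(void)
{
    int r = demo_shm_permissions();
    if (r == SHM_DEMO_UNAVAILABLE)
        return 1;
    return r == (geteuid() == 0 ? SHM_DEMO_WRITE_ALLOWED : SHM_DEMO_WRITE_DENIED);
}

int main(void)
{
    switch (demo_shm_permissions()) {
    case SHM_DEMO_WRITE_DENIED:
        puts("read-only attach ok, writable attach denied (EACCES): mode bits enforced");
        break;
    case SHM_DEMO_WRITE_ALLOWED:
        puts("writable attach succeeded: running with CAP_IPC_OWNER (root)");
        break;
    default:
        puts("SysV shared memory unavailable in this environment");
    }
    return 0;
}
```

To see the bits an instance's segments actually carry, `ipcs -m` lists every segment with its owner and mode; a reader that needs only the r bit for its own uid or group, or runs as root, is what the permission check lets through, and nothing in the mode bits distinguishes a legitimate monitoring tool from the password-scraping reader the post worries about.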


----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------