Tuesday, November 27, 2007

Oracle security, gain access to OS level

Via the Pete Finnigan website I came across a link to the weblog of Tanel Poder who found a security flaw in Oracle 11g.

"I was doing some low-level security research on Oracle 11g and realized that combining couple little known Oracle’s features can allow anyone with DBA or IMP_FULL_DATABASE rights run any OS command under the same privileges the Oracle processes are running. This allows an attacker to erase files from audit_file_dest or patch the Oracle binary (after setting _disable_image_check to true) or make a dedicated server process a SYSDBA one using a debugger.

I don’t rank this security issue a too critical one as exploiting it requires the attacker to already have high privileges - the BECOME USER privilege in addition to execute rights on KUPP$PROC package used by DataPump. These privileges are included in DBA and IMP_FULL_DATABASE roles by default. So in order to exploit the security flaw you would already have pretty destructive rights ( IMP_FULL_DATABASE has DROP ANY TABLE and such privs in it already )."

I do agree with Tanel Poder that you need a high security level to exploit this security flaw however I do not feel this is a minor security flaw because of this fact. I personally consider every security flaw a big issue and never a minor one. Even do you will need a high security level and trust level within a company it can be a big risk when a unprivileged person can gain access to a security level he or she is not entitled to. I am afraid Oracle corporation will have the same feeling as Tanel Poder and will rank this minor the same as was done with the Oracle applications password and Oracle iStore security flaw I mentioned to oracle.

No comments: