
Pete Finnigan's Oracle security weblog




Interesting discussion on DBMS_SUPPORT versions

November 13th, 2004 by Pete


I just came across an interesting thread on ORACLE-L discussing the versions of DBMS_SUPPORT that are available in the database. The thread has not made it to the archives on freelists.org yet, but it should appear soon.

The thread asks which version of this useful package is installed. The poster demonstrated the confusion as follows:

SQL> select sys.dbms_support.package_version from dual;

PACKAGE_VERSION
------------------------------------------------------------------------
DBMS_SUPPORT Version 1.0 (17-Aug-1998) - Requires Oracle 7.2 - 8.0.5

SQL>

The version of Oracle is:

SQL> select * from v$version;

BANNER
------------------------------------------------------------
Personal Oracle9i Release 9.2.0.1.0 - Production
PL/SQL Release 9.2.0.1.0 - Production
CORE 9.2.0.1.0 Production
TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
NLSRTL Version 9.2.0.1.0 - Production

SQL>

Hmmm, a slight issue? The version function says that this package should only be used between versions 7.2 and 8.0.5, yet here it is on 9.2.0.1.0. What’s the score? The thread goes on to ask if there is a newer version of this package and what it might include, such as showing the name of the trace file. Jared goes on to agree about the versions and Paul suggests that the package was not even shipped with version 8iR3.

So what is the issue with this package? It is an undocumented package, apart from numerous Metalink notes that mention it. The package is not installed by default and should only be installed if you are instructed to do so by Oracle Support. Many DBAs install it anyway.

So what is the security angle? Well, if a package was not even shipped with one version (I think this was recorded as a mistake rather than a deliberate omission), and it is unsupported and undocumented, then it should not normally be present and in use. What can the package be used for besides reporting its version? It can be used to get your own SID and also to turn on trace, with or without extended trace. I include how to use this package in my paper about all of the ways to turn on trace. To some, using trace is a must, but to a security person the ability to set trace, and especially to set trace for another session, is a security risk. Trace can be used to extract all sorts of application structure and also to steal critical data from the database and its configuration. Therefore any method of setting trace should be restricted.

I would recommend using my script who_can_access.sql to see which users and roles can access this package. Let's see the result for a default install of this package:

who_can_access: Release 1.0.1.0.0 - Production on Sat Nov 13 19:49:29 2004
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK [USER_OBJECTS]: DBMS_SUPPORT
OWNER OF THE OBJECT TO CHECK [USER]: SYS
OUTPUT METHOD Screen/File [S]: S
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:

Checking object => SYS.DBMS_SUPPORT
====================================================================



PL/SQL procedure successfully completed.


For updates please visit http://www.petefinnigan.com/tools.htm

SQL>

As you can see, by default no users can access this package; keep it this way. If any user has been granted access to this package, revoke it, and if it is installed, remove it, unless Oracle Support asks you to use it.
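As an added example (this is not Pete's who_can_access.sql, just the same check written against the standard data dictionary views), the following SQL finds the package, lists every grant on it and expands role grants down to the users who end up with execute rights. It assumes you run it as a DBA and that the package is owned by SYS, as in the output above.

```sql
-- Added example, not code from the original post. Plain data dictionary queries,
-- 9i-compatible CONNECT BY syntax so it runs on the 9.2.0.1.0 install shown above.
-- Needs SELECT on the DBA_* views (run as a DBA).

-- 1. Is SYS.DBMS_SUPPORT installed at all? No rows means it is not present.
SELECT owner, object_name, object_type, status, created
FROM   dba_objects
WHERE  owner = 'SYS'
AND    object_name = 'DBMS_SUPPORT';

-- 2. Direct grants on the package to users, roles or PUBLIC.
--    A default install (as in the who_can_access run above) returns no rows.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_SUPPORT';

-- 3. If a ROLE holds the grant, walk DBA_ROLE_PRIVS (role -> nested role -> user)
--    to find the users who inherit it. A grant to PUBLIC is not expanded here;
--    step 2 already shows it, and it means every user.
SELECT DISTINCT rp.grantee AS end_user
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START WITH rp.granted_role IN (SELECT tp.grantee
                               FROM   dba_tab_privs tp
                               WHERE  tp.owner      = 'SYS'
                               AND    tp.table_name = 'DBMS_SUPPORT'
                               AND    tp.grantee IN (SELECT role FROM dba_roles))
CONNECT BY PRIOR rp.grantee = rp.granted_role;

-- 4. Remediation as the post recommends: revoke any grant found in step 2 and, unless
--    Oracle Support asked for the package, drop it. <GRANTEE> is a placeholder for a
--    user, role or PUBLIC returned by step 2. Left commented so the script is read-only.
-- REVOKE EXECUTE ON sys.dbms_support FROM <GRANTEE>;
-- DROP PACKAGE sys.dbms_support;
```

Re-run steps 1 to 3 after any change so you have a record that the package is gone or that nothing but SYS can reach it.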
