[Previous entry: "How to write injection proof PL/SQL"] [Next entry: "A new paper on PL/SQL Injection"]
Exploiting CREATE ANY DIRECTORY to become a SYSDBA
October 20th, 2008 by Pete
Post to del.icio.us
Post to Furl
Paul has recently put out a new paper on his site called "CREATE ANY DIRETORY to SYSDBA" and also code for the example exploit. This is an interesting paper and shows why the granting of any privilege with the keyword "ANY" in it is an issue. There are possibilities to exploit any of these ANY privileges to gain access to data or to escalate privileges.
The paper is interesting but (this is not a critisism) its a class of issue that should not be allowed to exist in a production database. We must always follow the least privilege principle and indeed this is one area I concentrate heavily on when i perform an Oracle database security audit for clients. The second issue with Paul's paper (again in no way a critisism) is that the UTL_FILE and directory object method are not the only ways to get at the password file (in this case). I still see 10g databases with utl_file_dir set to * for instance and there are also lots of other packages and Java that allow access to the file system, so beware there are othe possible vectors here involving different packages, privileges etc.
Good paper.
