Call: +44 (0)7759 277220 Call
Forum

Welcome, Guest. Please Login.
Nov 23rd, 2024, 5:15pm
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   UTL_FILE_DIR set to *
« Previous topic | Next topic »
Pages: 1  Reply | Notify of replies | Send Topic | Print
   Author  Topic: UTL_FILE_DIR set to *  (Read 13595 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
UTL_FILE_DIR set to *
« on: Jul 13th, 2006, 6:58pm »
Quote | Modify

Hello Everyone,
 
I manage the security for our project but have little understanding of Oracle and the ways it works.  Thankfully I have a DBA who I believe 'gets it' and has alerted me to a potentially serious security vulnerability with something our developers are trying to do.
 
Our developers want to set UTL_FILE_DIR to '*'.  Our DBA says this will allow any db user on any client to read/write to any directory the oracle OS user has permission to.  
 
I've sanitized some information about what they intend below:
---from our devs---  
APPLICATION has a dynamic changing directory for the generated files by the UTL_FILE package as below:
/<os_dir>/<customer_data_dir>/<customer_name>/<specific_data>/...
For each new CUSTOMER, we need to run a perl scrip to set up a new /<os_dir>/<customer_data_dir>/<customer_name>/.. directory.  The developers have tried to set UTL_FILE_DIR =/<os_dir>/<customer_data_dir>/*, but it did not work. Looks like Oracle can only take either exact directory match or one wildcard * for all directories.
 
Therefore, for APPLICATION reports to work we have to set the UTL_FILE_DIR =* in the initORA. The same also applies for OTHER APPLICATION.
---end---
 
Assuming that my DBA is correct about this risk, can someone help me with an explanation I can give to our developers why this shortcut is unacceptable?  They are the type to respond with "why would an internal user do something malicious?"  
 
Thank you and please let me know if more description is needed.
 
D3
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: UTL_FILE_DIR set to *
« Reply #1 on: Jul 13th, 2006, 7:41pm »
Quote | Modify

Hi  
 
your DBA is correct. Setting utl_file_dir to "*" will allow any remote user who has the ability to use UTL_FILE to write or read to any file that the owner of the Oracle software has rights to access. There are many hacks that you can dream up using this ability that would let you escalate to SYS privileges.
 
The developers should re-think their design. They can also use DIRECTORY objects remember which can be controlled by better RBAC, e.g. you can control who can access the file system at the user or role level rather than globally as with utl_file_dir
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: UTL_FILE_DIR set to *
« Reply #2 on: Jul 13th, 2006, 8:31pm »
Quote | Modify

Hi Pete,
 
Thanks for the confirmation about the DIRECTORY objects.  Our DBA had found that as a possible solution just after my posting.  It seems that there would still exist the possibility to read/write the Oracle directory (including binaries) but not the OS.  I'm exploring the details to lock that down and audit the heck out of what gets left open.  
 
Cheers,
D3
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: UTL_FILE_DIR set to *
« Reply #3 on: Jul 14th, 2006, 9:35am »
Quote | Modify

Hi,
 
you should also be aware that UTL_FILE is only one of many built in packages that can be used to access files on the OS.  
 
Good practice would be to ensure that the directory objects point to an OS directory structure that is isolated from the Oracle installation, i.e. if oracle is in /u01 and /u02 make sure directory objects are pointing only to /u04 and so on.
 
If you place contro0ls around who can create and access directory objects and also around where they point to you should be OK. For instance grant create directory to a new schema account. in that account create a package that manages the creation of the directory, hard code the pre-amble to the path - i.e. /u04 and then ensure no other schemas can create or alter directory objects. revoke create session from the package owner and grant access to just your create and alter directory package procedures to the application schema owner only. i.e make it harder for anyone to randonly call these procedures to access or chnage directories.
 
hth
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: UTL_FILE_DIR set to *
« Reply #4 on: Jul 14th, 2006, 3:37pm »
Quote | Modify

Another possible advantage of directories is that you can give them general names and point to them from your code.  
 
Suppose you have a production and a test site with different output paths. You can make a directory object called OUTPUT_DIR, which, on your production site might point to a different path than OUTPUT_DIR on a test site. You don't have to change your code, while with hardcoded utl_file paths you often have to.
 
Then think what happens when the directory structure has to change in, say, 3 years time from now, if you have paths hardcoded in your code?
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: UTL_FILE_DIR set to *
« Reply #5 on: Jul 14th, 2006, 5:47pm »
Quote | Modify

Hi Marcel-Jan,
 
I agree with your view and I think you meant with utl_file_dir but I would still suggest that a filter is required in the controls around the access to create and alter directory objects to ensure that they are not created to point at sensitive directories such as the Oracle home or data files.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: UTL_FILE_DIR set to *
« Reply #6 on: Jul 19th, 2006, 5:08am »
Quote | Modify

AskTom has a java stored procedure for listing the contents of a directory. You could hardcode the  /<os_dir>/<customer_data_dir>/ into that, and have it automatically CREATE DIRECTORY for all the individual data directories in there (where there isn't already a directory object for it).
 
http://asktom.oracle.com/pls/ask/f?p=4950:8:12177331569948952020::NO::F4 950_P8_DISPLAYID,F4950_P8_CRITERIA:439619916584
 
As a side thought, what os account is running the perl script that creates the directory ?
Just thinking that a hard link created in that directory might be able to get to a file that really sits in another directory (eg the home directory of the oracle user). Not sure about symbolic/soft links. Probably best to test under your own OS anyway.
 
 
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues