Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Latest Oracle CPU is out"] [Next entry: "Pete Finnigan webinar "The right way to secure Oracle""]

Escalate privileges to SYSDBA with CREATE USER

Paul emailed me the other day to send his new paper that shows how he was able to exploit a problem with Oracles namespace resolution. The idea is that because a user may have the CREATE USER privilege so he can create a database user with the same name as a SYS owned package. In the example Paul creates a user called DBMS_FLASHBACK. The namespace resolution and the fact that SYS ignores definer rights code means that the creation of a function from a package (the same name as a real function) can be used to call code to grant SYSDBA to the attackers user through his function.

Its a nice idea but the execution is really a trojan as its still necessary for a DBA logged in as SYSDBA to execute the "doppleganger" function. Nice idea though.