Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: exec any procedure

From: DA Morgan <damorgan_at_psoug.org>
Date: Fri, 03 Jun 2005 12:33:45 -0700
Message-ID: <1117827102.454729@yasure>


Paul wrote:
> DA Morgan <damorgan_at_psoug.org> wrote:
>
>>> I have a user having execute any procedure priv. Is it some security
>>> issue.
>>
>> Yes. They can make themselves SYS anytime they want to.
>
> How, without a password?
>
> Paul...

You don't need one if you have EXECUTE ANY PROCEDURE.

From Pete Finnigan's site:

Often neglected, the OUTLN account has EXECUTE ANY PROCEDURE permission. On 8i it can become admin by using dbms_repcat_admin.

UPDATED 16-Sep-2004 I have just updated the links to other researchers' advisories for the Oracle alert #68, as Alex Kornbrust has added detailed advisories for the three bugs that he discovered that were also fixed in Oracle alert #68. Alex found a particularly interesting SQL Injection bug in the CTXSYS.DRILOAD package where it is possible to execute almost any SQL command, for instance granting yourself the DBA role.

And there are plenty of other ways to do it in other versions of Oracle.
-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Fri Jun 03 2005 - 14:33:45 CDT
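
An audit query for the risk discussed in this thread, added here as an example and not part of the original post: it lists every non-role grantee that holds EXECUTE ANY PROCEDURE, either directly or inherited through a chain of roles. It assumes the session can read the DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES and DBA_USERS dictionary views.

```sql
-- Added example: find accounts holding EXECUTE ANY PROCEDURE.
-- Assumes SELECT access to the DBA_* dictionary views.
WITH direct_grant AS (
    -- Users or roles granted the system privilege directly
    SELECT grantee
    FROM   dba_sys_privs
    WHERE  privilege = 'EXECUTE ANY PROCEDURE'
),
role_chain AS (
    -- Start from roles that hold the privilege and walk down to
    -- everything those roles have been granted to (roles or users)
    SELECT grantee,
           SYS_CONNECT_BY_PATH(granted_role, ' > ') AS grant_path
    FROM   dba_role_privs
    START WITH granted_role IN (SELECT grantee FROM direct_grant)
    CONNECT BY PRIOR grantee = granted_role
),
holders AS (
    SELECT grantee, 'DIRECT' AS grant_path FROM direct_grant
    UNION
    SELECT grantee, grant_path FROM role_chain
)
SELECT h.grantee,
       u.account_status,          -- NULL for PUBLIC, which is not in DBA_USERS
       h.grant_path               -- role chain the privilege flows through
FROM   holders h
LEFT JOIN dba_users u ON u.username = h.grantee
WHERE  h.grantee NOT IN (SELECT role FROM dba_roles)  -- report accounts, not roles
ORDER  BY h.grantee, h.grant_path;
```

Any row for an account that does not need the privilege is a candidate for REVOKE EXECUTE ANY PROCEDURE, or for removal of the role shown in grant_path; a row for PUBLIC means every account in the database holds it.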
