CREATE ANY DIRECTORY threats : PDBs and the PATH_PREFIX clause

Mahmoud Hatem security

In my last blog post  “CREATE ANY DIRECTORY”=DBA=SYSDBA ! Ouch ! i talked about the potential threat that can represent the PREPROCESSOR feature introduced in oracle 11gr2 in a consolidated environment and how to develop a systemtap live patch to help preventing that.As Frank Pachot also stated a new parameter “PDB_OS_CREDENTIAL” was introduced in oracle 12.2.0.1 which is meant to prevent that in CDB databases:

“The operating system interactions that are done as the OS user name specified in the credential include:

  •     External jobs that do not already have an operating system credential specified
  •     External table pre-processors
  •     PL/SQL library executions” Ref

Still there is another threat ! As stated by Connor Mcdonald in the comment section of my previous blog post : “Similarly, giving out “create any directory” is just setting yourself up to get burned – a few nasty UTL_FILE calls against anything V$DATAFILE and whoosh…the database is gone.”

For example an administrator of one PDB can compromise data belonging to another PDB ! Or inject code in another shell script that will be executed later by a higher privileged user example : “dbhome_1/QOpatch/qopiprep.bat” used when querying  “OPATCH_XML_INV”.

What if i tell you that there is a solution in CDB databases and it’s name is “PATH_PREFIX” !

PATH_PREFIX is a propriety that we specify at PDB creation : Ref

“Use this clause to ensure that file paths for directory objects associated with the PDB are restricted to the specified directory or its subdirectories. This clause also ensures that the following files associated with the PDB are restricted to the specified directory: the Oracle XML repository for the PDB, files created with a CREATE PFILE statement, and the export directory for Oracle wallets. You cannot modify the setting of this clause after you create the PDB. This clause does not affect files created by Oracle Managed Files.”

So using this propriety all directories have to be created relatively the specified path indicated by PATH_PREFIX. (example a malicious user can no more create a directory pointing to ‘/bin’ or overwrite your data files) Feel safer no ! Let’s give it a try !

ORACLE 12.2.0.1 / OEL6.6 test :

First without setting the PATH_PREFIX :

Capture

Capture 10

There is no change we can still use absolute paths !

When setting the PATH_PREFIX :

Capture2

Capture 21

We can no more use absolute path !  Good that’s what we are looking for !

And yes this PDB property existed since oracle 12.1.0.1 but it seem it was not working as expected as we can still use absolute paths even when it’s set. See Deiby Gomez  test in 12.1.0.1 https://www.toadworld.com/platforms/oracle/b/weblog/archive/2015/09/25/pdb-creation-with-path-prefix  .

ORACLE 12.1.0.2/OEL 6.6 test :

Sans titre

Capture 23

Although PATH_PREFIX is set we can still use absolute path at directory creation !

Check also LOCKDOWN PROFILE / PDB Lockdown Profile Features : ref

OS_ACCESS EXTERNAL_FILE_ACCESS Using external files or directory objects in the PDB when PATH_PREFIX is not set for the PDB

That’s it 😀

One thought on “CREATE ANY DIRECTORY threats : PDBs and the PATH_PREFIX clause

  1. Hi Hatem,

    Thanks for this great article…..correct me if i am wrong, the lockdown profile EXTERNAL_FILE_ACCESS only covers PDB level not CDB level.

    Regards,
    Emad Al-Mousa

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s