CREATE ANY DIRECTORY threats : PDBs and the PATH_PREFIX clause

In my last blog post  “CREATE ANY DIRECTORY”=DBA=SYSDBA ! Ouch ! i talked about the potential threat that can represent the PREPROCESSOR feature introduced in oracle 11gr2 in a consolidated environment and how to develop a systemtap live patch to help preventing that.As Frank Pachot also stated a new parameter “PDB_OS_CREDENTIAL” was introduced in oracle 12.2.0.1 which is meant to prevent that in CDB databases:

Continue reading

“CREATE ANY DIRECTORY”=DBA=SYSDBA ! Ouch !

As Kamil Stawiarski explained in some great articles :

“A lot companies consolidates databases into one appliance – like for example Oracle Exadata. So you can have a lot of different databases in one physical cluster. And what if I tell you that you can execute any OS command as an oracle user, having just access to a database user with appropriate privileges? What if I tell you that DBA=SYSDBA? And not just SYSDBA for one database but for every database in a cluster?” Ref1

This is possible using only three elements thanks to the PREPROCESSOR feature introduced in oracle 11G   Ref2 :

Continue reading