Bypass Oracle Logon Trigger
Details

It is possible to bypass the Oracle database logon trigger. This can cause severe security problems. Oracle database logon triggers are often used to restrict user access (e.g. based on time or IP addresses) and/or to write audit entries into (custom) tables.

Sample Database Logon Trigger:

-- Logon trigger which allows connects only from the IP addresses 192.168.2.121, 192.168.2.123 and 192.168.2.233
-- and only during business hours (6 to 18).
-- This can be bypassed: every user can connect and execute SQL statements.
-- The audit entry into the table is also not written.
CREATE OR REPLACE TRIGGER rds_logon_trigger
AFTER LOGON ON DATABASE
BEGIN
  -- Restrict connects to a fixed list of client IP addresses
  IF SYS_CONTEXT('USERENV','IP_ADDRESS') NOT IN ('192.168.2.121','192.168.2.123','192.168.2.233') THEN
    RAISE_APPLICATION_ERROR(-20003,'You are not allowed to connect to the database');
  END IF;
  -- Restrict connects to business hours: an hour below 6 or above 18 is rejected
  IF (TO_NUMBER(TO_CHAR(SYSDATE,'HH24')) < 6) OR (TO_NUMBER(TO_CHAR(SYSDATE,'HH24')) > 18) THEN
    RAISE_APPLICATION_ERROR(-20005,'Logon only allowed during business hours');
  END IF;
  -- Insert data into an audit table
  -- The table rds_user_log must be created first!
  INSERT INTO rds_user_log VALUES (
    USER,
    SYS_CONTEXT('USERENV','SESSIONID'),
    SYS_CONTEXT('USERENV','HOST'),
    NULL, NULL, NULL,
    SYSDATE,
    TO_CHAR(SYSDATE,'hh24:mi:ss'),
    NULL, NULL, NULL
  );
END;
/

Patch Information

Apply the patches for Oracle CPU April 2007.

History

7-jun-2006 Oracle secalert was informed
8-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published

© 2007 by Red-Database-Security GmbH - last update 17-apr-2007
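Because the bypass leaves the trigger's audit table empty for the affected session, a defender can detect it on an unpatched system by reconciling the trigger-maintained table against Oracle's built-in session audit trail (DBA_AUDIT_SESSION, populated when AUDIT SESSION is enabled). The script below is an added example by the editor, not code from the advisory or from Red-Database-Security. It assumes the two tables have been exported as rows, that the trigger table (rds_user_log in the advisory) stores SYS_CONTEXT('USERENV','SESSIONID') as its session id column, and that RETURNCODE 0 in DBA_AUDIT_SESSION marks a successful logon; the rows in the block are constructed test data.

```python
"""Reconcile Oracle's built-in session audit trail with a trigger-maintained
audit table to find logons the logon trigger never recorded.

Added example, not part of the advisory.  Assumptions:
  - AUDIT SESSION is enabled, so DBA_AUDIT_SESSION holds one LOGON row
    per connection attempt (RETURNCODE 0 = success).
  - The trigger's table (rds_user_log) stores the value of
    SYS_CONTEXT('USERENV','SESSIONID') in a session id column.
The sample rows below are constructed, not real exports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditSession:
    """One row exported from DBA_AUDIT_SESSION (subset of columns)."""
    sessionid: int
    username: str
    userhost: str
    action_name: str
    returncode: int  # 0 means the logon succeeded


@dataclass(frozen=True)
class TriggerLogRow:
    """One row exported from the trigger's audit table (rds_user_log)."""
    sessionid: int
    username: str


def find_unlogged_logons(audit_rows, trigger_rows):
    """Return successful LOGON audit rows that have no trigger audit entry.

    A successful logon with no matching row in the trigger table means the
    AFTER LOGON trigger did not run to completion for that session, which is
    the symptom of the bypass described in the advisory.  Failed logons are
    ignored because a trigger that raised an error also writes no row.
    """
    logged_sessions = {row.sessionid for row in trigger_rows}
    return [
        row for row in audit_rows
        if row.action_name == "LOGON"
        and row.returncode == 0
        and row.sessionid not in logged_sessions
    ]


# Constructed sample export of DBA_AUDIT_SESSION
AUDIT = [
    AuditSession(1001, "SCOTT", "ws121", "LOGON", 0),
    AuditSession(1002, "SCOTT", "ws999", "LOGON", 1017),  # failed (ORA-01017)
    AuditSession(1003, "HR", "ws123", "LOGON", 0),
    AuditSession(1004, "HR", "ws200", "LOGON", 0),  # no trigger row: suspicious
]

# Constructed sample export of the trigger's audit table rds_user_log
TRIGGER_LOG = [
    TriggerLogRow(1001, "SCOTT"),
    TriggerLogRow(1003, "HR"),
]


if __name__ == "__main__":
    for row in find_unlogged_logons(AUDIT, TRIGGER_LOG):
        print(f"session {row.sessionid}: {row.username}@{row.userhost} "
              "connected but the logon trigger left no audit entry")
```

Inside the database the same check is a LEFT JOIN from DBA_AUDIT_SESSION to the trigger table on the session id with a NULL test on the trigger side; the point either way is that the built-in audit trail, not the trigger, is the record to trust, and that the only real fix is the CPU April 2007 patch.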