Bypass Oracle Logon Trigger

Name: Bypass Oracle Logon Trigger (7826485) [DB05]
Systems Affected: Oracle 8-10g Rel. 2
Severity: High Risk
Category: Bypass Security Feature (Database Logon Trigger)
Vendor URL: http://www.oracle.com/
Author: Alexander Kornbrust (ak at red-database-security.com)
CVE:
Advisory: 17 April 2007 (V 1.00)


Details
It is possible to bypass the Oracle database logon trigger. This can cause severe security problems.

Oracle database logon triggers are often used to restrict user access (e.g. based on time of day or IP address) and/or to write audit entries into (custom) tables.

Sample Database Logon Trigger:

-- Logon trigger which allows connects only from the IP addresses 192.168.2.121, 192.168.2.123 and 192.168.2.233,
-- and only during business hours (06:00 to 18:59).
-- This can be bypassed: every user can connect and execute SQL statements.
-- The audit entry into the table is also not written.

CREATE OR REPLACE TRIGGER rds_logon_trigger
AFTER LOGON ON DATABASE
BEGIN

  -- IP check. Note: SYS_CONTEXT('USERENV','IP_ADDRESS') is NULL for local (bequeath)
  -- connections, and NOT IN against NULL evaluates to NULL, so such connections are not rejected here.
  -- Users holding ADMINISTER DATABASE TRIGGER (e.g. SYS) are not blocked by errors raised in a logon trigger.
  IF SYS_CONTEXT('USERENV','IP_ADDRESS') not in ('192.168.2.121','192.168.2.123','192.168.2.233') THEN
    RAISE_APPLICATION_ERROR(-20003,'You are not allowed to connect to the database');
  END IF;

  -- Time check: reject logons before 06:00 or after 18:59 (either condition alone must reject, hence OR).
  IF (to_number(to_char(sysdate,'HH24')) < 6) or (to_number(to_char(sysdate,'HH24')) > 18) THEN
    RAISE_APPLICATION_ERROR(-20005,'Logon only allowed during business hours');
  END IF;

  -- insert data into an audit table
  -- the table rds_user_log must be created first!
  INSERT INTO rds_user_log VALUES(
    user,
    sys_context('USERENV','SESSIONID'),
    sys_context('USERENV','HOST'),
    null,
    null,
    null,
    sysdate,
    to_char(sysdate, 'hh24:mi:ss'),
    null,
    null,
    null
  );
END;
/
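As an added, defender-side example that is not part of the advisory: because a bypassed logon trigger also skips the audit INSERT, a DBA can reconcile the sessions currently connected against the custom audit table and flag any session that has no audit row. The table definition below is an assumption (the advisory only shows the INSERT's positional values, so the column names are mine), and the query relies on V$SESSION.AUDSID carrying the same value as SYS_CONTEXT('USERENV','SESSIONID').

```sql
-- Assumed definition of the audit table used by rds_logon_trigger.
-- Column names are hypothetical; the order matches the positional INSERT in the trigger.
CREATE TABLE rds_user_log (
  username    VARCHAR2(30),
  session_id  NUMBER,        -- SYS_CONTEXT('USERENV','SESSIONID')
  host        VARCHAR2(64),  -- SYS_CONTEXT('USERENV','HOST')
  spare1      VARCHAR2(64),
  spare2      VARCHAR2(64),
  spare3      VARCHAR2(64),
  logon_date  DATE,
  logon_time  VARCHAR2(8),   -- 'hh24:mi:ss'
  spare4      VARCHAR2(64),
  spare5      VARCHAR2(64),
  spare6      VARCHAR2(64)
);

-- Reconciliation check: user sessions that are connected right now
-- but for which the logon trigger never wrote an audit row.
-- V$SESSION.AUDSID is the value the trigger stores via SYS_CONTEXT('USERENV','SESSIONID').
-- Background processes (TYPE = 'BACKGROUND') and sessions with AUDSID 0 are excluded
-- because they never pass through a user logon.
SELECT s.sid,
       s.serial#,
       s.username,
       s.machine,
       s.osuser,
       s.program,
       TO_CHAR(s.logon_time, 'YYYY-MM-DD HH24:MI:SS') AS logon_time
  FROM v$session s
 WHERE s.type   = 'USER'
   AND s.audsid <> 0
   AND s.username IS NOT NULL
   AND NOT EXISTS (SELECT 1
                     FROM rds_user_log l
                    WHERE l.session_id = s.audsid)
 ORDER BY s.logon_time;
```

A session listed by this query either connected before the trigger or the table existed, belongs to an account whose logon the trigger does not record, or logged on without the trigger running; the last case is what this advisory describes, so the query is worth scheduling until the April 2007 CPU is applied. Because the trigger's INSERT is skipped for bypassed logons, the custom audit table alone cannot be trusted as the record of who connected; the live view, or Oracle's own session auditing where it is enabled, is the independent source to compare against.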

Patch Information
Apply the patches for Oracle CPU April 2007.


History
7-jun-2006 Oracle secalert was informed
8-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published


© 2007 by Red-Database-Security GmbH - last update 17-apr-2007