Bypass Oracle Logon Trigger
It is possible to bypass the Oracle database logon trigger. This can cause severe security problems.
Oracle database logon triggers are often used to restrict user access (e.g. based on time of day or client IP address) and/or to write audit entries into (custom) tables.
Sample Database Logon Trigger:
-- Logon trigger which allows connects only from the IP addresses 192.168.2.121, 192.168.2.123 and 192.168.2.233
-- and only during business hours (hour of day between 6 and 18).
-- On an unpatched database this trigger can be bypassed: every user can connect and execute SQL statements.
-- The audit entry into the table is then also not written.
CREATE OR REPLACE TRIGGER rds_logon_trigger
AFTER LOGON ON DATABASE
BEGIN
  -- Restrict access to the allowed client IP addresses
  IF SYS_CONTEXT('USERENV','IP_ADDRESS') NOT IN ('192.168.2.121','192.168.2.123','192.168.2.233') THEN
    RAISE_APPLICATION_ERROR(-20003,'You are not allowed to connect to the database');
  END IF;
  -- Restrict access to business hours (the original used AND here, which can never be true)
  IF (TO_NUMBER(TO_CHAR(SYSDATE,'HH24')) < 6) OR (TO_NUMBER(TO_CHAR(SYSDATE,'HH24')) > 18) THEN
    RAISE_APPLICATION_ERROR(-20005,'Logon only allowed during business hours');
  END IF;
  -- Insert data into an audit table (the table must be created first !!!)
  -- The VALUES list is truncated in the original advisory; the columns below are an assumption
  INSERT INTO rds_user_log VALUES (
    SYS_CONTEXT('USERENV','SESSION_USER'),
    SYS_CONTEXT('USERENV','IP_ADDRESS'),
    SYSDATE);
END;
/
Apply the patches for Oracle CPU April 2007.
7-jun-2006 Oracle secalert was informed
8-jun-2006 Bug confirmed
17-apr-2007 Oracle published CPU April 2007 [DB05]
17-apr-2007 Advisory published
© 2007 by Red-Database-Security GmbH - last update 17-apr-2007