8.1. Tricking Oracle into Dropping a Policy
VPDs are created using the DBMS_RLS package. The DBMS_FGA package can also be used — it does exactly the same thing. Incidentally, the RLS stands for row-level security, and the FGA stands for fine-grained access. If we want to see who can execute these packages, we get the following:
SQL> select grantee,privilege from dba_tab_privs where table_name ='DBMS_RLS';

GRANTEE                        PRIVILEGE
------------------------------ ----------
EXECUTE_CATALOG_ROLE           EXECUTE
XDB                            EXECUTE
WKSYS                          EXECUTE

SQL> select grantee,privilege from dba_tab_privs where table_name ='DBMS_FGA';

GRANTEE                        PRIVILEGE
------------------------------ ----------
EXECUTE_CATALOG_ROLE           EXECUTE
Looking at this, if we can execute code as XDB or WKSYS, then we can manipulate RLS policies. Before we start, let's set up a simple VPD. First, create the user who will own the VPD:
SQL> CONNECT / AS SYSDBA
Connected.
SQL> CREATE USER VPD IDENTIFIED BY PASS123;

User created.

SQL> GRANT CREATE SESSION TO VPD;

Grant succeeded.

SQL> GRANT CREATE TABLE TO VPD;

Grant succeeded.

SQL> GRANT CREATE PROCEDURE TO VPD;
SQL> GRANT UNLIMITED TABLESPACE TO VPD;

Grant succeeded.

SQL> GRANT EXECUTE ON DBMS_RLS TO VPD;

Grant succeeded.
With that done, we can set up a table for use as a VPD. For this example, we'll create a table that stores army orders:
SQL> CONNECT VPD/PASS123
Connected.
SQL> CREATE TABLE VPDTESTTABLE (CLASSIFICATION VARCHAR2(20),
  2  ORDER_TEXT VARCHAR(20), RANK VARCHAR2(20));

Table created.

SQL> GRANT SELECT ON VPDTESTTABLE ...
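The set-up above stops short of attaching a policy to the table. As an added example (not the book's code), the following finishes it with a hypothetical policy function and policy name on VPDTESTTABLE, then extends the section's DBA_TAB_PRIVS check so that users who reach DBMS_RLS or DBMS_FGA only through EXECUTE_CATALOG_ROLE (or a role that holds it) are listed as well, since a direct-grantee query alone understates who can alter or drop a policy.

```sql
-- Added example, not from the book. Assumes the VPD user and the
-- VPDTESTTABLE columns from the section; ORDERS_PREDICATE and
-- ORDERS_POLICY are names invented for this example.

-- 1. As VPD: a policy function. DBMS_RLS calls it with the schema and
--    object name and appends the returned predicate to every query on
--    the table. Here rows marked CLASSIFIED are hidden from everyone
--    except a session logged in as the (hypothetical) user OFFICER.
CREATE OR REPLACE FUNCTION VPD.ORDERS_PREDICATE
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
AS
BEGIN
  RETURN q'[CLASSIFICATION <> 'CLASSIFIED'
            OR SYS_CONTEXT('USERENV','SESSION_USER') = 'OFFICER']';
END;
/

-- 2. As VPD: register the policy (this is the step an attacker who can
--    call DBMS_RLS.DROP_POLICY as the owner would undo).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'VPD',
    object_name     => 'VPDTESTTABLE',
    policy_name     => 'ORDERS_POLICY',
    function_schema => 'VPD',
    policy_function => 'ORDERS_PREDICATE',
    statement_types => 'SELECT');
END;
/

-- 3. As a DBA: who can really execute DBMS_RLS / DBMS_FGA?
--    The section's query shows direct grantees, one of which is a role.
--    Walk DBA_ROLE_PRIVS upward from that role so every user that
--    inherits EXECUTE through a role chain is reported too.
--    (Holders of the EXECUTE ANY PROCEDURE system privilege can call
--    the packages as well; check DBA_SYS_PRIVS for those separately.)
SELECT DISTINCT grantee
  FROM (
    SELECT grantee
      FROM dba_tab_privs
     WHERE table_name IN ('DBMS_RLS','DBMS_FGA') AND privilege = 'EXECUTE'
    UNION ALL
    SELECT grantee
      FROM dba_role_privs
     START WITH granted_role IN (
           SELECT grantee FROM dba_tab_privs
            WHERE table_name IN ('DBMS_RLS','DBMS_FGA') AND privilege = 'EXECUTE')
     CONNECT BY PRIOR grantee = granted_role
  )
 WHERE grantee IN (SELECT username FROM dba_users)
 ORDER BY grantee;
```

Run the final query periodically and compare it against the expected list; a new user appearing there means someone has gained the ability to drop or rewrite every VPD policy on the instance.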