Securing external program execution (EXTPROC)

Some database applications can use external dynamic libraries implemented in a language such as C or C++. Usually these external libraries are developed for performance reasons, but they can also represent a major security threat by being replaced with ones that contain malicious code. Therefore this feature must be used with maximum precaution.

The listener process allows executing external programs using a dedicated program named extproc, which is located by default at $ORACLE_HOME/bin. The access to these external libraries can be configured within the listener configuration file listener.ora.

The following is a configuration example from listener.ora that allows executing a specific library:

  (SID_LIST =
    (SID_DESC =
      (SID_NAME = CLRExtProc)
      (ORACLE_HOME = /u01/app/oracle/product/11.2.0/db/)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:/home/oracle/appclrso.so")
    )
  )

The corresponding entry for extproc from tnsnames.ora is as follows:

EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
    )
  )

In this recipe we will demonstrate some security recommendations related to extproc.

Getting ready

All steps will be performed on nodeorcl1.

How to do it...

By using a configuration similar to the example provided earlier, an attacker may fake without too much effort the libraries called by extproc.

  1. By calling external procedures with a listener started under oracle user, they will have identical read and write privileges. An attacker who gained access to the application user and oracle user, can simply replace the library called by extproc with a soft link pointing to other libraries:
     mv /home/oracle/appclrso.so /home/oracle/appclrso.so1
ln –s /lib64/libc-2.5.so /home/oracle/appclrso.so
SQL> create or replace library ex_cmd as '/home/oracle/appclrso.so';
SQL> create or replace procedure execute_cmd(command IN CHAR)
 is external
name "system"
library ex_cmd
language c;
SQL> exec execute_cmd("<os command>");
  2. To prevent read/write access on files owned by oracle by external procedures a good solution is to define extproc in a different listener which will be owned by a different user than Oracle. This user should not have read and write privileges on files owned by Oracle.

How it works...

The communication between extproc and external libraries is performed using interprocess communication (PROTOCOL = IPC).

There's more...

Other security recommendations related to extproc are as follows:

  • Use an IDS tool such as Tripwire covered in Using Tripwire for file integrity checking recipe in Chapter 1, Operating System Security to perform periodical checks on external libraries and Oracle network configuration files (listener.ora, sqlnet.ora, and tnsnames.ora)
  • Make the libraries used by external procedures immutable, a subject covered in Chapter 1, Using immutable files to prevent modifications, to prevent replacement or code injection
  • If you do not use external libraries, remove the extproc executable and delete the extproc entries from listener.ora
  • You may trace the extproc agent if you have suspicions about being attacked by using the TRACE_LEVEL_AGENT sqlnet.ora parameter
  • Do not use the EXTPROC_DLLS=ANY specifier, always use EXTPROC_DLL=ONLY:<library name>

See Also

  • The Using Tripwire for file integrity checking recipe in Chapter 1, Operating System Security
  • The Using immutable files to prevent modifications recipe in Chapter 1, Operating System Security
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.117.158.165