What is EXTPROC in Oracle?

For security reasons, I asked the DB team to add EXTPROC_DLLS:ONLY, but they said this:

"Please keep in mind that KEY = EXTPROC1526 does not refer to any external process at all. It is just a key used by processes to invoke Oraxxx over IPC. The key can be any value, and the same key value must be passed through tnsnames.ora."

It seems to me that this is wrong. Could you help me with this? What is the exact purpose of EXTPROC, and what happens if we don't add EXTPROC_DLLS:ONLY?

+3




2 answers


Any program that connects to the Oracle database requires the Extproc agent. PL/SQL, for example, requires Extproc to work with Oracle.

More info on security here (I may have missed some links):



Description
***********
The Oracle database server supports PL/SQL, a programming language. PL/SQL can execute external procedures via extproc. Over the past few years there have been a number of vulnerabilities in this area.

Extproc is intended only to accept requests from the Oracle database server, but local users can still execute commands, bypassing this restriction.

Details
*******
No authentication takes place when extproc is asked to load a library and execute a function. This allows local users to run commands as the Oracle user (oracle on Unix and SYSTEM on Windows). If configured properly, under 10g extproc runs as nobody on *nix systems, so the risk posed here is minimal but still present.

and here.

+2




Unlike other databases, Oracle does not let plugins into its own address space. In the case of MySQL / PostgreSQL, the .dll plugin (C stored procedure) is loaded by the main database process. Oracle instead has the listener start a separate process, extproc (or extproc32). This process loads the shared library, and the rest of the database talks to it over IPC.

This approach is safer, since the external library cannot crash the database or corrupt the data. On the other hand, C stored procedures can sometimes be slower than Java.

This parameter limits the paths of the .dll files that extproc may load, i.e. those created with the CREATE LIBRARY statement.

PS: The use of C stored procedures is very rare; if you don't use them, you can freely remove the entire extproc stanza from listener.ora.



PS1: a possible scenario for abusing extproc:

  • The user must have CREATE LIBRARY, which is not usually granted.
  • extproc is not configured to run with reduced privileges.
  • The user creates a malicious .so library that does something "evil" during initialization.
  • The user places this file in the /tmp directory.
  • The user creates an Oracle LIBRARY pointing to /tmp with the CREATE LIBRARY statement.
  • The user forces extproc to dlopen this library.
  • extproc executes the evil code with the OS privileges of oracle:dba.

When this restriction, EXTPROC_DLLS:ONLY, is in use, developers must cooperate with DBAs, and only whitelisted libraries can be used.

+1


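As an added illustration (not code from this thread, from its answerers, or from Oracle), a small Python audit of the scenario in the answer above: it parses a listener.ora written in Oracle's name-value syntax and reports, for every SID_DESC that launches extproc or extproc32, whether EXTPROC_DLLS is ANY, absent, or an ONLY: allow-list. In the actual syntax the restriction is written as EXTPROC_DLLS=ONLY:/path/one.so:/path/two.so inside the SID_DESC's ENVS string, and when the variable is absent extproc loads only libraries under $ORACLE_HOME/bin and $ORACLE_HOME/lib. The embedded listener.ora, its SID names, the IPC key and the library paths are constructed for the example; ENVS values are assumed to be double-quoted, as in Oracle's own examples, and paths to be Unix-style (colon-separated).

```python
import re

# Oracle name-value (NV) syntax as used by listener.ora: '#' comments (dropped),
# double-quoted strings, the punctuation ( ) =, or bare atoms.
_TOKEN = re.compile(r'\s*(?:#[^\n]*|"([^"]*)"|([()=])|([^\s()="#]+))')

def tokenize(text):
    """Split NV text into (kind, value) tokens, kind in {'str', 'punct', 'atom'}."""
    tokens, pos = [], 0
    while (m := _TOKEN.match(text, pos)) is not None:   # None once only whitespace is left
        pos = m.end()
        quoted, punct, atom = m.groups()
        if quoted is not None:
            tokens.append(('str', quoted))
        elif punct is not None:
            tokens.append(('punct', punct))
        elif atom is not None:
            tokens.append(('atom', atom))                # else: a comment, dropped
    return tokens

def parse_nv(text):
    """Parse NV text into [(NAME, value)]; value is a string or a nested list of
    pairs, e.g. A = (B = 1)(C = 2) -> [('A', [('B', '1'), ('C', '2')])]."""
    toks, pos = tokenize(text), 0

    def take(kind, value=None):
        nonlocal pos
        k, v = toks[pos]
        if k != kind or value not in (None, v):
            raise ValueError(f'unexpected token {v!r} at #{pos}')
        pos += 1
        return v

    def parse_value():
        if toks[pos] != ('punct', '('):                  # scalar: atom or "string"
            return take('str' if toks[pos][0] == 'str' else 'atom')
        items = []
        while pos < len(toks) and toks[pos] == ('punct', '('):
            take('punct', '(')
            name = take('atom').upper()
            take('punct', '=')
            items.append((name, parse_value()))
            take('punct', ')')
        return items

    top = []
    while pos < len(toks):                               # NAME = value, repeated
        name = take('atom').upper()
        take('punct', '=')
        top.append((name, parse_value()))
    return top

def classify_extproc_dlls(envs):
    """EXTPROC_DLLS in an ENVS string -> ('ANY', []), ('ONLY', [libs]) or ('DEFAULT', [])
    when absent (extproc then loads only from $ORACLE_HOME/bin and lib). Unix ':' paths assumed."""
    for entry in envs.split(','):
        key, _, value = entry.partition('=')
        if key.strip().upper() == 'EXTPROC_DLLS':
            parts = value.strip().split(':')
            if parts[0].upper() == 'ANY':
                return ('ANY', [])
            if parts[0].upper() == 'ONLY':
                return ('ONLY', [p for p in parts[1:] if p])
            break                                        # unknown value: treat as unset
    return ('DEFAULT', [])

def audit_listener(text):
    """(SID_NAME, status, allowed_paths) for every SID_DESC that launches extproc
    or extproc32, in file order; other static SIDs are skipped."""
    findings = []

    def walk(items):
        for name, value in items:
            if isinstance(value, list):
                if name == 'SID_DESC':
                    desc = {k: v for k, v in value if isinstance(v, str)}
                    if desc.get('PROGRAM', '').lower() in ('extproc', 'extproc32'):
                        status, paths = classify_extproc_dlls(desc.get('ENVS', ''))
                        findings.append((desc.get('SID_NAME', '?'), status, paths))
                walk(value)

    walk(parse_nv(text))
    return findings

# Constructed listener.ora: a weak extproc entry, an allow-listed one and a plain SID.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST = (DESCRIPTION = (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1526))))
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =   # weak: extproc dlopen()s whatever path the LIBRARY object names
      (SID_NAME = PLSExtProc) (ORACLE_HOME = /u01/app/oracle/product/19.0.0/dbhome_1)
      (PROGRAM = extproc) (ENVS = "EXTPROC_DLLS=ANY"))
    (SID_DESC =   # hardened: explicit allow-list agreed between developers and DBAs
      (SID_NAME = PLSExtProcSafe) (ORACLE_HOME = /u01/app/oracle/product/19.0.0/dbhome_1)
      (PROGRAM = extproc)
      (ENVS = "EXTPROC_DLLS=ONLY:/u01/app/oracle/extlib/libcheck.so,LD_LIBRARY_PATH=/u01/app/oracle/extlib"))
    (SID_DESC = (SID_NAME = ORCL) (ORACLE_HOME = /u01/app/oracle/product/19.0.0/dbhome_1)))
"""

if __name__ == '__main__':
    print(*audit_listener(SAMPLE_LISTENER_ORA), sep='\n')
```

Run as a script it prints one tuple per extproc entry of the embedded sample; to check your own installation, pass the contents of $ORACLE_HOME/network/admin/listener.ora to audit_listener. A status of ANY is the weak setting the answer warns about; DEFAULT still leaves an extproc that a CREATE LIBRARY holder can reach, just restricted to ORACLE_HOME libraries, which is why removing the stanza entirely is the simplest fix when external procedures are not used. From 11g onward extproc can also be started by the database directly, configured through $ORACLE_HOME/hs/admin/extproc.ora (a SET EXTPROC_DLLS= line); this listener-only check does not cover that file.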

