Researcher says Oracle should fix fundamental flaws, not patch the code

Aug 11, 2014 07:43 GMT

Oracle's Data Redaction feature, designed for selective, real-time masking of sensitive database information in query results, can be bypassed without much effort, according to security expert David Litchfield.

Employed at Datacomm TSS and a recognized authority on database security, Litchfield gave a presentation titled “Oracle Data Redaction Is Broken” at the DefCon hacker convention last week.

He told the audience that the feature, which is supposed to keep sensitive information out of SQL query results, can be defeated without complicated methods, and that the weaknesses can be used to launch privilege escalation attacks.

During his demonstration, he showed how a remote attacker could obtain the privileges needed to access the redacted information by injecting SQL queries, according to The Register.

In the paper disclosing some of his findings, the security expert says that privilege escalation can also be achieved through DBMS_REDACT:

“Anyone with the privileges to execute DBMS_REDACT can create redaction policies on any table in any schema except the SYS schema. As such, an attacker can execute code as that user by passing a nefarious function in the ‘EXPRESSION’ clause of DBMS_REDACT. When that owner next queries the table the attacker's function will execute.”
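An audit a DBA can run to review the two things the quoted finding hinges on: who holds EXECUTE on DBMS_REDACT, and what the EXPRESSION of each existing redaction policy actually evaluates. This is an added example, not code from Litchfield's paper; it assumes the standard Oracle 12c dictionary views DBA_TAB_PRIVS and REDACTION_POLICIES and a session with privileges to read them.

```sql
-- Added audit example (assumes Oracle 12c dictionary views; not from the original article).

-- 1. Who can execute DBMS_REDACT, and therefore define policies on other users' tables?
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_REDACT'
 ORDER BY grantee;

-- 2. Which redaction policies exist, and what does each EXPRESSION evaluate?
--    The expression runs in the session of whoever queries the protected table,
--    so any expression that calls a function (rather than a plain predicate such as
--    1=1) is flagged for manual review. Legitimate SYS_CONTEXT(...) calls are
--    flagged too; the point is that a human confirms each one.
SELECT object_owner,
       object_name,
       policy_name,
       enable,
       expression,
       CASE
         WHEN REGEXP_LIKE(expression, '[A-Za-z_$#.]+[[:space:]]*\(') THEN 'REVIEW'
         ELSE 'ok'
       END AS flag
  FROM redaction_policies
 ORDER BY object_owner, object_name, policy_name;
```

Run both queries after any DBMS_REDACT grant changes; a policy whose expression references a function owned by a user other than the table owner is the pattern the quoted text describes.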

At the convention, Litchfield said that Oracle has a slow patching process and also issues broken or incomplete fixes. According to The Register, he told the DefCon audience that Oracle engineers prefer to patch the code rather than repair the fundamental flaw.