UTL_FILE: Understanding how it is used...... A practical approach

-

In my previous post I talked about Auditing UTL_FILE_DIR parameter file entry. If you haven't read it, you can check it out here.

In this post I will be focusing on how the UTL_FILE package is actually used to transfer files to the host operating system from the database. This post will be showing you exactly how dangerous the package can be in the hands of a malicious person.

Note that EXECUTE on the UTL_FILE package is granted to PUBLIC by default. What this means is that any user created in the database automatically has the right to use this package.

Enough of the stories. Now lets get straight to business


I will perform this exercise with steps for easy understanding. So lets go

What is needed for this exercise
a. Oracle Database 10g and above
b. DBA privilege


1. Create a directory object. Let us call the directory "utl_dir". in this post I will use the location 'C:\Users\05992\Favorites\Desktop\testing'

create or replace directory utl_dir
as 'C:\Users\05992\Favorites\Desktop\testing'

This is the only way oracle can recognise any directory in the operating system.
Directory objects are database object, and database object names are stored in UPPERCASE by default. Even if the ‘create directory’ command you issued had the directory name in lowercase, unless you put it within quotes, the directory name will be stored in UPPERCASE.

2. Confirm that directory object is created

select * from dba_directories


3. Grant read write on the utl_dir directory object to Public.

grant read, write on directory utl_dir to public;

Note in the real world sense it is best practice to grant object permissions to specific entities that require it.

Now that our directory object is ready and granted to all necessary parties, its time to write our plsql to write into the operating system.

-- PLSQL to open a file and write a line into the file then close the file
declare 
  fhandle  utl_file.file_type;
begin
  fhandle := utl_file.fopen(
                'UTL_DIR'     -- File location
              , 'ITCASXP_test_file.txt' -- File name
              , 'w' -- Open mode: w = write. 
                  );
  utl_file.put(fhandle, 'This is a tutorial from ITCASXP'
                      || CHR(100));
  utl_file.fclose(fhandle);
exception
  when others then 
    dbms_output.put_line('ERROR: ' || SQLCODE 
                      || ' - ' || SQLERRM);
    raise;
end;
/

Notice that the file named ITCASXP_test_file.txt has been created in the location 'C:\Users\05992\Favorites\Desktop\testing'.
Also notice that the test 'This is a tutorial from ITCASXP' has been added to the text file.


Now you can understand why this package, if not well protected can be really dangerous if accessed by malicious persons.

I hope you enjoyed this little exercise.

Comments

Post a Comment

Popular posts from this blog

Auditing Virtualization

-
Image
Virtualization is the process of creating virtual, representation of an entity, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses by reducing hardware footprint while boosting efficiency and agility for all size businesses. However good as it is, virtualization can create a single point of failure if poor implementation introduced a security flaw to the system. In this post I will be sharing with you how to audit virtualization.
Read more

How to Identify if the capacity of your FLASH storage device is genuine or counterfeit

-
Image
Have you at some time purchased a flash drive  or memory card that always stored corrupt data? You paid for a 64gig memory card and all you stored in it is simply just got corrupted. I have been a victim several times even with reputable retailers. These counterfeit flash storages are low capacity in nature, devices that have been maliciously altered so that they appear to have much more capacity than its original. An example is the 64 gig memory card I purchased which ended up having actual capacity of 2gig. So I actually paid for 2gig. Now I didn't get to know this on time because I actually copied a video file inside it as a test which checked out fine. The video file size was 1.5gb. I was able to play the video with no issue of corruption. Thus I "Assumed" the flash was genuine. Boy was I wrong. Later in the week I decided to do a major backup of my mobile phone since I was purchasing another one. After the backup, I formatted ...
Read more

Address Resolution Protocol (ARP): Understanding the basics

-
Image
Address resolution Protocol or ARP for short is basically used to resolve an IP address to a MAC address. A MAC address is a unique identifier for any device. And since we are talking networking today, The mac address we will be concentration on is that of a network device. Its important to note that, no two device can have the same mac address. Whenever a network device needs to communicate with another network device in a Local Area Network, it needs the MAC address of that device. This is where ARP comes to play. Lets take a look at the scenario bellow to clearly understand this concept: 1. There are 2 computers say A and B on the network. 2. They have both been assigned an IP address as seen below:        A: 192.168.0.1        B: 192.168.0.2 3. Computer A needs to communicate with computer B. 4. It looks at a list for the IP address to see if it has a corresponding MAC address. This list is called an ARP Cache. 5. If the en...
Read more