{"id":2201,"date":"2016-08-11T14:46:40","date_gmt":"2016-08-11T17:46:40","guid":{"rendered":"http:\/\/www.dbarj.com.br\/?p=2201"},"modified":"2016-08-11T15:11:40","modified_gmt":"2016-08-11T18:11:40","slug":"protect-create-public-synonym-privilege-escalation","status":"publish","type":"post","link":"https:\/\/www.dbarj.com.br\/en\/2016\/08\/protect-create-public-synonym-privilege-escalation\/","title":{"rendered":"How to protect CREATE PUBLIC SYNONYM against privilege escalation"},"content":{"rendered":"<p>During my last presentation at <strong>GUOB Tech Tour 2016 &#8211; Oracle Technology Tour LA &#8211; Brazil<\/strong>, I demonstrated how easily the CREATE PUBLIC SYNONYM privilege can be used to escalate to DBA privileges.<\/p>\n<p>In this article, I will share a package that I created and use in my systems to let users create their own public synonyms without compromising security.<\/p>\n<p>So, let&#8217;s begin.<\/p>\n<h2><span style=\"color: #000080;\">How does it work?<\/span><\/h2>\n<p><strong>The package lets a user create public synonyms only for his own objects, and drop only public synonyms that point to one of his objects.<\/strong><\/p>\n<h3><span style=\"color: #000080;\">Give the necessary grants to the package owner<\/span><\/h3>\n<p>First of all, this package must be created in a schema that holds the following minimal privileges, granted directly (not via a ROLE, because role privileges are not active inside definer&#8217;s rights PL\/SQL):<\/p>\n<ul>\n<li><strong><span style=\"color: #800000;\">SELECT on DBA_SYNONYMS<\/span><\/strong><\/li>\n<li><strong><span style=\"color: #800000;\">CREATE PUBLIC SYNONYM<\/span><\/strong><\/li>\n<li><span style=\"color: #800000;\"><strong>DROP PUBLIC SYNONYM<\/strong><\/span><\/li>\n<\/ul>\n<h3>1. Create the package<\/h3>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">CREATE OR REPLACE PACKAGE MANAGE_PUBLIC_SYNONYM AS\r\n  -- Created by Rodrigo Jorge - www.dbarj.com.br --\r\n  -- Definer's rights package: it runs with the package owner's privileges,\r\n  -- but every action is restricted to the calling session user's own objects.\r\n  PROCEDURE CREATE_SYNONYM(SYNONYM_NAME IN VARCHAR2, OBJECT_NAME IN VARCHAR2);\r\n  PROCEDURE DROP_SYNONYM(SYNONYM_NAME IN VARCHAR2);\r\nEND;\r\n\/<\/pre>\n<h3>2. Create the package body<\/h3>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">CREATE OR REPLACE PACKAGE BODY MANAGE_PUBLIC_SYNONYM AS\r\n  -- Created by Rodrigo Jorge - www.dbarj.com.br --\r\n\r\n  -- Returns TRUE when a PUBLIC synonym with exactly this name already exists.\r\n  FUNCTION CHECK_EXISTS(SYN_NAME IN VARCHAR2) RETURN BOOLEAN IS\r\n    OUT_RESULT NUMBER;\r\n  BEGIN\r\n    SELECT 1\r\n    INTO   OUT_RESULT\r\n    FROM   DBA_SYNONYMS\r\n    WHERE  OWNER = 'PUBLIC'\r\n    AND    SYNONYM_NAME = SYN_NAME;\r\n    RETURN TRUE;\r\n  EXCEPTION\r\n    WHEN NO_DATA_FOUND THEN\r\n      RETURN FALSE;\r\n  END;\r\n\r\n  -- Returns the schema that owns the object the PUBLIC synonym points to.\r\n  FUNCTION GET_PUBLIC_SYN_OWNER(SYN_NAME IN VARCHAR2) RETURN VARCHAR2 IS\r\n    OUT_RESULT VARCHAR2(30);\r\n  BEGIN\r\n    SELECT TABLE_OWNER\r\n    INTO   OUT_RESULT\r\n    FROM   DBA_SYNONYMS\r\n    WHERE  OWNER = 'PUBLIC'\r\n    AND    SYNONYM_NAME = SYN_NAME;\r\n    RETURN OUT_RESULT;\r\n  END;\r\n\r\n  -- Maps the package error codes to user-facing messages.\r\n  PROCEDURE RAISE_ERROR(IN_CODE IN NUMBER) IS\r\n  BEGIN\r\n    CASE IN_CODE\r\n      WHEN -20001 THEN\r\n        RAISE_APPLICATION_ERROR(IN_CODE, 'Synonym already exists.');\r\n      WHEN -20002 THEN\r\n        RAISE_APPLICATION_ERROR(IN_CODE, 'Synonym does not exist.');\r\n      WHEN -20003 THEN\r\n        RAISE_APPLICATION_ERROR(IN_CODE, 'Synonym is not yours.');\r\n      ELSE\r\n        RAISE_APPLICATION_ERROR(-20999, 'Generic error.');\r\n    END CASE;\r\n  END;\r\n\r\n  -- Creates a PUBLIC synonym that can only point to an object in the caller's own schema:\r\n  -- the target is always qualified with SESSION_USER, never with a caller-supplied owner.\r\n  PROCEDURE CREATE_SYNONYM(SYNONYM_NAME IN VARCHAR2, OBJECT_NAME IN VARCHAR2) IS\r\n    SESS_USER VARCHAR2(30);\r\n  BEGIN\r\n    IF CHECK_EXISTS(SYNONYM_NAME) = TRUE\r\n    THEN\r\n      RAISE_ERROR(-20001);\r\n    END IF;\r\n    -- SESSION_USER is the logged-in user even inside this definer's rights package\r\n    -- (CURRENT_USER here would return the package owner).\r\n    SESS_USER := SYS_CONTEXT('USERENV', 'SESSION_USER');\r\n    -- DBMS_ASSERT.ENQUOTE_NAME quotes each identifier as given (no uppercasing) and\r\n    -- raises an error on any unbalanced double quote, so the parameters cannot inject SQL.\r\n    EXECUTE IMMEDIATE 'CREATE PUBLIC SYNONYM ' || DBMS_ASSERT.ENQUOTE_NAME(SYNONYM_NAME, FALSE) || ' FOR ' || DBMS_ASSERT.ENQUOTE_NAME(SESS_USER, FALSE) || '.' || DBMS_ASSERT.ENQUOTE_NAME(OBJECT_NAME, FALSE);\r\n  END;\r\n\r\n  -- Drops a PUBLIC synonym only when the object it points to belongs to the caller.\r\n  PROCEDURE DROP_SYNONYM(SYNONYM_NAME IN VARCHAR2) IS\r\n    OBJ_OWNER VARCHAR2(30);\r\n    SESS_USER VARCHAR2(30);\r\n  BEGIN\r\n    IF CHECK_EXISTS(SYNONYM_NAME) = FALSE\r\n    THEN\r\n      RAISE_ERROR(-20002);\r\n    END IF;\r\n    OBJ_OWNER := GET_PUBLIC_SYN_OWNER(SYNONYM_NAME);\r\n    SESS_USER := SYS_CONTEXT('USERENV', 'SESSION_USER');\r\n    IF OBJ_OWNER &lt;&gt; SESS_USER\r\n    THEN\r\n      RAISE_ERROR(-20003);\r\n    END IF;\r\n    EXECUTE IMMEDIATE 'DROP PUBLIC SYNONYM ' || DBMS_ASSERT.ENQUOTE_NAME(SYNONYM_NAME, FALSE);\r\n  END;\r\n\r\nEND;\r\n\/<\/pre>\n<h3>3. Grant execute privilege on the package to the users that need public synonyms<\/h3>\n<p>Example:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">GRANT EXECUTE ON MANAGE_PUBLIC_SYNONYM TO SCOTT;<\/pre>\n<p>Optionally, you can also create a private synonym in the user&#8217;s schema so he does not have to prefix the package with its owner every time (run this from the package owner&#8217;s schema, so the unqualified name resolves to the package):<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">CREATE SYNONYM SCOTT.MANAGE_PUBLIC_SYNONYM FOR MANAGE_PUBLIC_SYNONYM;<\/pre>\n<p>And that&#8217;s it.<\/p>\n<h2><span style=\"color: #000080;\">How to use?<\/span><\/h2>\n<h3>To create a public synonym<\/h3>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">BEGIN\r\n  MANAGE_PUBLIC_SYNONYM.CREATE_SYNONYM('EMP','EMP');\r\nEND;\r\n\/<\/pre>\n<h3>To drop a public synonym<\/h3>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"oracledb\">BEGIN\r\n  MANAGE_PUBLIC_SYNONYM.DROP_SYNONYM('EMP');\r\nEND;\r\n\/<\/pre>\n<p>Pass the names in the case they have in the data dictionary (normally uppercase): the package quotes them exactly as given and does not uppercase them.<\/p>\n<p>And <span style=\"text-decoration: underline;\">remember<\/span>: you will not be able to touch another user&#8217;s public synonym.<\/p>\n<b>Have you enjoyed? 
Please leave a comment or give a \ud83d\udc4d!<\/b>\n","protected":false},"excerpt":{"rendered":"<p>During my last presentation on GUOB Tech Tour 2016 &#8211; Oracle Technology Tour LA &#8211; Brazil, I demonstrate how we could easily use the CREATE PUBLIC SYNONYM privilege to escalate and get DBA privilege. In this article, I will give you a\u00a0package that I&#8217;ve created and I use in my systems to allow users to &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/www.dbarj.com.br\/en\/2016\/08\/protect-create-public-synonym-privilege-escalation\/\">Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,15],"tags":[],"class_list":["post-2201","post","type-post","status-publish","format-standard","hentry","category-security-en","category-database-en","item-wrap"],"_links":{"self":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/2201","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/comments?post=2201"}],"version-history":[{"count":0,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/2201\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/media?parent=2201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/categories?post=2201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/tags?post=2201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}