Checking if ADMIN_RESTRICTIONS is Enabled

Wednesday, August 04, 2010

Application Security, Inc.

46d1980e375ce08915b30d9a328c2fdc

By Alex Rothacker, Manager Team SHATTER, Application Security, Inc. 

Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has starting taking database security and vulnerability questions.

Our first question was submitted by @jedimercer asking:

How can I verify ADMIN_RESTRICTIONS is enabled on an Oracle Database when I can access the TNS listener but I do not have database credentials?

In order to check the ADMIN_RESTRICTIONS flag, it usually requires proper credentials to the Oracle database. However, there is an unofficial way to work around this if you have access to the listener.

Trying to set the LOG_STATUS will return a TNS-12508 error if the ADMIN_RESTRICTIONS flag is set.

See the following example from the lsnrctl prompt:

LSNRCTL> show LOG_STATUS

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))

LISTENER parameter "log_status" set to ON

The command completed successfully

LSNRCTL> SET LOG_STATUS ON

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))

TNS-12508: TNS:listener could not resolve the COMMAND given

First, get the current status of the LOG_STATUS flag and then try to set it to that same status. You're not trying to change any settings here - you just want to know if you can.  

In the case that the SET LOG_STATUS command succeeds, the ADMIN_RESTRICTIONS flag is not set.

Do you have a question for Team SHATTER? Leave us a question in the comments space below or @TeamSHATTER on Twitter.

Cross posted from Database Security 3.0.

Possibly Related Articles:
18304
General
Databases Oracle
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.