Whoopee! I’m a Domain Admin

One of the first things I like to do at any new customer, employer or potential victim is to have a quick look around. It isn’t very professional or even organised, and no, I don’t have any automated scripts to do it. As my new employer is a huge Windows shop with very little in the way of Unix or grown-up operating systems, I thought I’d dig in to how their Oracle instances had been set up. Was I in for a pleasant surprise…

Now Oracle on Windows is a bit weird. Each instance registers itself with the operating system as a service. Behind the scenes all it really does is launch the ORACLE.EXE executable with a few arguments, one of which is your instance name. There are good reasons why it does this, as Windows adopts a threading rather than process-based model, so all perfectly normal.

The important thing to remember here is that you can choose which operating system user this service runs as, and this in turn determines what privileges the database has in the wider world. In times past the default was to run the instance as LocalSystem, a rather restricted account that had very few if any network privileges. On Oracle RAC it was common to change this to an arbitrary user “trusted” on each of your cluster nodes. The big no-no was always: never, ever run your database as a domain admin. So imagine my surprise when I found out what the user account for most of my production databases was…err…yep.

Why is this a bad idea? Well, for starters it’s like running your database as root in the grown-up world: you know it isn’t going to end well. Also, Oracle has a built-in Java VM which allows you to create database packages that can talk to the operating system and, by extension, the outside world. Here’s a quick example where I’ve deliberately messed up the syntax a little to discourage blind copying and pasting.

CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED “command_exe” as
import java.io.*;
public class command_exe{public static string DoIt(String MyCommand){try{Runtime.getRuntime().exec(MyCommand);Return(“0”);}catch (Exception e) {System.out.println(“Ooops, failed:” + MyCommand + “`n”);return(“1”) }}}

CREATE or REPLACE FUNCTION COMMANDER(OSCommand IN VARCHAR2)
RETURN VARCHAR2 IS
LANGUAGE JAVA
NAME “command_exe(Java.lang.String) return int’;
/

DECLARE
result number;
badcommand varchar2(255);
BEGIN
badcommand := ‘cmd.exe /C’||’net use Z: \\finance\directors\salaries’;
result := COMMANDER(badcommand);
END;
/

In short, with a little Java and PL/SQL knowledge and a huge cock-up from one of my predecessors, I can do absolutely anything on our network so long as it isn’t interactive. And the best part is that no operating system auditing can catch it, as it will just show up as the user account running one of our many databases.

I feel a pay rise, some free training courses and an unlimited expense account may be lurking in my future…

Running Oracle as a Domain Admin is BAD – Don’t Do It.
In Oracle 12c things get a little better. On installation you are forced to choose a Windows account that not only owns the Oracle software but is also used as the account under which the Oracle services run. Sadly it is still possible to override this, so being a dumbass hasn’t completely gone away.
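Because the override is still possible, the quickest way to catch it is to ask the machine directly. The script below is an added example, not something from the original post: it lists every Windows service that launches ORACLE.EXE (one per instance, as described above), reports the account each runs as, and flags any account that is a direct member of Domain Admins. It assumes a domain-joined host with line of sight to a domain controller; nested group membership is not resolved, so a clean result is a first pass, not proof.

```powershell
# Added example (not from the original post). Requires a domain-joined host;
# uses only Win32_Service and an LDAP lookup via [ADSISearcher].

function Get-OracleServiceAccounts {
    # Oracle registers one service per instance; each launches ORACLE.EXE.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match 'oracle\.exe' } |
        Select-Object Name, StartName, State, PathName
}

function Test-DomainAdminMember {
    param([string]$Account)   # e.g. 'CORP\oradba', 'oradba@corp.local', 'LocalSystem'

    # Built-in machine accounts (LocalSystem, NT AUTHORITY\...) are not domain users.
    if ($Account -match '^(LocalSystem|NT AUTHORITY\\.*)$') { return $false }

    # Reduce DOMAIN\user or user@domain to the sAMAccountName.
    $sam = if ($Account -match '\\') { $Account.Split('\')[-1] }
           elseif ($Account -match '@') { $Account.Split('@')[0] }
           else { $Account }

    $searcher = [ADSISearcher]"(&(objectClass=user)(sAMAccountName=$sam))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('memberOf', 'primaryGroupID'))
    $user = $searcher.FindOne()
    if (-not $user) { return $false }   # unknown or local account

    # Domain Admins is RID 512. It appears either as the user's primary group
    # or as a memberOf entry whose CN is "Domain Admins" (direct membership only).
    if ([int]$user.Properties['primaryGroupID'][0] -eq 512) { return $true }
    foreach ($dn in $user.Properties['memberOf']) {
        if ($dn -match '^CN=Domain Admins,') { return $true }
    }
    return $false
}

# Report: one line per Oracle service, flagging anything running as a domain admin.
Get-OracleServiceAccounts | ForEach-Object {
    $flag = if (Test-DomainAdminMember $_.StartName) { 'DOMAIN ADMIN - fix this' } else { 'ok' }
    '{0,-24} {1,-32} {2}' -f $_.Name, $_.StartName, $flag
}
```

Anything flagged should be moved to a dedicated, low-privilege service account; if nothing is flagged but the account sits in a group nested inside Domain Admins, this script will not see it, so follow up with a proper group-membership audit.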