DBSecWorx: UTL_MAIL

Oracle UTL_MAIL_INTERNAL Built-In Package Versions 2002 - 21c

Security Advisory

This is an Internal support package for UTL_MAIL that no unprivileged end-user has any business accessing. It's sole raison d'etre is to return the name of the configured SMTP server ... not something any human user could actually require unless they are a DBA debugging a connection issue.

We are not aware of any current exploits that utilize this package, and the one saving grace for it is that it is not part of the database default installation. But read more about this package to better understand why the default grant of EXECUTE to PUBLIC puts your data at risk.

Recommended Security Rules

NEVER

Let any user or schema without documented justification or escalated privileges gain access to this package by revoking EXECUTE from PUBLIC

WITH GREAT CARE

Identify legitimate requirements for access to this package and grant EXECUTE explicitly to only justified schemas
Query the data dictionary after EXECUTE has been revoked from PUBLIC to verify the equivalence created is the equivalence approved by IT management and your CISO

CAUTIONS

Some usage may be in the form of dynamic SQL so carefully verify usage requirements in source code as well as in DBA_DEPENDENCIES

How Oracle Works

We're going to use this as an opportunity to rant on one of our favorite topics: "Insecure by Default" This package is a poster child for the concept of "Insecure by Default". Look at the following from the data dictionary.

Look first at the package's sole bit of functionality. It can be used to return the name of the configured SMTP server. Ok, why does a user with no privilege other than CREATE SESSION need to have access to that particular piece of information?

Clearly no good reason so let's see if there are any complicating dependencies with other database objects.

SQL> SELECT name 2 FROM dba_dependencies 3* WHERE referenced_name = 'UTL_MAIL_INTERNAL'; NAME ------------------------------ UTL_MAIL_INTERNAL UTL_MAIL

The first row returned is the relationship between package specification (header) and the package body. The second is to UTL_MAIL which interestingly enough does not have EXECUTE granted to PUBLIC. So why does UTL_MAIL_INTERNAL ... note the use of the word INTERNAL in the name ... need to be granted to PUBLIC? We don't know either.

UTL_MAIL and UTL_MAIL_INTERNAL are both owned by SYS and package is officially undocumented and unsupported for end user use. Nothing bad would happen if Oracle revoked the grant of EXECUTE to PUBLIC but a potential exploit would be eliminated.

UTL_MAIL_INTERNAL Package Information

AUTHID DEFINER

Dependencies

UTL_MAIL

V$PARAMETER

Documented No

First Available Not known but likely 2002-2003 based on comments in the source file.

Security Model Owned by SYS with EXECUTE granted to PUBLIC

Source {ORACLE_HOME}/rdbms/admin/prvtmail.plb

GET_SMTP_SERVER

Returns the name of the configured SMTP server.

Returns NULL if an SMTP server is not configured on the database host. utl_mail_internal.get_smtp_server(smtp_server OUT VARCHAR2);

DECLARE

       sname VARCHAR2(30);

      BEGIN

        utl_mail_internal.get_smtp_server(sname);

        dbms_output.put_line(sname);

      END;

      /