Oracle DBMS – Access Control Bypass with Direct Path Export


Oracle is a widely deployed DBMS. Clients use a protocol called TNS to communicate to the Oracle server. Protocol messages are used for session setup, authentication and data transfer. Oracle provides database export functionality in various modes. One of the export modes is called Direct Path.


Imperva’s Application Defense Center is conducting an extensive research of the TNS protocol and its implementation. As part of the research the team has identified a severe vulnerability in Oracle’s access control mechanism.


Oracle provides database export functionality in various modes. One of the export modes is called Direct Path. This mode uses a special protocol message to extract table data rather than SQL queries.

Using this special protocol message an attacker can extract information from tables and views to which she has not been granted access.


The TNS protocol includes a special message used for direct path export. The message (0x5B) allows extraction of table data without using SQL query.

The message accepts the name of a schema and a table as well as the id of that schema and table. As long as the schema id in the message matches the schema name in the message and as long as the table name refers to some valid table in the given schema, the Oracle server will return the contents of the table identified by the given id, regardless of whether the user sending the query has access privileges to the requested table.

The ADC has not been able to access SYS schema objects using this vulnerability.


Sequentially send Direct Path Export messages with incrementing object IDs


  • All Oracle 9 and 10 versions prior to April 2008 CUP.

Not Vulnerable
  • Oracle 11

Vendor's Status

  • Vendor notified on 27-May-2007

  • Fix issued 15-April-2008 as item DB12 in the April 2008 CPU


SecureSphere Database Security Gateway users can mitigate this vulnerability by creating a custom database policy to restrict the usage of Direct Path Export to specific authorized users (e.g. database administrators). SecureSphere can also keep an independent audit trail of all usage of this command by authorized users for later review and forensics in the case of privilege abuse.


The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, for permission.