Oracle UTL_MAIL_INTERNAL Built-In Package
Versions 2002 - 21c

Security Advisory
This is an Internal support package for UTL_MAIL that no unprivileged end-user has any business accessing. It's sole raison d'etre is to return the name of the configured SMTP server ... not something any human user could actually require unless they are a DBA debugging a connection issue.

We are not aware of any current exploits that utilize this package, and the one saving grace for it is that it is not part of the database default installation. But read more about this package to better understand why the default grant of EXECUTE to PUBLIC puts your data at risk.
 
Recommended Security Rules

 NEVER
  • Let any user or schema without documented justification or escalated privileges gain access to this package by revoking EXECUTE from PUBLIC
 WITH GREAT CARE
  • Identify legitimate requirements for access to this package and grant EXECUTE explicitly to only justified schemas
  • Query the data dictionary after EXECUTE has been revoked from PUBLIC to verify the equivalence created is the equivalence approved by IT management and your CISO
 CAUTIONS
  • Some usage may be in the form of dynamic SQL so carefully verify usage requirements in source code as well as in DBA_DEPENDENCIES
 
How Oracle Works
We're going to use this as an opportunity to rant on one of our favorite topics: "Insecure by Default" This package is a poster child for the concept of "Insecure by Default". Look at the following from the data dictionary.

Look first at the package's sole bit of functionality. It can be used to return the name of the configured SMTP server. Ok, why does a user with no privilege other than CREATE SESSION need to have access to that particular piece of information?

Clearly no good reason so let's see if there are any complicating dependencies with other database objects.

SQL> SELECT name
  2  FROM dba_dependencies
  3* WHERE referenced_name = 'UTL_MAIL_INTERNAL';

NAME
------------------------------
UTL_MAIL_INTERNAL
UTL_MAIL


The first row returned is the relationship between package specification (header) and the package body. The second is to UTL_MAIL which interestingly enough does not have EXECUTE granted to PUBLIC. So why does UTL_MAIL_INTERNAL ... note the use of the word INTERNAL in the name ... need to be granted to PUBLIC? We don't know either.

UTL_MAIL and UTL_MAIL_INTERNAL are both owned by SYS and package is officially undocumented and unsupported for end user use. Nothing bad would happen if Oracle revoked the grant of EXECUTE to PUBLIC but a potential exploit would be eliminated.
 
UTL_MAIL_INTERNAL Package Information
AUTHID DEFINER
Dependencies
UTL_MAIL V$PARAMETER  
Documented No
First Available Not known but likely 2002-2003 based on comments in the source file.
Security Model Owned by SYS with EXECUTE granted to PUBLIC
Source {ORACLE_HOME}/rdbms/admin/prvtmail.plb
 
GET_SMTP_SERVER
Returns the name of the configured SMTP server.

Returns NULL if an SMTP server is not configured on the database host.
utl_mail_internal.get_smtp_server(smtp_server OUT VARCHAR2);
DECLARE
 sname VARCHAR2(30);
BEGIN
  utl_mail_internal.get_smtp_server(sname);
  dbms_output.put_line(sname);
END;
/

Related Topics
UTL_MAIL
UTL_RAW
UTL_SMTP
UTL_TCP