Oracle UTL_MAIL_INTERNAL Built-In Package
Versions 2002 - 21c

Security Advisory
This is an internal support package for UTL_MAIL that no unprivileged end-user has any business accessing. Its sole raison d'être is to return the name of the configured SMTP server ... not something any human user could actually require unless they are a DBA debugging a connection issue.

We are not aware of any current exploits that utilize this package, and the one saving grace for it is that it is not part of the database default installation. But read more about this package to better understand why the default grant of EXECUTE to PUBLIC puts your data at risk.
Recommended Security Rules

  • Prevent any user or schema without documented justification or escalated privileges from gaining access to this package by revoking EXECUTE from PUBLIC
  • Identify legitimate requirements for access to this package and grant EXECUTE explicitly to only justified schemas
  • Query the data dictionary after EXECUTE has been revoked from PUBLIC to verify the equivalence created is the equivalence approved by IT management and your CISO
  • Some usage may be in the form of dynamic SQL so carefully verify usage requirements in source code as well as in DBA_DEPENDENCIES
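
The rules above as a single SQL*Plus session. This is an added example, not part of the original advisory; APP_MAIL_OWNER is a hypothetical schema standing in for whichever schema has an approved requirement.

```sql
-- Run as a DBA. APP_MAIL_OWNER is a hypothetical schema used for illustration.

-- 1. Baseline: who can execute the package today?
SELECT grantee, privilege, grantor
FROM dba_tab_privs
WHERE owner = 'SYS'
AND table_name = 'UTL_MAIL_INTERNAL';

-- 2. Static usage: stored objects outside SYS that reference the package.
SELECT owner, name, type
FROM dba_dependencies
WHERE referenced_name = 'UTL_MAIL_INTERNAL'
AND owner <> 'SYS';

-- 3. Dynamic SQL leaves no row in DBA_DEPENDENCIES, so search stored source.
--    Wrapped code and SQL built outside the database need separate review.
SELECT owner, name, type, line
FROM dba_source
WHERE UPPER(text) LIKE '%UTL_MAIL_INTERNAL%'
AND owner <> 'SYS'
ORDER BY owner, name, type, line;

-- 4. Remove the default grant.
REVOKE EXECUTE ON sys.utl_mail_internal FROM PUBLIC;

-- 5. Grant back only to schemas with a documented, approved requirement.
GRANT EXECUTE ON sys.utl_mail_internal TO app_mail_owner;

-- 6. Verify: PUBLIC should no longer appear, only approved grantees.
SELECT grantee, privilege, grantor
FROM dba_tab_privs
WHERE owner = 'SYS'
AND table_name = 'UTL_MAIL_INTERNAL'
ORDER BY grantee;

-- 7. Objects that relied on the PUBLIC grant may now be invalid; list them
--    for follow-up.
SELECT owner, object_name, object_type
FROM dba_objects
WHERE status = 'INVALID'
AND owner <> 'SYS'
ORDER BY owner, object_name;
```
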
How Oracle Works
We're going to use this as an opportunity to rant on one of our favorite topics: "Insecure by Default". This package is a poster child for the concept. Look at the following from the data dictionary.

Look first at the package's sole bit of functionality. It can be used to return the name of the configured SMTP server. OK, why does a user with no privilege other than CREATE SESSION need to have access to that particular piece of information?

Clearly there is no good reason, so let's see if there are any complicating dependencies with other database objects.

  -- Objects that depend on UTL_MAIL_INTERNAL
  SELECT owner, name, type
  FROM dba_dependencies
  WHERE referenced_name = 'UTL_MAIL_INTERNAL';


The first row returned is the relationship between the package specification (header) and the package body. The second is to UTL_MAIL, which interestingly enough does not have EXECUTE granted to PUBLIC. So why does UTL_MAIL_INTERNAL ... note the use of the word INTERNAL in the name ... need to be granted to PUBLIC? We don't know either.

UTL_MAIL and UTL_MAIL_INTERNAL are both owned by SYS, and the package is officially undocumented and unsupported for end-user use. Nothing bad would happen if Oracle revoked the grant of EXECUTE to PUBLIC, but a potential exploit would be eliminated.
UTL_MAIL_INTERNAL Package Information
Documented: No
First Available: Not known but likely 2002-2003 based on comments in the source file.
Security Model: Owned by SYS with EXECUTE granted to PUBLIC
Source: {ORACLE_HOME}/rdbms/admin/prvtmail.plb
Returns the name of the configured SMTP server.

Returns NULL if an SMTP server is not configured on the database host.
utl_mail_internal.get_smtp_server(smtp_server OUT VARCHAR2);
 sname VARCHAR2(30);
