We’ve been hacked!!!
We found out that someone has been fidgeting with our policies, but we can’t seem to figure out who. We’ve been asked to investigate who changed our row access policies (but we need some suspension of disbelief).
The policies haven’t been touched in a long time, but we’ve got reason to believe that more than 2 weeks ago, someone changed our policies!
The issue is that we can’t use the Query History tab, because it only gives us 14 days of history.
We’re in quite a bind and really need to figure out who changed our policy!
To quickly set up this test, run the following.
*We’ve refrained from using an actual user because of the level of access that that user would need. In this case, you’re hunting yourself 🙂
Mock Data
create table MOCK_DATA (
id INT,
salary INT,
teamnumber INT
);
insert into MOCK_DATA (id, salary, teamnumber) values (1, 781767, 2);
insert into MOCK_DATA (id, salary, teamnumber) values (2, 701047, 5);
insert into MOCK_DATA (id, salary, teamnumber) values (3, 348497, 2);
insert into MOCK_DATA (id, salary, teamnumber) values (4, 555275, 2);
insert into MOCK_DATA (id, salary, teamnumber) values (5, 144962, 3);
insert into MOCK_DATA (id, salary, teamnumber) values (6, 832979, 4);
insert into MOCK_DATA (id, salary, teamnumber) values (7, 387404, 1);
insert into MOCK_DATA (id, salary, teamnumber) values (8, 427563, 3);
insert into MOCK_DATA (id, salary, teamnumber) values (9, 788928, 3);
insert into MOCK_DATA (id, salary, teamnumber) values (10, 257613, 1);
insert into MOCK_DATA (id, salary, teamnumber) values (11, 483792, 4);
insert into MOCK_DATA (id, salary, teamnumber) values (12, 720679, 3);
insert into MOCK_DATA (id, salary, teamnumber) values (13, 452976, 4);
insert into MOCK_DATA (id, salary, teamnumber) values (14, 541193, 2);
insert into MOCK_DATA (id, salary, teamnumber) values (15, 159377, 1);
insert into MOCK_DATA (id, salary, teamnumber) values (16, 825003, 4);
insert into MOCK_DATA (id, salary, teamnumber) values (17, 362209, 3);
insert into MOCK_DATA (id, salary, teamnumber) values (18, 291622, 5);
insert into MOCK_DATA (id, salary, teamnumber) values (19, 646774, 3);
insert into MOCK_DATA (id, salary, teamnumber) values (20, 971930, 1);
CREATE OR REPLACE ROW ACCESS POLICY demo_policy
AS (teamnumber int) RETURNS BOOLEAN ->
CURRENT_ROLE() = 'HR'
OR LEFT(CURRENT_ROLE(),13) = 'MANAGER_TEAM_' AND RIGHT(CURRENT_ROLE(),1) = RIGHT(teamnumber, 1);
alter table MOCK_DATA add row access policy demo_policy on (teamnumber);
“The Hack”
CREATE OR REPLACE PROCEDURE totally_not_a_suspicious_procedure()
RETURNS VARCHAR
LANGUAGE JAVASCRIPT
AS
$$
var stmt = snowflake.createStatement({
sqlText: "alter table MOCK_DATA drop row access policy demo_policy;"
});
stmt.execute();
return "Row access policy dropped successfully.";
$$;
CALL totally_not_a_suspicious_procedure();
select * from MOCK_DATA;
CREATE OR REPLACE PROCEDURE totally_not_a_suspicious_procedure2()
RETURNS VARCHAR
LANGUAGE JAVASCRIPT
AS
$$
var stmt = snowflake.createStatement({
sqlText: "alter table MOCK_DATA add row access policy demo_policy on (teamnumber);"
});
stmt.execute();
return "Row access policy added successfully.";
$$;
CALL totally_not_a_suspicious_procedure2();
drop procedure totally_not_a_suspicious_procedure();
drop procedure totally_not_a_suspicious_procedure2();
*The hacker thinks he’s being smart by calling a procedure instead of the actual command, because he assumes that the history will only show the CALL.
It’s up to you to write the commands to figure out who accessed the tables or policies! Remember that you can’t use the Query History tab because this should’ve happened ‘more than 14 days ago’.
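One way to approach the hunt, as an added example that is not part of the original post: the SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY view retains 365 days of statements, including the ones a stored procedure executes, so the ALTER TABLE hidden behind the CALL is recorded with the user and role that ran it. The 90-day window and the session/time correlation back to the CALL are assumptions of this example.

```sql
-- Added example (not from the original challenge post).
-- Requires a role that can read the shared SNOWFLAKE database
-- (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on it).
-- ACCOUNT_USAGE views lag real time by up to about 45 minutes.

with policy_statements as (
    -- Every statement that mentions a row access policy, including
    -- child statements executed from inside a stored procedure and the
    -- CREATE PROCEDURE text that wraps them.
    select query_id,
           session_id,
           start_time,
           user_name,
           role_name,
           execution_status,
           query_text
    from snowflake.account_usage.query_history
    where start_time >= dateadd(day, -90, current_timestamp())  -- assumed lookback window
      and query_text ilike '%row access policy%'
      and ltrim(query_text) ilike any ('alter%', 'create%', 'drop%')
),
calls as (
    -- CALL statements, used to tie a child statement back to its wrapper.
    select session_id,
           start_time,
           end_time,
           query_text
    from snowflake.account_usage.query_history
    where start_time >= dateadd(day, -90, current_timestamp())
      and ltrim(query_text) ilike 'call %'
)
select p.start_time,
       p.user_name,
       p.role_name,
       p.execution_status,
       p.query_text  as policy_statement,
       c.query_text  as wrapping_call      -- null when run directly
from policy_statements p
left join calls c
       on c.session_id = p.session_id
      -- Heuristic: the child statement started while the CALL was running.
      and p.start_time between c.start_time and c.end_time
order by p.start_time;
```

Rows whose `wrapping_call` is populated are policy changes that were issued through a procedure rather than typed directly, which is the pattern the setup above creates.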
3 responses to “Week 44 – Basic”
- Curious to see how others handle this as I’m not sure my solution is the best one!
  - Solution URL – https://github.com/ChrisHastieIW/Frosty-Friday
- simple query to return any queries which drop a row access policy, when and by who
  - Solution URL – https://github.com/ChrisBo94/FrostyFriday/blob/main/Week_44.sql
- Normski did it!
  - Solution URL – https://github.com/NMangera/frosty_friday/blob/main/week%2044%20-%20basic%20/Security