Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS

Securing Java In Oracle and DBMS_JVM_EXP_PERMS

David’s Java/Oracle security research has been made public at the Blackhat conference in DC before it has been patched by Oracle. Additionally there is some misinformation going round that this work only affects 11.2, which is incorrect as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix, but since theory is not good enough for the real world I have written a short paper to explain how to test the fixes before deploying them, along with some analysis about preventing this type of issue in the future. This is in my opinion the most serious research for a long time and needs to be acted on, so hopefully this paper will help solve a few headaches out there.
Cheers,
Paul

Jan 2010 CPU Update

Hello Folks,
So back in the saddle, and the Jan CPU is rated 7.5 for Linux so needs to be taken seriously. The PSU containing the CPU installs nicely for 10.2.0.4.3 and gives full detail of the vulnerabilities being fixed whilst installing, which makes interesting reading. The Jan CPU does not fix all the bugs I was expecting it to fix, so there are still some serious vulns in the pipeline.
This is an interesting blog entry that I came across.
http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html
Congrats to Oracle on the EU merger go ahead. So Larry has the full stack now. Exciting times ahead for Oracle folks.
More to come and business as usual.
Cheers,
Paul

PUBLIC Regex in the absence of Definer’s Rights Roles

Been ill this week with man flu ~ not bird or swine flu, much more serious than that..

..So back to the plot.. In the current absence of Definer’s Rights Roles, there is a temptation for Devs to GRANT EXECUTE to PUBLIC on their new packages so the privs can carry through to other schemas’ packages. PUBLIC is too wide a grouping, and just because it is the only Definer’s Rights Role does not mean that ALL grants should be made to it. This is a bad habit picked up to save working out the actual privileges required.
Therefore it is a good idea to alert to these PUBLIC grants using HH RegEx rules with the MATCHES keyword as below:

statement MATCHES 'to\s*public'

Note that the character literals in the regEx are case insensitive with HH.

For more in depth RegEx rule writing there is a nice page on Sentrigo’s web site at the URL below, which I recommend reading:
http://www.sentrigo.com/how-to-compose-effective-and-efficient-regular-expressions

Additionally I would like to mention Alex’s Anti Hacker class, taking place January 12-14, 2010 in San Francisco, California. https://pages.sentrigo.com/Anti-Hacking.html.
I know Alex has experience of implementing defensive solutions with a number of commercial customers and is at the cutting edge of offensive research as well, which is a powerful combination. The syllabus looks interesting so worth checking out…and maybe taking in the Bay Area and the bridge at the same time.

Cheers,
Paul

UKOUG review

The dust has now settled so let’s see what has survived in the memory banks..
Tom’s presentation was entertaining with an application development security theme. I missed Alex Keh’s talk on AD which was a shame as looking at the slides it was a good talk (download password is at the bottom of the printed paper agenda given in the bags).
Instead I went to Slavik’s SQL injection talk and learnt some more ways to extrude data via error messages. Slavik’s talk was a good summary of the best of Oracle security research and was well attended. Then to Joel’s DBLinks presentation, which was a well thought out, methodical and thorough talk on how DB links behave in distributed and RAC environments. Finally to Pete’s Data Security talk, which was good revision and again well attended, with folks meeting up again in the evening for meet the speaker where I discussed the maximum SCN issue over DBLinks with Joel. The Security Roundtable the next day was a good opportunity to discuss new ideas, among those the notion of Definer Rights Roles (akin to PUBLIC but with the ability to revoke and deny the customizable Definer Rights Role from a user). The PL/SQL speakers did not understand the security importance of this proposed feature when I had mentioned it at “meet the speaker” the night before, but I found “like minds” at the security round table. It was inspiring to talk to people working for Oracle who are still highly motivated to improve the product and prepared to listen to folks outside of Oracle for ideas and user stories. Excellent.
In summary I think the networking aspect was probably the highlight of the conference ~ being able to meet other speakers and discuss ideas with them was great..more to come on some of the technical lessons learnt.

UKOUG Agenda

So UKOUG next week, where I will be attending Monday and Tuesday. There are quite a few Oracle security presentations some of which are listed below. Many of the presentation pdfs have already been posted on UKOUG’s site, so you can print them off before attending if you wish.

10:45 - 11:45 Hall 1
Server Technology Keynote: What are we still doing wrong?
Thomas Kyte - Oracle
12:05 - 13:05 Hall 10B
Active Directory and Windows Security Integration with Oracle Database
Alex Keh - Oracle
12:05 - 12:50 Hall 6
SQL Injection attacks
Slavik Markovich - Sentrigo
13:40 - 14:40 Hall 9
Oracle Database Links part 2 - Distributed Transactions
Joel Goodman - Oracle
14:50 - 15:35 Hall 10A
The right way to secure data
Pete Finnigan - PeteFinnigan.com
16:00 - 18:00 Hall 11B
Security and Vault Management
David Storey - Oracle
Tuesday
10:35 - 11:35 Hall 1 Foyer Level 5
Oracle Security roundtable
Pete Finnigan - PeteFinnigan.com
Co-presenter: Slavik Markovich - Sentrigo
Paul Wright - Markit
Kevin Else - No Fools
Keith Hutton - Cervello Consultants
12:05 - 13:05 Hall 10A
Securing your web services
Gerard Davison - Oracle
15:00 - 15:45 Hall 9
The murky world of Database Character Sets
Paul Hancock - Lloyds Banking Group
17:05 - 18:05 Hall 5
Oracle Database Security done right
Frits Hoogland - VX Company

See you there..

Cheers,
Paul

PUBLIC ROLE AND DEFINER RIGHTS

Hi All,
I received Applied Oracle Security in the post this weekend from Amazon. Yes they are still selling actual books, as well as offering Amazing Elastic Clouds to the masses.
Being Oracle Press I expected the book to be from the Oracle vendor perspective, but having said that David Knox’s previous Oracle Press book was a very good read, so let’s start with a positive open mind. The Database Vault chapter looks good with a fundamentals and an advanced section. DBV is beginning to be taken up, though if a low priv user can make themselves DBA and a DBA can make themselves SYSDBA then the added icing on the cake of DBV should not be relied on in itself. Need to firm up the foundations as well.
There are a couple of nice Apex security chapters; though I have not used this software much commercially, I can see its appeal.
The book includes a chapter on Audit Vault, which runs as the Oracle unix user so is susceptible to escalations giving the ability to tamper with the audit trail mechanism. Sentrigo HH runs as a separate user from Oracle so this is not an issue for HH. If you are interested in either DBV or Apex then it is worth buying the book. It is not on Safari but can be purchased electronically for Kindle.

My current perspective on Oracle security is that there are a few central basic core improvements that could be made to the Oracle DB to allow more direct access to users securely.
One of these is the issue of how to allocate privileges on PL packages efficiently. If a package is found to be vulnerable then public execute is revoked and privileges to the user that requires it are granted. BUT have a think why public was granted in the first place.
One reason is that it means every user can execute the package, BUT the other is that any other package can also execute the package using its definer rights. Roles are not enabled with DEFINER rights, that is except for the PUBLIC “ROLE”. PUBLIC is the only customisable grouping that is picked up by definer rights, so if a package is granted to PUBLIC then any other package can also execute it. This is interesting in my opinion because what it illustrates is that the reason for so many PUBLIC grants is that PUBLIC is the only role which can pass its privileges via DEFINER rights. So the ability for more precisely defined roles to be effective through definer rights would enable the revocation of more PUBLIC grants and mean that many would not need to be granted in the first place. So DEFINER rights Roles please Oracle :)
Of course major changes to the core RDBMS are not easy, but it is good to have a wish list.
Cheers,
Paul

DAMS for Post and PRE-CPU Change Management

When a new CPU/PSU comes out a package is known to be vulnerable e.g. SYS.DMP_SYS (CVE-2009-1007) but applying the patch may be too risky and/or take too long to test before deployment. CPUs are complex and their effect cannot be predicted. The strategy has to be one of install on QA and stand well back ~ November 5th firework style.
A quicker and simpler way to remove the threat of a vulnerable package is to simply REVOKE the PUBLIC EXECUTE on that package. The effects of this can be predicted and controlled more closely, but it may be the case that SYS.DMP_SYS is used by other packages, applications and in-house code that rely on that PUBLIC EXECUTE for their functionality. This is especially the case with SYS objects because high privileged DBA and application accounts with EXECUTE ANY PROCEDURE are still relying on the PUBLIC EXECUTE to be able to use that package because the EXECUTE ANY PROCEDURE system privilege omits the SYS schema. Only SYS does not use the PUBLIC EXECUTE privilege for SYS packages.
The other advantage of being able to make manual changes like this rather than relying on the patch is that PRE-CPU information can be acted upon.

In order to carry out this command…

REVOKE EXECUTE ON SYS.DMP_SYS FROM PUBLIC;

…with low risk, access to SYS.DMP_SYS has to be monitored and profiled over time before the change is made. This is one of the benefits of using a Database Activity Monitoring System. To profile use of SYS.DMP_SYS properly, a host based system is required as a network based system is only going to see calls from the app tier and not internal calls from other Oracle packages in the DB. The simplest and most generic host-based DAMS rule language is Sentrigo Hedgehog as follows.

object='SYS.DMP_SYS' AND USER <>'SYS'

If the above rule returns no results after a couple of weeks then the PUBLIC EXECUTE can be REVOKEd with low risk. This is quicker than testing patches and will work more often than a complex patch which may fail. So in addition to IDS/IPS and user activity monitoring, DAMS can provide a quicker and more efficient change control process.
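As an added illustration (not code from the original post or from Sentrigo), the profiling step described above in plain Python: the HH rule object='SYS.DMP_SYS' AND USER <> 'SYS' is evaluated over a constructed set of activity records, once as a host-based sensor would see them and once as a network-based sensor would, to show why only the host-based view can safely green-light the REVOKE. The record layout, the user names and the dates are all assumptions for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample of DAMS activity records (not real Hedgehog output).
# Each record: (day, db_user, object, source). "source" is "network" for a
# call arriving over SQL*Net and "internal" for a PL/SQL-to-PL/SQL call
# that only a host-based sensor observes.
SAMPLE_ACTIVITY = [
    (date(2009, 11, 2),  "SYS",      "SYS.DMP_SYS",     "internal"),
    (date(2009, 11, 3),  "SYS",      "SYS.DBMS_OUTPUT", "network"),
    (date(2009, 11, 5),  "APPOWNER", "SYS.DMP_SYS",     "internal"),  # from APPOWNER's own package
    (date(2009, 11, 9),  "SYS",      "SYS.DMP_SYS",     "internal"),
    (date(2009, 11, 12), "APPOWNER", "SYS.DMP_SYS",     "internal"),
    (date(2009, 11, 17), "DBA1",     "SYS.DBMS_STATS",  "network"),
]


def rule_hits(records, target, sensor="host"):
    """Evaluate the rule  object='<target>' AND USER <> 'SYS'.

    A network-based sensor only sees SQL*Net traffic, so "internal"
    records are invisible to it; a host-based sensor sees both.
    """
    if sensor == "network":
        records = [r for r in records if r[3] == "network"]
    return [r for r in records if r[2] == target and r[1] != "SYS"]


def caller_profile(records, target, sensor="host"):
    """Count the non-SYS callers of the target object, by database user."""
    return Counter(r[1] for r in rule_hits(records, target, sensor))


def revoke_is_low_risk(records, target, sensor="host", min_days=14):
    """REVOKE ... FROM PUBLIC is low risk only when the rule has stayed
    quiet over a profiling window of at least min_days (the post's
    "couple of weeks"); too little history is never an all-clear."""
    days = [r[0] for r in records]
    if not days or (max(days) - min(days)).days < min_days:
        return False
    return not rule_hits(records, target, sensor)


if __name__ == "__main__":
    for sensor in ("host", "network"):
        print(sensor, dict(caller_profile(SAMPLE_ACTIVITY, "SYS.DMP_SYS", sensor)),
              "revoke low risk:", revoke_is_low_risk(SAMPLE_ACTIVITY, "SYS.DMP_SYS", sensor))
```

The network view reports no callers and would wrongly approve the revoke; the host view shows APPOWNER’s packages still depend on the PUBLIC EXECUTE.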
If you are interested in the benefits of deploying a Database Activity Monitoring system it is worth reading the case-study highlighted in UKOUG SCENE Journal and attending the SANS DAMS course of the same name. I recommend registering sooner rather than later to avoid disappointment.
Cheers,
Paul

Oracle Security Summary

Hi Folks,

Here is an Oracle Security Summary:

Alexandre has published some PoC code for CVE-2009-1991 at http://dsecrg.com/pages/vul/show.php?id=110.

The new UKOUG SCENE Journal has been published with an emphasis on “Security in the City”, and UKOUG have kindly highlighted an article of mine on Database Application Monitoring systems used for financial transparency. The main thrust of the article was that Oracle’s own auditing systems run as the Oracle unix user so are vulnerable to buffer overflows, OS access via utl_file and Java, as well as DBA actions using the oracle unix account.

The benefit of Sentrigo HH is that it runs as a separate user from Oracle and so cannot be accessed as easily either by attacker’s code or DBA/dev staff. In other words it is not vulnerable to this type of audit trail tampering below.

SQL> call javaos('rm /u01/app/oracle/admin/orcl/adump/ora_563.aud');
Call completed.

The above is basic Java DB to OS functionality, and given the unreliability of the Aurora JVM it is worth both taking actions to defend against this and providing assurance via a DAMS system … more to come on this, and on the metalink article Doc ID:787878.1 I mentioned last week at SEC520.

Cheers,
Paul

Oracle Identity Integrity

Security in a multi-user system relies on individuality of account access and Identity Integrity.
The ability to assume the identity of another user is one of the most powerful privileges that exists and should be monitored and logged using a Database Activity Monitoring System for compliance, assurance and good practice.

Client supplied identity information passed to the DB can be selected using this script in SQL*PLUS.

set heading off
select SYS_CONTEXT('USERENV','TERMINAL')
,SYS_CONTEXT('USERENV','LANGUAGE')
,SYS_CONTEXT('USERENV','SESSIONID')
,SYS_CONTEXT('USERENV','INSTANCE')
,SYS_CONTEXT('USERENV','ENTRYID')
,SYS_CONTEXT('USERENV','ISDBA')
,SYS_CONTEXT('USERENV','NLS_TERRITORY')
,SYS_CONTEXT('USERENV','NLS_CURRENCY')
,SYS_CONTEXT('USERENV','NLS_CALENDAR')
,SYS_CONTEXT('USERENV','NLS_DATE_FORMAT')
,SYS_CONTEXT('USERENV','NLS_DATE_LANGUAGE')
,SYS_CONTEXT('USERENV','NLS_SORT')
,SYS_CONTEXT('USERENV','CURRENT_USER')
,SYS_CONTEXT('USERENV','CURRENT_USERID')
,SYS_CONTEXT('USERENV','SESSION_USER')
,SYS_CONTEXT('USERENV','SESSION_USERID')
,SYS_CONTEXT('USERENV','PROXY_USER')
,SYS_CONTEXT('USERENV','PROXY_USERID')
,SYS_CONTEXT('USERENV','DB_DOMAIN')
,SYS_CONTEXT('USERENV','DB_NAME')
,SYS_CONTEXT('USERENV','HOST')
,SYS_CONTEXT('USERENV','OS_USER')
,SYS_CONTEXT('USERENV','EXTERNAL_NAME')
,SYS_CONTEXT('USERENV','IP_ADDRESS')
,SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
,SYS_CONTEXT('USERENV','BG_JOB_ID')
,SYS_CONTEXT('USERENV','FG_JOB_ID')
,SYS_CONTEXT('USERENV','AUTHENTICATION_TYPE')
,SYS_CONTEXT('USERENV','AUTHENTICATION_DATA')
,SYS_CONTEXT('USERENV','CURRENT_SQL')
,SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER')
,SYS_CONTEXT('USERENV','GLOBAL_CONTEXT_MEMORY') from dual;

But the above information is known to be easily falsified, which has also been demonstrated. Only the IP address has reasonable integrity, post TCP handshake that is.

Therefore the Identity Integrity of DB users usually relies on username/password confidentiality but there are a number of ways to bypass this control which need to be recorded in a Database Activity Monitoring System or DAMS.

1. The BECOME USER system privilege allows an OCI call to be made thus changing the effective identity of a logged on user.

2. BECOME USER is built into sys.kupp$proc.change_user('ASSUMED_USERNAME');
This is a handy command to use in release scripts that require a change of user from the higher DBA downwards and has also been used to go up in privileges such as in Tanel’s now removed post http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/ which has been duplicated at this URL http://www.articles.freemegazone.com/oracle-security-all-dba-os-access.php. This is how the identity change looks.

SQL> conn dbauser@(description=(address=(protocol=tcp)(host=myhost)(port=1521))(connect_data=(service_name=orcl)))
password
Connected.

SQL> SELECT USER FROM DUAL;
USER
------------------------------
DBAUSER

SQL> exec sys.kupp$proc.change_user('PAULMWRIGHT');
PL/SQL procedure successfully completed.

SQL> SELECT USER FROM DUAL;
USER
------------------------------
PAULMWRIGHT

The good news is that Sentrigo HH will still record the original DBAUSER in its alerts and logs even after kupp$proc.change_user(). Additionally a rule can be set up to record all calls to the sys.kupp$proc package.

object='SYS.KUPP$PROC' and statement contains 'change_user'

But there are more straightforward ways of assuming another user’s identity in Oracle, such as simply changing the password of a user to a known value and logging on as them. These techniques are invaluable when troubleshooting a user’s privilege errors. But they need to be monitored and logged, so how many ways of doing that are there?

ALTER USER ASSUMED_USER IDENTIFIED BY NEWPASSWORD;

--But if you wish to put back the old password after the identity has been used, you can use this well known method
SELECT PASSWORD FROM SYS.USER$ WHERE NAME='ASSUMED_USER';
ALTER USER ASSUMED_USER IDENTIFIED BY NEWPASSWORD;
ALTER USER ASSUMED_USER IDENTIFIED BY VALUES 'ORIGINALPASSWORDHASH';

Therefore it is a good idea to alert to ALTER USER commands in Sentrigo HH with this rule:

statement contains 'ALTER USER'

--or even better using RegEx to allow for variable white space:
statement matches 'ALTER\s*USER'

--but also need to consider the GRANT syntax:
grant role to paulwright identified by password;

--additionally the direct update:
update sys.user$ set password = '737B466C2DF536B9' where name='PAULMWRIGHT';

--both of which are going to require a more sophisticated rule writing strategy to catch all possible permutations
--more on this later...
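The rule-writing strategy asked for above, and the PUBLIC-grant rule from the earlier post, worked through as an added Python example (not code from the original post and not Sentrigo’s rule engine): each statement is normalised (comments dropped, all whitespace collapsed, upper-cased) and then run against one regex per rule, so a single pattern covers the case and white space permutations. The rule names, the sample statements and the normalisation approach are assumptions for the example; HH’s own MATCHES syntax is only approximated.

```python
import re

# Drop SQL comments, collapse runs of whitespace (spaces, tabs, newlines)
# to one space and upper-case, so one pattern covers the permutations.
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)


def normalise(stmt):
    stmt = _COMMENT.sub(" ", stmt)
    return re.sub(r"\s+", " ", stmt).strip().upper()


# One regex per rule discussed on the page, run against the normalised text.
RULES = [
    # 'to\s*public' from the PUBLIC grants post
    ("public_grant",        re.compile(r"\bGRANT\b.*\bTO\s+PUBLIC\b")),
    # 'ALTER\s*USER' covers both IDENTIFIED BY and IDENTIFIED BY VALUES
    ("alter_user",          re.compile(r"\bALTER\s+USER\b")),
    # GRANT ... TO user IDENTIFIED BY password also sets a password
    ("grant_with_password", re.compile(r"\bGRANT\b.*\bTO\b.*\bIDENTIFIED\s+BY\b")),
    # direct update of the password column in SYS.USER$
    ("password_update",     re.compile(
        r"\bUPDATE\s+(?:\"?SYS\"?\.)?\"?USER\$\"?\s+SET\b.*\bPASSWORD\b")),
    # statement-level equivalent of the SYS.KUPP$PROC object rule
    ("kupp_change_user",    re.compile(r"KUPP\$PROC\s*\.\s*CHANGE_USER")),
]


def classify(stmt):
    """Return the names of every rule the statement triggers, in RULES order."""
    text = normalise(stmt)
    return [name for name, rx in RULES if rx.search(text)]


def scan(statements):
    """Return [(statement, hits)] for the statements that trigger any rule."""
    flagged = [(s, classify(s)) for s in statements]
    return [(s, hits) for s, hits in flagged if hits]


# Constructed sample statements (the hash value is the one quoted on the page).
SAMPLE_STATEMENTS = [
    "GRANT EXECUTE ON appowner.pkg_util TO PUBLIC;",
    "grant execute\n  on appowner.pkg_util\n\tto   PUBLIC",
    "ALTER USER assumed_user IDENTIFIED BY newpassword;",
    "alter\n user assumed_user identified by values 'ORIGINALPASSWORDHASH'",
    "grant connect to paulwright identified by password;",
    "update sys.user$ set password = '737B466C2DF536B9' where name='PAULMWRIGHT';",
    "exec sys.kupp$proc.change_user('PAULMWRIGHT')",
    "SELECT USER FROM DUAL;",
    "GRANT SELECT ON hr.employees TO reporting_role;",
]

if __name__ == "__main__":
    for stmt, hits in scan(SAMPLE_STATEMENTS):
        print(hits, "<-", normalise(stmt))
```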

A perhaps less obvious method of temporarily assuming another’s identity is by backing up the password file and then overwriting a new one and then copying back the original by combining the techniques in these two papers.
http://www.dcs.co.jp/security/NGS_freedownloads/OracleSysDBA_Backdoor.pdf
http://www.oracleforensics.com/wordpress/index.php/2008/10/10/create-any-directory-to-sysdba/
This method will allow a user to assume the identity and privileges of the SYS user as long as they have CREATE ANY DIRECTORY to start with. Therefore a DAMS should alert to UTL_FILE and references to the location of the password file as well. BUT what if the password file has been overwritten by using an OS based script which has been written via UTL_FILE and executed by CREATE TABLE without needing a directory pointing to the password file location itself, as per CREATE TABLE to OSDBA? Again the DAMS rules have to be more sophisticated.

There is also a need to think about a DB user with Java privileges running orapwd from the OS. This will allow the user to change the SYS password by recreating the password file, thus enabling the SYS identity and privileges.
See JAVA_ADMIN to OSDBA paper http://www.oracleforensics.com/wordpress/index.php/2009/08/31/java_admin-to-osdba/. Commands such as the following do allow a DB user to change the SYS password and thus assume the SYS identity.

SQL> call javaos('C:\app\PaulWright\product\11.1.0\db_1\bin\orapwd.exe file=PWDorcl2.ora password=pass entries=5 FORCE=Y');

Call completed.

If you check the password file you will see the password changed. This will then need a reboot to be effective, but once OS access is gained via Java the whole DB is open for reboot and deletion of the audit trail. The DB is meant to be a firewall to the OS, not a gateway.
But the required Java privileges are not set by default, so they need to be granted. On this note I recommend reading an interesting Metalink article Doc ID:787878.1 entitled “Data Pump Errors With ORA-39083 And ORA-29532 During Full Import When Creating Object Type PROC_SYSTEM_GRANT”. Can you see what this article from March 2009 is actually showing? … more to come on this at the SANS conference.

Lastly I have a “CREATE PROCEDURE to OSDBA” escalation that affects 10g and 11g which I will also be discussing at the SANS DAMS course on Saturday 5th December where I will show you how to solve all the above vulnerability issues as well as provide effective profiling of user activity to give assurance that your organisation’s security measures are being enforced. It is important for those responsible for defending internal assets to keep ahead of the cutting edge, so see you there.

Best regards,
Paul

Reflecting back in time at Oracle security

Hello Oracle Security folks,
So what’s been happening in Oracle Security recently?
The delayed CPU has settled down and testing will begin. Some will install the PSU and some the CPU. Others will actually work out what the vulnerabilities are and manually mitigate thus reducing the risk of taking a step backwards. Revoking PUBLIC execute is safer than installing a patch methinks. I still have bugs for fixing with SecAlert, though this will be next year now… can’t rush quality patches..
My CREATE TABLE to OSDBA paper has gone down well with references from Pete, Alex and Slavik.
Was thinking about buying Alexandre’s book on Oracle security. It appears to only be available in Russia and online purchases can be a little tricky in Russia due to the high level of Internet fraud, or so I am told by my Russian colleague. Have also been reading Pete’s new chapters from Expert Oracle Practices: Oracle Database Administration from the Oak Table, which are available for Alpha Review at the Apress web site. The chapters are on user security and data security and provide some new insights, so well worth investing in this read. The Apress titles are available on Safari but the Apress Alpha scheme allows advanced viewing..
My thoughts have been on the subject of user/data security as well. Especially with regards to identifying suspicious behaviour e.g. regex search for credit card numbers. Sentrigo HH allows regex rule writing so I have been able to write HH regex rules that alert to an attacker using various Oracle SQL regex searches for credit card numbers. Regex to catch a regex…but that is part of the SANS course so can’t detail here unfortunately.
I am also currently working on my new paper CREATE PUBLIC SYNONYM to SYSDBA and a new paper about alerting to identity change in Oracle as well as a third paper on Java Forensics which will be very pertinent.
Will preview the best bits of these subjects for the first time at the new SANS DAMS course which is written and off to the printers.
I will be at UKOUG Monday and Tuesday where I will be speaking with Pete and attending some Presentations.
Overall things are still ticking along steadily in the world of Oracle security, though I anticipate much more turbulent times in the near future as more serious new research is released…so watch this space and maybe see you on Saturday December 5th for in-depth analysis and defenses for the above.
Clocks back and good night.
Cheers,
Paul