Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)

Post July 2009 CPU

The July 2009 CPU PoCs are out in force. The criticality of each bug fixed by a CPU is measured by its CVSS score, on a scale from 1 to 10, with 10 being the most critical. The most critical database bug fixed in this CPU is rated 9, but that rating applies only on Windows; on *nix the highest is 6.5.

There are some interesting new CPU PoCs available from Dennis Yurichev here:
http://blogs.conus.info/node/26
http://blogs.conus.info/node/25
http://blogs.conus.info/node/24
http://blogs.conus.info/node/23

Dennis’s site is an excellent resource for Oracle security research. I still have work to be fixed in the CPU as well, though on the whole software bugs in the Oracle DB are decreasing in number and criticality. However the threat of Data Leakage is still increasing overall in my experience.

As well as new research, there has been movement in terms of repackaging the large number of historic Oracle exploits into a more usable framework via Metasploit, presented by Chris Gates at Blackhat: http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-PAPER.pdf

One effect of this presentation is to lower the skill level required to exploit the Oracle DB, which makes it more important to secure Oracle via the CPU, by applying the latest large patchset, or by manually mitigating the vulnerabilities. In many situations none of these is possible, so alerting on an attempt to exploit could be the last line of defence, as well as a compensating control for compliance.

I am writing Sentrigo Hedgehog rules to alert to the PoCs above as well as use of new Metasploit modules. These are very easy to write and there will be more to come on this in future publications.
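To make the "alert on an exploit attempt" idea concrete, here is an added example of the kind of rule logic such alerting boils down to. It is not Hedgehog rule syntax and not code from this blog or from Sentrigo; it runs a few hypothetical rules over constructed, audit-trail-style records (columns chosen to resemble an Oracle audit view, but the data is made up), and every alert it raises spells out which fields were supplied by the client and therefore cannot be trusted for attribution. The threshold value and the regular expressions are assumptions for illustration.

```python
"""Hypothetical alert rules run over Oracle-style audit records (added example).

The records below are constructed to look like rows from an audit trail
(DBA_AUDIT_TRAIL-like columns); they are not real data. The rules flag
actions that commonly precede or constitute privilege escalation, plus
bursts of failed logons, and each alert notes which fields came from the
client and so cannot be trusted for attribution.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample audit records (CSV with a header row).
SAMPLE_AUDIT = """\
timestamp,db_user,os_user,userhost,client_program,action_name,returncode,sql_text
2009-07-20 10:01:05,SCOTT,scott,wks12,sqlplus.exe,LOGON,0,
2009-07-20 10:01:09,SCOTT,scott,wks12,sqlplus.exe,SELECT,0,select * from emp
2009-07-20 10:02:11,APP_RO,svc,wks12,sqlplus.exe,GRANT ROLE,0,grant dba to app_ro
2009-07-20 10:02:40,APP_RO,svc,wks12,sqlplus.exe,ALTER USER,0,alter user sys identified by x
2009-07-20 10:03:01,HR,hr,wks07,hr.exe,LOGON,1017,
2009-07-20 10:03:02,HR,hr,wks07,hr.exe,LOGON,1017,
2009-07-20 10:03:03,HR,hr,wks07,hr.exe,LOGON,1017,
2009-07-20 10:03:04,HR,hr,wks07,hr.exe,LOGON,1017,
2009-07-20 10:03:05,HR,hr,wks07,hr.exe,LOGON,1017,
2009-07-20 10:04:00,HR,hr,wks07,hr.exe,LOGON,0,
"""

# Fields populated from what the client sends at connect time; the server
# does not verify them, so they are attribution hints, not evidence.
CLIENT_SUPPLIED = ("os_user", "userhost", "client_program")

# Assumed rule definitions: grants of powerful roles, changes to SYS/SYSTEM,
# and repeated ORA-01017 (invalid username/password) failures.
PRIV_GRANT = re.compile(r"\bgrant\b.*\b(dba|sysdba|sysoper)\b", re.IGNORECASE)
PRIV_ALTER = re.compile(r"\balter\s+user\s+(sys|system)\b", re.IGNORECASE)
FAILED_LOGON_THRESHOLD = 5  # assumed tuning value
ORA_INVALID_LOGON = "1017"


def parse_audit(text):
    """Parse the CSV audit extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate_rules(records):
    """Return (rule_name, record) pairs for every record that trips a rule."""
    alerts = []
    failed = Counter()
    for r in records:
        sql = r["sql_text"]
        if PRIV_GRANT.search(sql):
            alerts.append(("PRIV_ROLE_GRANT", r))
        if PRIV_ALTER.search(sql):
            alerts.append(("PRIV_ACCOUNT_ALTER", r))
        if r["action_name"] == "LOGON" and r["returncode"] == ORA_INVALID_LOGON:
            key = (r["db_user"], r["userhost"])
            failed[key] += 1
            # Alert once, when the burst crosses the threshold.
            if failed[key] == FAILED_LOGON_THRESHOLD:
                alerts.append(("LOGON_FAILURE_BURST", r))
    return alerts


def format_alert(rule, r):
    """Render an alert line, marking the client-supplied (spoofable) fields."""
    untrusted = ", ".join(f"{k}={r[k]}" for k in CLIENT_SUPPLIED)
    return (f"{r['timestamp']} {rule} db_user={r['db_user']} "
            f"[client-supplied, spoofable: {untrusted}]")


if __name__ == "__main__":
    for rule, rec in evaluate_rules(parse_audit(SAMPLE_AUDIT)):
        print(format_alert(rule, rec))
```

Run on the constructed records it raises three alerts: the DBA grant, the ALTER USER on SYS, and the fifth failed HR logon from the same host. The point of the bracketed suffix is the one made below about forensics: the database user and the statement text are what the server saw, while os_user, userhost and client_program are whatever the client chose to send.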

Talking of publications, I noticed that my book had been reviewed via the ACM-run reviews.com web site: http://www.reviews.com/review/review_review.cfm?listname=highlight&review_id=137053. I wrote the book in both the Christmas and annual holidays of 2006-2007 whilst at NGS, so it provides some nostalgia to read this review. Additionally it brings a little bemusement at the fact that it is still the only book on the subject of Oracle forensics, which represents room for improvement, as this subject is far from being solved.

Relational DBs do not persist actions over time like OS file systems do, and DB logging systems can only record the session details provided by the client, most of which are spoofable. Additionally, escalations between medium-level system privileges and SYSDBA still abound. Lastly, every logging system I have worked with has been bypassable in some way, so the problem of accurately tracing user activity within the Oracle DB still needs a lot more work.

Recently there has been some movement in terms of other Database Forensics research publications, especially by Martin S. Olivier, who has collected together a number of references at this page: http://mo.co.za/forbib.htm. His paper entitled “On metadata context in Database Forensics” is worth noting.
