   Pete Finnigan's Oracle Security Forum
(Moderator: Pete Finnigan)
   Author  Topic: Oracle Voyager Worm  (Read 10831 times)
kornbrust
Oracle Voyager Worm
« on: Nov 1st, 2005, 7:22am »
Hello
 
Yesterday an anonymous poster released the source for an Oracle worm called "Voyager" on the full disclosure mailing list.
 
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html
 
 
The analysis of the worm and some countermeasures are available on my website:
 
 
 
If your database is hardened the worm will not work.
 
 
Regards
 
 Alexander Kornbrust
 
---
Red-Database-Security GmbH
« Last Edit: Sep 17th, 2009, 4:38pm by Pete Finnigan »
isaez
Re: Oracle Voyager Worm
« Reply #1 on: Nov 1st, 2005, 2:03pm »
Alexander,
 
What do you mean in step 5 (protection) by :
"On Oracle 10g always disable local OS authentication and use a strong password instead."
 
Do you refer to the listener password or oracle account passwords?
If you refer to the listener password: how do you disable local OS authentication?
 
Ivan
kornbrust
Re: Oracle Voyager Worm
« Reply #2 on: Nov 1st, 2005, 8:49pm »
Ivan
 
I am referring to the TNS listener password. I found a possibility to circumvent the local OS authentication (Already reported to Oracle, Oracle bugid: 6454409).
 
If you use a password protected listener (with a strong password) your systems are safe (AFAIK).
 
Set the following value in the listener.ora and restart the listener.
LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF
 
Hope this helps...
 
 
Regards
 
 Alexander
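
Added example, not part of Alexander's post or any forum member's code: a listener.ora check for the settings discussed in this exchange. The sample file contents and the password value are constructed; PASSWORDS_<listener> and ADMIN_RESTRICTIONS_<listener> are standard listener.ora parameters that the thread itself does not mention.

```python
import re

# Constructed listener.ora fragments (not taken from a real system).
WEAK = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
# LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""
HARDENED = WEAK + """\
PASSWORDS_LISTENER = (0123456789ABCDEF)
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
ADMIN_RESTRICTIONS_LISTENER = ON
"""

PARAM = re.compile(r"^\s*([A-Za-z_][\w$]*)\s*=\s*(.*?)\s*$")

def top_level_params(text):
    """Return {NAME: value} for parameters that start at paren depth 0."""
    params, depth = {}, 0
    for line in text.splitlines():
        line = line.split("#", 1)[0]              # drop comments
        m = PARAM.match(line) if depth == 0 else None
        if m:
            params[m.group(1).upper()] = m.group(2)
        depth += line.count("(") - line.count(")")  # skip nested bodies
    return params

def audit(text, listener="LISTENER"):
    """List hardening gaps for one listener name."""
    p = top_level_params(text)
    name = listener.upper()
    findings = []
    if not p.get(f"PASSWORDS_{name}", "").strip("() "):
        findings.append("no listener password set")
    # Setting recommended in the reply above.
    if p.get(f"LOCAL_OS_AUTHENTICATION_{name}", "").upper() != "OFF":
        findings.append("local OS authentication not disabled")
    # ON makes the listener refuse runtime SET commands.
    if p.get(f"ADMIN_RESTRICTIONS_{name}", "").upper() != "ON":
        findings.append("runtime SET commands not restricted")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```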
isaez
Re: Oracle Voyager Worm
« Reply #3 on: Nov 1st, 2005, 9:44pm »
Alexander,
 
Thank you. I did not know the LOCAL_OS_AUTHENTICATION parameter.
 
regards,
 
Ivan
isaez
Re: Oracle Voyager Worm
« Reply #4 on: Nov 2nd, 2005, 8:21pm »
Alexander,
 
I think the "proof-of-concept" worm is based on the tnscmd.pl tool and it can't work against 10G Oracle databases because the TNS header has changed. Using Ethereal I've changed tnscmd.pl to work against 10G listeners. Maybe it is off-topic but if people want to play with the "proof-of-concept" worm they have to change the "vRequest" string in the worm's code to experiment with 10G databases. If someone wants my adapted version of tnscmd.pl let me know and I'll send it to you.
 
Ivan
ensslen
Re: Oracle Voyager Worm
« Reply #5 on: Nov 4th, 2005, 3:18am »
It may not be good behaviour to criticize one's host, but I don't understand the lapse of judgement that resulted in describing Voyager as a worm.

According to both Wikipedia and FOLDOC a worm needs to be self propagating, which Voyager is not.

IMHO, Voyager is not a breakthrough, proof-of-concept worm. Rather Voyager is a very limited and poorly written scanner, which has received far more notice than it deserves. We should speak no more of Voyager: There are a number of better scanners available for download from this site.
 
Steven
« Last Edit: Nov 4th, 2005, 3:19am by ensslen »
isaez
Re: Oracle Voyager Worm
« Reply #6 on: Nov 4th, 2005, 9:12am »
Ensslen,
 
Don't be afraid to criticize.
Don't forget it is a proof-of-concept worm. It can easily be adapted to be self-propagating. I agree that there are many requirements to be met before such a worm could be effective:
1) the use of default passwords (I read somewhere an article in which Alexander says that at least 60 percent of all customers have at least a few databases with default passwords!),
2) find a default uc/password combination with enough privileges to make it self-propagating,
3) an unprotected listener (if people still have default passwords the chances they have unprotected listeners are big),

If 1 is met but 2 is not then you could still use 3 to make the worm self-propagating:
 
If they have an unprotected listener then instead of just using it to discover instances you could use it to adapt the glogin.sql for example. Let me show how you can do it with tnscmd.pl:
 
Code:
oracle@Asus:~/Worm > ./tnscmd10g.pl status -h 10.0.0.153 --10G --indent
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.0.0.153:1521
writing 181 bytes
reading
.M.......9.........-. ..........
  DESCRIPTION=
    TMP=
    VSNNUM=169869568
    ERR=0
 
.
........
  DESCRIPTION=
    TMP=
    VSNNUM=169869568
    ERR=0
    ALIAS=LISTENER
    SECURITY=OFF
    VERSION=TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    START_DATE=04-NOV-2005 09:34:03
    SIDNUM=1
    LOGFILE=/u01/app/oracle/product/10r2/db_1/network/log/listener.log
    PRMFILE=/u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
    TRACING=off
    UPTIME=4433
    SNMP=OFF
    PID=13232
    START_DATE_NUM=2005-11-04 09:34:03

 
From the above information I know where to find the glogin.sql file: in /u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql
The above listener is using the default location for the LOGFILE.
Using the same tnscmd tool I can reset the listener's LOGFILE to .../glogin.sql and then I can use tnscmd to fill the glogin.sql with the statements to propagate the worm:
 
Code:

tnscmd10g.pl -h 10.0.0.151 --10G  --rawcmd "(CONNECT_DATA=((<here your pl/sql code to propagate>"

 
After creating and filling glogin.sql I can reset the LOGFILE to its original value.
The site is now infected with code to make the worm propagate itself.
The code that is used by tnscmd is already inside the "proof-of-concept" worm (except for the adaptations needed by 10G).
Another adaptation would be the correct calculation of the subnetmask to scan all the systems in the network.
To make it jump to an external network seems very difficult. You hardly see db-links between organizations. But most organizations have many databases.
My conclusion is that this proof-of-concept worm deserves to be discussed.
 
 
Ivan
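
Added example, not part of Ivan's post: a defender-side check that parses a listener status reply and flags the two conditions the post relies on, SECURITY=OFF and a LOGFILE that is not a .log file in the listener's log directory. The flat parenthesised reply layout and the redirected LOGFILE value are constructed from the values shown in the post.

```python
import posixpath

# Values come from the status reply in the post; the flat parenthesised
# layout and the second LOGFILE value are constructed for this example.
HOME = "/u01/app/oracle/product/10r2/db_1"
BASELINE = ("(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=0)(ALIAS=LISTENER)"
            "(SECURITY=OFF)(LOGFILE=" + HOME + "/network/log/listener.log)"
            "(PRMFILE=" + HOME + "/network/admin/listener.ora))")
REDIRECTED = BASELINE.replace("/network/log/listener.log",
                              "/sqlplus/admin/glogin.sql")

def parse_tns(s):
    """Return (path, value) leaves of nested (KEY=VALUE) text."""
    leaves, stack, i = [], [], 0
    while i < len(s):
        if s[i] == "(":
            eq = s.find("=", i)
            if eq < 0:
                break                       # malformed: key without '='
            stack.append(s[i + 1:eq].strip().upper())
            end = eq + 1
            while end < len(s) and s[end] not in "()":
                end += 1
            if s[end:end + 1] == ")":       # leaf: plain text up to ')'
                leaves.append(("/".join(stack), s[eq + 1:end].strip()))
            i = end
        else:
            if s[i] == ")" and stack:
                stack.pop()
            i += 1
    return leaves

def audit_status(reply, log_dir):
    """Flag an unprotected listener and a log file outside log_dir."""
    info = {path.rsplit("/", 1)[-1]: val for path, val in parse_tns(reply)}
    findings = []
    if info.get("SECURITY", "").upper() == "OFF":
        findings.append("listener reports SECURITY=OFF")
    logfile = posixpath.normpath(info.get("LOGFILE", ""))
    if (posixpath.dirname(logfile) != posixpath.normpath(log_dir)
            or not logfile.endswith(".log")):
        findings.append("unexpected LOGFILE: " + logfile)
    return findings

if __name__ == "__main__":
    for name, reply in (("baseline", BASELINE), ("redirected", REDIRECTED)):
        print(name, audit_status(reply, HOME + "/network/log"))
```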
ensslen
Re: Oracle Voyager Worm
« Reply #7 on: Nov 4th, 2005, 6:02pm »
ISaez,
 
 I am not trying to challenge anyone, I'm just trying to clarify.
 
  I agree that there are many different ways of hacking Oracle Databases, and that these can be used to create worms.  I also agree that the technique that you describe in your most recent post could be used to make a worm.  
 
 I may be stubborn, but none of this is news.  That Oracle databases have exploits is well publicized.  That these exploits could be scripted into a worm is common sense.  But Voyager does not prove the concept.  
 
Steven
 
(And I would caution you to be careful with what you post.  The courts in many jurisdictions are technophobic and may not distinguish between explaining worms and encouraging their development.)
isaez
Re: Oracle Voyager Worm
« Reply #8 on: Nov 4th, 2005, 6:21pm »
Steven,
 
I think the concept of an Oracle Worm is new. But it is my opinion and if you don't agree then I respect that.

Thank you for your warning but everything I've posted is of public knowledge so I am not disclosing anything.
 
Ivan
Pete Finnigan
Re: Oracle Voyager Worm
« Reply #9 on: Nov 4th, 2005, 7:03pm »
Hi Guys,
 
The post says that it is incomplete and alright it is not actually a worm as it doesn't replicate but the concept is there to show that it is possible to create an Oracle based worm in a similar vein to the slammer worm that plagued SQL Server.

I think it is valid to describe it as a worm as it is a concept only. The other thing to remember is that currently - in my opinion - a slammer type worm could not plague Oracle systems to the same effect as slammer did simply because there is only a fraction of the number of Oracle databases exposed to the net than there were SQL databases.
 
cheers
 
Pete
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
kornbrust
Advice regarding the so-called Oracle Voyager Wor
« Reply #10 on: Nov 5th, 2005, 7:42am »
Today I've got this email from Oracle.
 
Regards
  Alex
 
-----Original Message-----
From: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Sent: Saturday, 5 November 2005 06:23
To: Kornbrust, Alexander
Subject: Advice regarding the so-called "Oracle Voyager Worm"


Dear Oracle customer,

Oracle Global Product Security has investigated the recent Internet publication of the so-called "Oracle Voyager Worm" that is designed to target Oracle databases. In its current form, the code is incomplete and poses no immediate threat to Oracle customers.  The code does not expose or attempt to exploit an Oracle product security vulnerability.  Instead, the code outlines an attack against Oracle database systems that have been configured insecurely.
 
Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.  
 
The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1
 
Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html
 
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
 
Sincerely,  
     Oracle Global Product Security  
     
PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
******************
gamyers
Re: Oracle Voyager Worm
« Reply #11 on: Nov 6th, 2005, 11:30pm »
It seems (to me) to be a valid proof of concept. Admittedly, the code currently written only attempts to create a table at the end of the DB link, but using DBMS_METADATA (or even simply selecting from user_source) it could easily re-extract its own source code and so create a copy of itself at the destination.  
 
The only other major missing component of the worm is that it doesn't attempt to execute anything. A worm should not only try to copy itself but try to get that copy running. DBMS_JOB is the obvious mechanism, and is a prime candidate for lockdown.
isaez
Re: Advice regarding the so-called Oracle Voyager
« Reply #12 on: Nov 7th, 2005, 8:02am »
on Nov 5th, 2005, 7:42am, kornbrust wrote:
Today I've got this email from Oracle.

Regards
  Alex

-----Original Message-----
From: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Sent: Saturday, 5 November 2005 06:23
To: Kornbrust, Alexander
Subject: Advice regarding the so-called "Oracle Voyager Worm"
 
......
 Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.  
....

 
 
To which "industry standard security best practices" is Oracle referring?
 
Ivan
Pete Finnigan
Re: Oracle Voyager Worm
« Reply #13 on: Nov 7th, 2005, 2:45pm »
Hi Ivan,
 
This is an interesting point that you have raised. I am not aware of an industry standard for securing Oracle except perhaps my book or the SANS course or the CIS benchmark. I guess that they might be referring to more high level practices such as least privilege principles, security in depth etc.

I talked about the same issue in this forum some time ago and also in my blog - the issue of creating an open standard for securing an Oracle database. I have installed a wiki on this site. It needs some initial configuration and then we can get going. I think that it would be a worthwhile endeavor to produce a list of issues, vulnerabilities, configuration issues, bugs and best practices etc. My idea was to have a main page and then the categories such as configuration, bugs, best practices, privileges, OS issues, network issues etc. Then each category would list each separate issue and each would have their own page with a short description, fix, issue, what tools already check for the issues and so on.

My final thought was to then be able to collate a complete checklist from this / or a standard for hardening or building Oracle. I chose to use a wiki so that others can collaborate and add to it.
 
cheers
 
pete
koolivand
Re: Oracle Voyager Worm
« Reply #14 on: Jan 22nd, 2008, 1:49pm »
Hi Ivan

I need your help

I work with Oracle 10g. When I use "tnscmd10g status ... " I see "ERROR=(CODE=12618" .

Please help me to change tnscmd10g to work with Oracle 10g

Thanks
 
ghassem
g.koolivand@gmail.com