Call: +44 (0)1904 557620 Call
Forum

Welcome, Guest. Please Login.
Aug 11th, 2022, 12:07am
News: If you would like to register contact the forum admin
Home | Help | Search | Members | Login
   Pete Finnigan's Oracle Security Forum
   Oracle Security
   Oracle Security
(Moderator: Pete Finnigan)
   Oracle Voyager Worm
« Previous topic | Next topic »
Pages: 1 2  Reply | Notify of replies | Send Topic | Print
   Author  Topic: Oracle Voyager Worm  (Read 20284 times)
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Oracle Voyager Worm
« on: Nov 1st, 2005, 7:22am »
Quote | Modify

Hello
 
Yesterday an anonymous poster released the source for an Oracle worm called "Voyager" on the full disclosure mailing list.
 
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.h tml  
 
 
The analysis of the worm and some countermeasures are available on my website:
 
 
 
If your database is hardened the worm will not work.
 
 
Regards
 
 Alexander Kornbrust
 
---
Red-Database-Security GmbH
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #1 on: Nov 1st, 2005, 2:03pm »
Quote | Modify

Alexander,
 
What do you mean in step 5 (protection) by :
"On Oracle 10g always disable local OS authentication and use a strong password instead."
 
Do you refer to the listener password or oracle account passwords?
If you refer to the listener password: how do you disable local OS authentication?
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #2 on: Nov 1st, 2005, 8:49pm »
Quote | Modify

Ivan
 
I am referring to the TNS listener password. I found a possiblity to circumvent the local OS authentication (Already reported to Oracle, Oracle bugid: 6454409).
 
If you use a password protected listener (with a strong password) your systems are safe (AFAIK).
 
Set the following value in the listener.ora and restart the listener.
LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF
 
Hope this helps...
 
 
Regards
 
 Alexander
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #3 on: Nov 1st, 2005, 9:44pm »
Quote | Modify

Alexander,
 
Thank you. I did not know the  LOCAL_OS_AUTHENTICATION parameter.
 
regards,
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #4 on: Nov 2nd, 2005, 8:21pm »
Quote | Modify

Alexander,
 
I think the "proof-of-conecpt" worm is based on the tnscmd.pl tool and it can't work with against a 10G oracle databases because the TNS header has changed. Using ethereal I've changed tnscmd.pl to work against 10G listeners. Maybe it is off-topic but if people want to play with the "proof-of-concept" worm they  have to change the "vRequest" string in the worms code to experiment with 10G databases.  If someone wants my adapted version of tnscmd.pl let me know and I'll send it to you.
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #5 on: Nov 4th, 2005, 3:18am »
Quote | Modify

It may not be good behaviour to criticize one's host, but I don't understand the lapse of judgement that resulted in describing Voyager a worm.
 
According to both wikipedia and FOLDOC a worm needs to be self propagating, which Voyager is not.
 
IMHO, Voyager is not a breakthrough, proof-of-concept worm.  Rather Voyager is a very limited and poorly written scanner, which has recieved far more notice than it deserves.  We should speak no more of Voyager: There are a number of better scanners available for download from this site.
 
Steven
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #6 on: Nov 4th, 2005, 9:12am »
Quote | Modify

Ensslen,
 
Don't be afraid of criticize.  
Don't forget it is a proof-of-concept worm. It can easily be adapted to be self propagated. I agree that there are many requirements to be met before such a worm could be effective:  
1) the use of default passwords (i read somewhere an article in which Alexander says that at least 60 percent of all customers have at least a few databases with default passwords!),  
2) find a default uc/password combination with enough orivileges to make it self-propagating,
3) an unprotected listener (if people still have default passwords the chances they have unprotected listeners is big),
 
If 1 is met but 2 is not then you could still use 3 to make  
the worm self-propagating:
 
If they have an unprotected listener then instead of just using it to discover instances you could use it to adapt the glogin.sql for example. Let me show how you can do it with tnscmd.pl:
 
Code:
oracle@Asus:~/Worm > ./tnscmd10g.pl status -h 10.0.0.153 --10G --indent
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)( ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.0.0.153:1521
writing 181 bytes
reading
.M.......9.........-. ..........
  DESCRIPTION=
    TMP=
    VSNNUM=169869568
    ERR=0
 
.
........
  DESCRIPTION=
    TMP=
    VSNNUM=169869568
    ERR=0
    ALIAS=LISTENER
    SECURITY=OFF
    VERSION=TNSLSNR for Linux: Version 10.2.0.1.0 - Production
    START_DATE=04-NOV-2005 09:34:03
    SIDNUM=1
    LOGFILE=/u01/app/oracle/product/10r2/db_1/network/log/listener.log
    PRMFILE=/u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
    TRACING=off
    UPTIME=4433
    SNMP=OFF
    PID=13232
    START_DATE_NUM=2005-11-04 09:34:03

 
From the above information  I know where to find the glogin.sql file: in /u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql
The above listener is using the default location for the LOGFILE.  
Using the same tnscmd tool I can reset the listeners LOGFILE to .../glogin.sql and then I can use tnscmd to fill the glogin.sql with the statements to propagate the worm:
 
Code:

tnscmd10g.pl -h 10.0.0.151 --10G  --rawcmd "(CONNECT_DATA=((<here your pl/sql code to propagate>"

 
After creating and filling glogin.sql I can reset the LOGIFLE to it's original value.
The site is now infected with code to make the worm propagate itself.
The code that is used by tnscmd is allready inside the "proof-of-concept" worm (except for the adaptations needed by 10G).  
Another adaptation would be the correct calculation of the  
subnetmask to scan all the systems in the network.
To make it jump to an external network seems very difficult. You hardly see db-links between organizations. But most organizations have many databases.
My conclusion is that this proof-of-concept worm deserves to be discussed.  
 
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #7 on: Nov 4th, 2005, 6:02pm »
Quote | Modify

ISaez,
 
 I am not trying to challenge anyone, I'm just trying to clarify.
 
  I agree that there are many different ways of hacking Oracle Databases, and that these can be used to create worms.  I also agree that the technique that you describe in your most recent post could be used to make a worm.  
 
 I may be stubborn, but none of this is news.  That Oracle databases have exploits is well publicized.  That these exploits could be scripted into a worm is common sense.  But Voyager does not prove the concept.  
 
Steven
 
(And I would caution you to be careful with what you post.  The courts in many jurisdictions are technophobic and may not distinguish between explaining worms and encouraging their development.)
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #8 on: Nov 4th, 2005, 6:21pm »
Quote | Modify

Steven,
 
I think the concept of a Oracle Worm is new. But it is my opinion and if you don't agree then I respect that.
 
Thank you for you warning but everything I've posted is of public knowledge so I am  not disclosing anything.
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #9 on: Nov 4th, 2005, 7:03pm »
Quote | Modify

Hi Guys,
 
The post says that it is incomplete and alright it is not actually a worm as it doesn't replicate but the concept is there to show that it is possoble to create an Oracle based worm in a similar veign to the slammer worm that plagued SQL Server.  
 
I think it is valid to describe it as a worm as it is a concept only. The other thing to remember is that currently - in my opinion - a slammer type worm could not plague Oracle systems to the same effect as slammer did simply because there is only a fraction of the number of Oracle databases exposed to the net than there was SQL databases.
 
cheers
 
Pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Advice regarding the so-called Oracle Voyager Wor
« Reply #10 on: Nov 5th, 2005, 7:42am »
Quote | Modify

Today  I've got this email from Oracle.
 
Regards
  Alex
 
-----Ursprüngliche Nachricht-----
Von: Oracle Global Product Security [mailto:replies@oracle-mail.com]  
Gesendet: Samstag, 5. November 2005 06:23
An: Kornbrust, Alexander
Betreff: Advice regarding the so-called ¿Oracle Voyager Worm¿
 
 
Dear Oracle customer,
 
Oracle Global Product Security has investigated the recent Internet publication of the so-called ¿Oracle Voyager Worm¿ that is designed to target Oracle databases. In its current form, the code is incomplete and poses no immediate threat to Oracle customers.  The code does not expose or attempt to exploit an Oracle product security vulnerability.  Instead, the code outlines an attack against Oracle database systems that have been configured insecurely.
 
Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.  
 
The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1
 
Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html
 
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checkl ist_db_database.pdf
 
Sincerely,  
     Oracle Global Product Security  
     
PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
******************
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #11 on: Nov 6th, 2005, 11:30pm »
Quote | Modify

It seems (to me) to be a valid proof of concept. Admittedly, the code currently written only attempts to create a table at the end of the DB link, but using DBMS_METADATA (or even simply selecting from user_source) it could easily re-extract its own source code and so create a copy of itself at the destination.  
 
The only other major missing component of the worm is that it doesn't attempt to execute anything. A worm should not only try to copy itself but try to get that copy running. DBMS_JOB is the obvious mechanism, and is a prime candidate for lockdown.
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Advice regarding the so-called Oracle Voyager
« Reply #12 on: Nov 7th, 2005, 8:02am »
Quote | Modify

on Nov 5th, 2005, 7:42am, kornbrust wrote:
Today  I've got this email from Oracle.
 
Regards
  Alex
 
-----Ursprüngliche Nachricht-----
Von: Oracle Global Product Security [mailto:replies@oracle-mail.com]  
Gesendet: Samstag, 5. November 2005 06:23
An: Kornbrust, Alexander
Betreff: Advice regarding the so-called ¿Oracle Voyager Worm¿
 
......
 Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.  
....

 
 
To which "industry standard security best practices" is Oracle refering?
 
Ivan
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #13 on: Nov 7th, 2005, 2:45pm »
Quote | Modify

Hi Ivan,
 
This is an interesting point that you have raised. I am not aware of an industry standard for securing Oracle except perhaps my book or the SANS course or the CIS benchmark. I guess that they might be referring to more high level practices such as least privilege principals, security in depth etc.  
 
I talked about the same issue in this forum some time ago and also in my blog - the issue of creating an open standard for securing an Oracle database. I have installed a wiki on this site. It needs some initial configuration and then we can get going. I think that it would be a worthwhile endeavor to produce a list of issues, vulnerabilities, configuration issues, bugs and best practices etc. My idea was to have a main page and then the categories such as configuration, bugs, bext practices, privileges, OS issues, network issues etc. Then each category would list each separate issue and each would have their own page with a short description, fix, issue, what tools already check for the issues and so on.  
 
My final thought was to then be able to collate a complete checklist from this / or a standard for hardeing or building Oracle. I chose to use a wiki so that others can collaborate and add to it.
 
cheers
 
pete
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
*****




Oracle Security is easier if you design for it

   
View Profile | WWW | Email

Gender: male
Posts: 309
Re: Oracle Voyager Worm
« Reply #14 on: Jan 22nd, 2008, 1:49pm »
Quote | Modify

hi ivan
 
I need help you
 
I work with oracle 10g. when i  use "tnscmd10g status ... "  i see "ERROR=(CODE=12618" .
 
please help me to change tnscmd10g for work with oracle 10g
 
tanks
 
ghassem
g.koolivand@gmail.com
IP Logged

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pages: 1 2  Reply | Notify of replies | Send Topic | Print

« Previous topic | Next topic »

Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board
  • PFCLScan PFCLScan

    Simply connect PFCLScan to your Oracle database and it will automatically discover the security issues that could make your Oracle database vulnerable to attack and to the potential loss of your data.

  • PFCL Obfuscate PFCLObfuscate

    PFCLObfuscate is the only tool available that can automatically add license controls to your PL/SQL code. PFCLObfuscate protects your Intellectual Property invested in your PL/SQL database code.

  • PFCLCode PFCLCode

    PFCLCode is a tool to allow you to analyse your PL/SQL code for many different types of security issues. PFCLCode gives you a detailed review and reports and includes a powerful colour syntax highlighting code editor

  • PFCLForensics PFCLForensics

    PFCLForensics is the only tool available to allow you to do a detailed live response of a breached Oracle database and to then go on and do a detailed forensic analysis of the data gathered.

  • Products We resell PFCLReselling

    PeteFinnigan.com Limited has partnered with a small number of relevant companies to resell their products where they enhance or compliment what we do

  • PFCLATK PFCLATK

    PFCLATK is a toolkit that allows detailed pre-defined policy driven audit trails for your Oracle database. The toolkit also provides for a centralised audit trail and centralised activity reporting

  • PFCLCookie PFCLCookie

    PFCLCookie is a useful tool to use to audit your websites for tracking cookies. Scan websites in a natural way using powerful browser driven scanner

  • PFCL Training PFCLTraining

    PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database, design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

  • PFCL Services PFCLServices

    Choose PFCLServices to add PeteFinnigan.com Ltd to your team for your Oracle Security needs. We are experts in performing detailed security audits, data security design work and policy creation

  • PFCLConsulting PFCLConsulting

    Choose PFCLConsulting to ask PeteFinnigan.com Limited to set up and use our products on your behalf

  • PFCLCustom PFCLCustom

    All of our software products can be customised at a number of levels. Choose this to see how our products can be part of your products and services

  • PFCLCloud PFCLCloud

    Private cloud, public cloud, hybrid cloud or no cloud. Learn how all of our services, trainings and products will work in the cloud

  • PFCLUserRights PFCLUserRights

    PFCLUserRights allows you to create a very detailed view of database users rights. The focus of the reports is to allow you to decide what privileges and accounts to keep and which to remove.

  • PFCLSTK PFCLSTK

    PFCLSTK is a toolkit application that allows you to provide database security easily to an existing database. PFCLSTK is a policy driven toolkit of PL/SQL that creates your security

  • PFCLSFTK PFCLSFTK

    PFCLSFTK is a toolkit that solves the problem of securing third party applications written in PL/SQL. It does this by creating a thin layer between the application and database and this traps SQL Injection attempts. This is a static firewall.

  • PFCLSEO PFCLSEO

    PFCLSEO is a web scanner based on the PFCLScan technology so that a user can easily scan a website for technical SEO issues