   Pete Finnigan's Oracle Security Forum
Topic: Many ways to become DBA
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
Many ways to become DBA
« on: Nov 23rd, 2005, 12:52am »

Hello Pete,
 
I have read with interest your above paper.
 
You provide two techniques for Scott/tiger to become DBA.  The first using validate_stmt and the second using authid current_user + get_dll.
 
Are you saying that these types of hacks are potential hacks, or real?  If they are real, have they been patched in Oracle?  Are there ways to prevent them through configuration?  Or are you saying these have been patched but there are many more like them?
 
Otherwise what you are saying is that Oracle does not, in practice, have meaningful role based security.
 
Thanks,
 
Anthony

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #1 on: Nov 24th, 2005, 6:50pm »

Hi Anthony,
 
Thanks for your comments. Yes both types of attack are real and documented elsewhere. I was careful to not post new exploits, hence I used existing ones. They have both been fixed. The DRILOAD bug is widely published and is in fact the bug that has not been correctly fixed in CPU October (David can jump in here, as he found the issue!).
 
There are literally hundreds more of these types of bugs. Alex has just reported some 250+ of them to Oracle, there are others reported by other researchers as well. There are also quite a lot of others like these that have been fixed and patched.
 
It is not an issue of role based security but vulnerabilities.  
 
cheers
 
Pete
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #2 on: Nov 24th, 2005, 8:56pm »

Hi Anthony
 
The ctxsys.validate_stmt bug is old. I found and reported this bug nearly 2 years ago (Jan-2004).
 
Oracle fixed this bug 7 months later with alert 68.
 
 
More details here
oracle_sql_injection_via_ctxsys_driload.html
 
 
Even in a fully patched Oracle 10.1.0.4  (with CPU October) there are different ways available  for a user like scott to become DBA.
 
Regards
 
 Alexander Kornbrust
 
---
 
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #3 on: Nov 24th, 2005, 9:18pm »

I think I should clarify that Alex found the driload bug but David found that it was still vulnerable in subsequent CPUs for certain operating systems. Basically he found that the fixed package was not installed correctly. If you follow some of the posts in my blog and some of the news articles that are referenced you can research some of the background to this issue.
 
cheers
 
Pete
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #4 on: Nov 24th, 2005, 11:58pm »

Thanks for the clarification.  It is obviously a complex API that has not been thrashed by undergraduate students!
 
I suppose that Oracle security largely depends on the database being behind the firewall and behind an application.  And warehouses have limited data and a small number of users generally can access all of the data.
 
It makes techniques such as TDE and Oracle Vault less appealing.  You really want to encrypt sensitive data before it gets into the database.
 
But I'm glad to hear that at least your published holes have been (belatedly) plugged.
 
Thanks,
 
Anthony
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #5 on: Nov 25th, 2005, 8:13am »

on Nov 24th, 2005, 8:56pm, kornbrust wrote:

...
...
Even in a fully patched Oracle 10.1.0.4  (with CPU October) there are different ways available  for a user like scott to become DBA.
 
Regards
 
 Alexander Kornbrust
 
---
 

 
Alex, from a security point of view which Oracle version is better protected against simple accounts like Scott becoming DBA? Oracle 10 release 2?  or perhaps good old 7.3.4?
Or are the problems you mention (users becoming DBA through sql injection, buffer overflow) fundamental problems deep in the Oracle kernel?
 
Ivan
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #6 on: Nov 25th, 2005, 8:46am »

Ivan
 
Using Oracle 10g Release 2 is a good decision from the security perspective. Not 100% secure but not easy to hack.
 
At the moment most approaches to become DBA are SQL Injection bugs in internal Oracle Packages (like ctxsys.driload or dbms_metadata).  Oracle fixed (most of?) these problems in 10gR2.    
 
But even in 10g R2 it is possible to escalate privileges via Oracle programs like the import-utility or htmldb.  
 
 
To harden an old  database (< 10.2.x) you should do at least the following
 
* Sanitize the connect role (just create session and alter session)  
* revoke public privileges from utl_*, dbms_lob, dbms_advisor
* Use the least privilege principle (be careful with the resource role)
* apply the latest Oracle CPU
* set the tns listener password
* change accounts with default/weak passwords
 
 
Regards
 
 Alex
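Added example (not part of the original posts): read-only dictionary queries that check three items from the hardening checklist in the reply above, namely the CONNECT role, PUBLIC grants on utl_*, dbms_lob and dbms_advisor, and the RESOURCE role. It assumes a session with SELECT access to the DBA_* dictionary views.

```sql
-- Added example: audit queries for three checklist items.
-- Assumption: the session can read the DBA_* dictionary views.

-- 1. CONNECT role: any system privilege beyond CREATE SESSION / ALTER SESSION.
--    An empty result means the role is already sanitized.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
AND    privilege NOT IN ('CREATE SESSION', 'ALTER SESSION')
ORDER  BY privilege;

-- 2. EXECUTE granted to PUBLIC on the packages named in the checklist.
--    ESCAPE '\' makes the underscore literal, so only the UTL_ prefix matches.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND   (table_name LIKE 'UTL\_%' ESCAPE '\'
       OR table_name IN ('DBMS_LOB', 'DBMS_ADVISOR'))
ORDER  BY owner, table_name;

-- 3. RESOURCE role: who holds it ...
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'RESOURCE'
ORDER  BY grantee;

--    ... and which system privileges it carries in this database.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'RESOURCE'
ORDER  BY privilege;
```

Rows returned by queries 1 and 2 are candidates for REVOKE; check DBA_DEPENDENCIES for schemas that rely on a package before revoking it from PUBLIC.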
Pete Finnigan
PeteFinnigan.com Administrator
Re: Many ways to become DBA
« Reply #7 on: Nov 25th, 2005, 9:28am »

on Nov 25th, 2005, 8:46am, kornbrust wrote:
Ivan
 
Using Oracle 10g Release 2 is a good decision from the security perspective. Not 100% secure but not easy to hack.
 
To harden an old  database (< 10.2.x) you should do at least the following
 
* Sanitize the connect role (just create session and alter session)  
* revoke public privileges from utl_*, dbms_lob, dbms_advisor
* Use the least privilege principle (be careful with the resource role)
* apply the latest Oracle CPU
* set the tns listener password
* change accounts with default/weak passwords
 
 
Regards
 
 Alex

 
 
Alex,  
 
Thank you for responding. I use 10G release 2 at the moment and like very much its new security features.
I've never used the connect and resource role in my instances. I've always created my own role, application_user, with only create session. And for the schema owner an application_owner role with some create <thing> privs.
Yesterday Pete talked about the DOD document in his blog and also about the Oracle security checklist. These two documents are indeed very good and useful and if we add Oracle's Defense-In-Depth Security, Oracle's principle of least privilege, the CIS benchmark, your advice and white papers found on your web-site, Pete's papers/advice, David Litchfield (NGSSoftware) papers/advice, Argeniss papers, etc. people have very good material to understand Oracle security and convert potential security crises into challenges and devise an appropriate defence for their Oracle databases.
But there is always a last frontier: defeat politics inside an organisation, defeat lack of interest in Oracle security.
Many people think that Oracle security is a synonym of OS/Network security: just throw a firewall into the equation and you are ready!
So management is not always willing to put extra effort (=money) in securing the database.
Oracle databases are more and more communicating with other databases outside the own organisation. Sometimes directly, sometimes indirectly through (e.g.) web-services. So it's not enough to just protect your own database but you must be able to trust someone else's database. Therefore people have to speak the same security language. Ergo: we need an Oracle Security Standard!
 
Ivan