Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Oracle Voyager Worm
(Message started by: Pete Finnigan on Nov 1st, 2005, 7:22am)

Title: Oracle Voyager Worm
Post by Pete Finnigan on Nov 1st, 2005, 7:22am
Hello

Yesterday an anonymous poster released the source for an Oracle worm called "Voyager" on the full disclosure mailing list.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html


The analysis of the worm and some countermeasures are available on my website:



If your database is hardened the worm will not work.


Regards

Alexander Kornbrust

---
Red-Database-Security GmbH

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 1st, 2005, 2:03pm
Alexander,

What do you mean in step 5 (protection) by :
"On Oracle 10g always disable local OS authentication and use a strong password instead."

Do you refer to the listener password or oracle account passwords?
If you refer to the listener password: how do you disable local OS authentication?

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 1st, 2005, 8:49pm
Ivan

I am referring to the TNS listener password. I found a possibility to circumvent the local OS authentication (Already reported to Oracle, Oracle bugid: 6454409).

If you use a password protected listener (with a strong password) your systems are safe (AFAIK).

Set the following value in the listener.ora and restart the listener.
LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF

Hope this helps...


Regards

Alexander

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 1st, 2005, 9:44pm
Alexander,

Thank you. I did not know the LOCAL_OS_AUTHENTICATION parameter.

regards,

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 2nd, 2005, 8:21pm
Alexander,

I think the "proof-of-concept" worm is based on the tnscmd.pl tool and it can't work against 10G Oracle databases because the TNS header has changed. Using ethereal I've changed tnscmd.pl to work against 10G listeners. Maybe it is off-topic but if people want to play with the "proof-of-concept" worm they have to change the "vRequest" string in the worm's code to experiment with 10G databases. If someone wants my adapted version of tnscmd.pl let me know and I'll send it to you.

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 4th, 2005, 3:18am
It may not be good behaviour to criticize one's host, but I don't understand the lapse of judgement that resulted in describing Voyager as a worm.

According to both wikipedia (http://en.wikipedia.org/wiki/Computer_worm) and FOLDOC (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=worm&action=Search) a worm needs to be self propagating, which Voyager is not.

IMHO, Voyager is not a breakthrough, proof-of-concept worm. Rather Voyager is a very limited and poorly written scanner, which has received far more notice than it deserves. We should speak no more of Voyager: There are a number of better scanners available for download from this site.

Steven

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 4th, 2005, 9:12am
Ensslen,

Don't be afraid to criticize.
Don't forget it is a proof-of-concept worm. It can easily be adapted to be self-propagating. I agree that there are many requirements to be met before such a worm could be effective:
1) the use of default passwords (I read somewhere an article in which Alexander says that at least 60 percent of all customers have at least a few databases with default passwords!),
2) find a default uc/password combination with enough privileges to make it self-propagating,
3) an unprotected listener (if people still have default passwords the chances that they have unprotected listeners are big).

If 1 is met but 2 is not then you could still use 3 to make the worm self-propagating:

If they have an unprotected listener then instead of just using it to discover instances you could use it to adapt the glogin.sql for example. Let me show how you can do it with tnscmd.pl:


Code:
oracle@Asus:~/Worm > ./tnscmd10g.pl status -h 10.0.0.153 --10G --indent
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.0.0.153:1521
writing 181 bytes
reading
.M.......9.........-. ..........
 DESCRIPTION=
   TMP=
   VSNNUM=169869568
   ERR=0

.
........
 DESCRIPTION=
   TMP=
   VSNNUM=169869568
   ERR=0
   ALIAS=LISTENER
   SECURITY=OFF
   VERSION=TNSLSNR for Linux: Version 10.2.0.1.0 - Production
   START_DATE=04-NOV-2005 09:34:03
   SIDNUM=1
   LOGFILE=/u01/app/oracle/product/10r2/db_1/network/log/listener.log
   PRMFILE=/u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
   TRACING=off
   UPTIME=4433
   SNMP=OFF
   PID=13232
   START_DATE_NUM=2005-11-04 09:34:03


From the above information I know where to find the glogin.sql file: in /u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql
The above listener is using the default location for the LOGFILE.
Using the same tnscmd tool I can reset the listener's LOGFILE to .../glogin.sql and then I can use tnscmd to fill the glogin.sql with the statements to propagate the worm:


Code:
tnscmd10g.pl -h 10.0.0.151 --10G  --rawcmd "(CONNECT_DATA=((<here your pl/sql code to propagate>"


After creating and filling glogin.sql I can reset the LOGFILE to its original value.
The site is now infected with code to make the worm propagate itself.
The code that is used by tnscmd is already inside the "proof-of-concept" worm (except for the adaptations needed by 10G).
Another adaptation would be the correct calculation of the subnet mask to scan all the systems in the network.
To make it jump to an external network seems very difficult. You hardly see db-links between organizations. But most organizations have many databases.
My conclusion is that this proof-of-concept worm deserves to be discussed.


Ivan
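A defensive check for the two listener points raised in this thread (Alexander's LOCAL_OS_AUTHENTICATION advice and the LOGFILE redirection Ivan describes), added here as an example and not code from the thread or from tnscmd: it parses a listener.ora for the PASSWORDS_, LOCAL_OS_AUTHENTICATION_ and ADMIN_RESTRICTIONS_ parameters (the last is a standard Oracle Net parameter not mentioned in the thread) and flags a status report whose SECURITY is OFF or whose LOGFILE has been moved out of the listener log directory. The listener.ora fragment and the status lines are constructed sample input, and the log directory check assumes the default network/log layout.

```python
import re

# Constructed listener.ora fragment (example input, not a file from the thread).
WEAK_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))))
"""
# Constructed status lines in the shape of the tnscmd output quoted above.
STATUS_REDIRECTED = "   SECURITY=OFF\n   LOGFILE=/u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql\n"

# Top-level names that are settings rather than listener definitions.
PARAM_PREFIXES = ("PASSWORDS_", "LOCAL_OS_AUTHENTICATION_", "ADMIN_RESTRICTIONS_",
                  "SID_LIST_", "LOGGING_", "TRACE_", "LOG_", "INBOUND_CONNECT_TIMEOUT_")

def parse_params(text):
    # Map every unindented 'NAME = value' line to its value; a listener stanza has an empty value.
    params = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
    return params

def check_listener_ora(text):
    """Return {listener_name: [findings]}; an empty list means the three checks passed."""
    params = parse_params(text)
    report = {}
    for name in (n for n in params if not n.startswith(PARAM_PREFIXES)):
        findings = []
        if "PASSWORDS_" + name not in params:
            findings.append("no PASSWORDS_%s: listener accepts unauthenticated commands" % name)
        # 10g default is ON, which lets a local OS account bypass the password.
        if params.get("LOCAL_OS_AUTHENTICATION_" + name, "ON").upper() != "OFF":
            findings.append("LOCAL_OS_AUTHENTICATION_%s is not OFF" % name)
        # Default OFF; ON refuses runtime SET commands such as changing the log file.
        if params.get("ADMIN_RESTRICTIONS_" + name, "OFF").upper() != "ON":
            findings.append("ADMIN_RESTRICTIONS_%s is not ON" % name)
        report[name] = findings
    return report

def check_status(text, log_dir="/network/log/"):
    # Flag SECURITY=OFF and a LOGFILE that no longer lives in the listener log directory.
    kv = dict(re.findall(r"^\s*(SECURITY|LOGFILE)=(.*)$", text, re.M))
    findings = []
    if kv.get("SECURITY", "").upper() == "OFF":
        findings.append("SECURITY=OFF: listener has no password")
    logfile = kv.get("LOGFILE", "")
    if logfile and (log_dir not in logfile or not logfile.endswith(".log")):
        findings.append("LOGFILE redirected: " + logfile)
    return findings
```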

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 4th, 2005, 6:02pm
ISaez,

I am not trying to challenge anyone, I'm just trying to clarify.

I agree that there are many different ways of hacking Oracle Databases, and that these can be used to create worms. I also agree that the technique that you describe in your most recent post could be used to make a worm.

I may be stubborn, but none of this is news. That Oracle databases have exploits is well publicized. That these exploits could be scripted into a worm is common sense. But Voyager does not prove the concept.

Steven

(And I would caution you to be careful with what you post.  The courts in many jurisdictions are technophobic and may not distinguish between explaining worms and encouraging their development.)

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 4th, 2005, 6:21pm
Steven,

I think the concept of an Oracle Worm is new. But it is my opinion and if you don't agree then I respect that.

Thank you for your warning but everything I've posted is of public knowledge so I am not disclosing anything.

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 4th, 2005, 7:03pm
Hi Guys,

The post says that it is incomplete and all right, it is not actually a worm as it doesn't replicate, but the concept is there to show that it is possible to create an Oracle based worm in a similar vein to the slammer worm that plagued SQL Server.

I think it is valid to describe it as a worm as it is a concept only. The other thing to remember is that currently - in my opinion - a slammer type worm could not plague Oracle systems to the same effect as slammer did simply because there is only a fraction of the number of Oracle databases exposed to the net than there was SQL databases.

cheers

Pete

Title: Advice regarding the so-called Oracle Voyager Wor
Post by Pete Finnigan on Nov 5th, 2005, 7:42am
Today I've got this email from Oracle.

Regards
 Alex

-----Original Message-----
From: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Sent: Saturday, 5 November 2005 06:23
To: Kornbrust, Alexander
Subject: Advice regarding the so-called "Oracle Voyager Worm"


Dear Oracle customer,

Oracle Global Product Security has investigated the recent Internet publication of the so-called "Oracle Voyager Worm" that is designed to target Oracle databases. In its current form, the code is incomplete and poses no immediate threat to Oracle customers. The code does not expose or attempt to exploit an Oracle product security vulnerability. Instead, the code outlines an attack against Oracle database systems that have been configured insecurely.

Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.

The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1

Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html

http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

Sincerely,
    Oracle Global Product Security
   
PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
******************

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 6th, 2005, 11:30pm
It seems (to me) to be a valid proof of concept. Admittedly, the code currently written only attempts to create a table at the end of the DB link, but using DBMS_METADATA (or even simply selecting from user_source) it could easily re-extract its own source code and so create a copy of itself at the destination.

The only other major missing component of the worm is that it doesn't attempt to execute anything. A worm should not only try to copy itself but try to get that copy running. DBMS_JOB is the obvious mechanism, and is a prime candidate for lockdown.

Title: Re: Advice regarding the so-called Oracle Voyager
Post by Pete Finnigan on Nov 7th, 2005, 8:02am

on 11/05/05 at 07:42:29, kornbrust wrote:
Today I've got this email from Oracle.

Regards
 Alex

-----Original Message-----
From: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Sent: Saturday, 5 November 2005 06:23
To: Kornbrust, Alexander
Subject: Advice regarding the so-called "Oracle Voyager Worm"

......
Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.
....



To which "industry standard security best practices" is Oracle referring?

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 7th, 2005, 2:45pm
Hi Ivan,

This is an interesting point that you have raised. I am not aware of an industry standard for securing Oracle except perhaps my book or the SANS course or the CIS benchmark. I guess that they might be referring to more high level practices such as least privilege principles, security in depth etc.

I talked about the same issue in this forum some time ago and also in my blog - the issue of creating an open standard for securing an Oracle database. I have installed a wiki on this site. It needs some initial configuration and then we can get going. I think that it would be a worthwhile endeavor to produce a list of issues, vulnerabilities, configuration issues, bugs and best practices etc. My idea was to have a main page and then the categories such as configuration, bugs, best practices, privileges, OS issues, network issues etc. Then each category would list each separate issue and each would have their own page with a short description, fix, issue, what tools already check for the issues and so on.

My final thought was to then be able to collate a complete checklist from this / or a standard for hardening or building Oracle. I chose to use a wiki so that others can collaborate and add to it.

cheers

pete

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Jan 22nd, 2008, 1:49pm
hi ivan

I need your help

I work with oracle 10g. When I use "tnscmd10g status ... " I see "ERROR=(CODE=12618".

please help me to change tnscmd10g to work with oracle 10g

thanks

ghassem
g.koolivand@gmail.com

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Jan 23rd, 2008, 10:21am
Ghassem,

I'll mail you a copy of tnscmd10g.pl

regards,

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Mar 16th, 2008, 10:32am
Hello Ivan and All,

I need tnscmd10g as well, can you send me please to sysprogerz@yahoo.com.

I am wondering, can it work for 11g as well?

Thanks,
Have a nice day

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Apr 17th, 2008, 2:38pm
Hi Ivan,

I'm interested in the 10g version as well. Could you send me a copy as well? patrick . roozen at gmail . com

Regards,

Patrick

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Apr 17th, 2008, 6:59pm
I've found a link to Ivan's update of tnscmd http://dokfleed.net/files/audit/tnscmd10g.zip
I'm not sure if this is the same one as mentioned here so evaluate it before using it.

P


