Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Oracle Voyager Worm
(Message started by: kornbrust on Nov 1st, 2005, 7:22am)

Title: Oracle Voyager Worm
Post by kornbrust on Nov 1st, 2005, 7:22am
Hello

Yesterday an anonymous poster released the source for an Oracle worm called "Voyager" on the full disclosure mailing list.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html


The analysis of the worm and some countermeasures are available on my website:



If your database is hardened the worm will not work.


Regards

Alexander Kornbrust

---
Red-Database-Security GmbH

Title: Re: Oracle Voyager Worm
Post by isaez on Nov 1st, 2005, 2:03pm
Alexander,

What do you mean in step 5 (protection) by :
"On Oracle 10g always disable local OS authentication and use a strong password instead."

Do you refer to the listener password or oracle account passwords?
If you refer to the listener password: how do you disable local OS authentication?

Ivan

Title: Re: Oracle Voyager Worm
Post by kornbrust on Nov 1st, 2005, 8:49pm
Ivan

I am referring to the TNS listener password. I found a possiblity to circumvent the local OS authentication (Already reported to Oracle, Oracle bugid: 6454409).

If you use a password protected listener (with a strong password) your systems are safe (AFAIK).

Set the following value in the listener.ora and restart the listener.
LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF

Hope this helps...


Regards

Alexander

Title: Re: Oracle Voyager Worm
Post by isaez on Nov 1st, 2005, 9:44pm
Alexander,

Thank you. I did not know the  LOCAL_OS_AUTHENTICATION parameter.

regards,

Ivan

Title: Re: Oracle Voyager Worm
Post by isaez on Nov 2nd, 2005, 8:21pm
Alexander,

I think the "proof-of-conecpt" worm is based on the tnscmd.pl tool and it can't work with against a 10G oracle databases because the TNS header has changed. Using ethereal I've changed tnscmd.pl to work against 10G listeners. Maybe it is off-topic but if people want to play with the "proof-of-concept" worm they  have to change the "vRequest" string in the worms code to experiment with 10G databases.  If someone wants my adapted version of tnscmd.pl let me know and I'll send it to you.

Ivan

Title: Re: Oracle Voyager Worm
Post by ensslen on Nov 4th, 2005, 3:18am
It may not be good behaviour to criticize one's host, but I don't understand the lapse of judgement that resulted in describing Voyager a worm.

According to both wikipedia (http://en.wikipedia.org/wiki/Computer_worm) and FOLDOC (http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=worm&action=Search) a worm needs to be self propagating, which Voyager is not.

IMHO, Voyager is not a breakthrough, proof-of-concept worm.  Rather Voyager is a very limited and poorly written scanner, which has recieved far more notice than it deserves.  We should speak no more of Voyager: There are a number of better scanners available for download from this site.

Steven

Title: Re: Oracle Voyager Worm
Post by isaez on Nov 4th, 2005, 9:12am
Ensslen,

Don't be afraid of criticize.
Don't forget it is a proof-of-concept worm. It can easily be adapted to be self propagated. I agree that there are many requirements to be met before such a worm could be effective:
1) the use of default passwords (i read somewhere an article in which Alexander says that at least 60 percent of all customers have at least a few databases with default passwords!),
2) find a default uc/password combination with enough orivileges to make it self-propagating,
3) an unprotected listener (if people still have default passwords the chances they have unprotected listeners is big),

If 1 is met but 2 is not then you could still use 3 to make
the worm self-propagating:

If they have an unprotected listener then instead of just using it to discover instances you could use it to adapt the glogin.sql for example. Let me show how you can do it with tnscmd.pl:


Code:
oracle@Asus:~/Worm > ./tnscmd10g.pl status -h 10.0.0.153 --10G --indent
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.0.0.153:1521
writing 181 bytes
reading
.M.......9.........-. ..........
 DESCRIPTION=
   TMP=
   VSNNUM=169869568
   ERR=0

.
........
 DESCRIPTION=
   TMP=
   VSNNUM=169869568
   ERR=0
   ALIAS=LISTENER
   SECURITY=OFF
   VERSION=TNSLSNR for Linux: Version 10.2.0.1.0 - Production
   START_DATE=04-NOV-2005 09:34:03
   SIDNUM=1
   LOGFILE=/u01/app/oracle/product/10r2/db_1/network/log/listener.log
   PRMFILE=/u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
   TRACING=off
   UPTIME=4433
   SNMP=OFF
   PID=13232
   START_DATE_NUM=2005-11-04 09:34:03


From the above information  I know where to find the glogin.sql file: in /u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql
The above listener is using the default location for the LOGFILE.
Using the same tnscmd tool I can reset the listeners LOGFILE to .../glogin.sql and then I can use tnscmd to fill the glogin.sql with the statements to propagate the worm:


Code:
tnscmd10g.pl -h 10.0.0.151 --10G  --rawcmd "(CONNECT_DATA=((<here your pl/sql code to propagate>"


After creating and filling glogin.sql I can reset the LOGIFLE to it's original value.
The site is now infected with code to make the worm propagate itself.
The code that is used by tnscmd is allready inside the "proof-of-concept" worm (except for the adaptations needed by 10G).
Another adaptation would be the correct calculation of the
subnetmask to scan all the systems in the network.
To make it jump to an external network seems very difficult. You hardly see db-links between organizations. But most organizations have many databases.
My conclusion is that this proof-of-concept worm deserves to be discussed.


Ivan

Title: Re: Oracle Voyager Worm
Post by ensslen on Nov 4th, 2005, 6:02pm
ISaez,

I am not trying to challenge anyone, I'm just trying to clarify.

 I agree that there are many different ways of hacking Oracle Databases, and that these can be used to create worms.  I also agree that the technique that you describe in your most recent post could be used to make a worm.

I may be stubborn, but none of this is news.  That Oracle databases have exploits is well publicized.  That these exploits could be scripted into a worm is common sense.  But Voyager does not prove the concept.  

Steven

(And I would caution you to be careful with what you post.  The courts in many jurisdictions are technophobic and may not distinguish between explaining worms and encouraging their development.)

Title: Re: Oracle Voyager Worm
Post by isaez on Nov 4th, 2005, 6:21pm
Steven,

I think the concept of a Oracle Worm is new. But it is my opinion and if you don't agree then I respect that.

Thank you for you warning but everything I've posted is of public knowledge so I am  not disclosing anything.

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 4th, 2005, 7:03pm
Hi Guys,

The post says that it is incomplete and alright it is not actually a worm as it doesn't replicate but the concept is there to show that it is possoble to create an Oracle based worm in a similar veign to the slammer worm that plagued SQL Server.

I think it is valid to describe it as a worm as it is a concept only. The other thing to remember is that currently - in my opinion - a slammer type worm could not plague Oracle systems to the same effect as slammer did simply because there is only a fraction of the number of Oracle databases exposed to the net than there was SQL databases.

cheers

Pete

Title: Advice regarding the so-called Oracle Voyager Wor
Post by kornbrust on Nov 5th, 2005, 7:42am
Today  I've got this email from Oracle.

Regards
 Alex

-----Ursprüngliche Nachricht-----
Von: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Gesendet: Samstag, 5. November 2005 06:23
An: Kornbrust, Alexander
Betreff: Advice regarding the so-called ¿Oracle Voyager Worm¿


Dear Oracle customer,

Oracle Global Product Security has investigated the recent Internet publication of the so-called ¿Oracle Voyager Worm¿ that is designed to target Oracle databases. In its current form, the code is incomplete and poses no immediate threat to Oracle customers.  The code does not expose or attempt to exploit an Oracle product security vulnerability.  Instead, the code outlines an attack against Oracle database systems that have been configured insecurely.

Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.

The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1

Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html

http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

Sincerely,
    Oracle Global Product Security
   
PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
******************

Title: Re: Oracle Voyager Worm
Post by gamyers on Nov 6th, 2005, 11:30pm
It seems (to me) to be a valid proof of concept. Admittedly, the code currently written only attempts to create a table at the end of the DB link, but using DBMS_METADATA (or even simply selecting from user_source) it could easily re-extract its own source code and so create a copy of itself at the destination.

The only other major missing component of the worm is that it doesn't attempt to execute anything. A worm should not only try to copy itself but try to get that copy running. DBMS_JOB is the obvious mechanism, and is a prime candidate for lockdown.

Title: Re: Advice regarding the so-called Oracle Voyager
Post by isaez on Nov 7th, 2005, 8:02am

on 11/05/05 at 07:42:29, kornbrust wrote:
Today  I've got this email from Oracle.

Regards
 Alex

-----Ursprüngliche Nachricht-----
Von: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Gesendet: Samstag, 5. November 2005 06:23
An: Kornbrust, Alexander
Betreff: Advice regarding the so-called ¿Oracle Voyager Worm¿

......
Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.
....



To which "industry standard security best practices" is Oracle refering?

Ivan

Title: Re: Oracle Voyager Worm
Post by Pete Finnigan on Nov 7th, 2005, 2:45pm
Hi Ivan,

This is an interesting point that you have raised. I am not aware of an industry standard for securing Oracle except perhaps my book or the SANS course or the CIS benchmark. I guess that they might be referring to more high level practices such as least privilege principals, security in depth etc.

I talked about the same issue in this forum some time ago and also in my blog - the issue of creating an open standard for securing an Oracle database. I have installed a wiki on this site. It needs some initial configuration and then we can get going. I think that it would be a worthwhile endeavor to produce a list of issues, vulnerabilities, configuration issues, bugs and best practices etc. My idea was to have a main page and then the categories such as configuration, bugs, bext practices, privileges, OS issues, network issues etc. Then each category would list each separate issue and each would have their own page with a short description, fix, issue, what tools already check for the issues and so on.

My final thought was to then be able to collate a complete checklist from this / or a standard for hardeing or building Oracle. I chose to use a wiki so that others can collaborate and add to it.

cheers

pete

Title: Re: Oracle Voyager Worm
Post by koolivand on Jan 22nd, 2008, 1:49pm
hi ivan

I need help you

I work with oracle 10g. when i  use "tnscmd10g status ... "  i see "ERROR=(CODE=12618" .

please help me to change tnscmd10g for work with oracle 10g

tanks

ghassem
g.koolivand@gmail.com

Title: Re: Oracle Voyager Worm
Post by isaez on Jan 23rd, 2008, 10:21am
Ghassem,

I'll mail you a copy of tnscmd10g.pl

regards,

Ivan

Title: Re: Oracle Voyager Worm
Post by sysprogerz on Mar 16th, 2008, 10:32am
Hello Ivan and All,

I need tnscmd10g as well, can you send me please to sysprogerz@yahoo.com.

I am wondering, can it work for 11g as well??

Thanks,
Have a nice day

Title: Re: Oracle Voyager Worm
Post by pcroozen on Apr 17th, 2008, 2:38pm
Hi Ivan,

I'm interested in the 10g version as well. Could you send me a copy as well? patrick . roozen at gmail . com

Regards,

Patrick

Title: Re: Oracle Voyager Worm
Post by Patrick Roozen on Apr 17th, 2008, 6:59pm
I've found a link to Ivan's update of tnscmd http://dokfleed.net/files/audit/tnscmd10g.zip
I'm not sure if this is the same one as mentioned here so evaluate it before using it.

P



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board