
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


An interesting case of information disclosure



I was surfing the orablogs website (http://www.orablogs.com) the other day and found an entry in Duncan Mills' weblog (http://www.groundside.com/blog/content/DuncanMills/?permalink=9E7B0901D4A16DD6F20CD381B6038F4D.txt) that looked interesting. He writes an Oracle weblog, and I noticed a security-related post, so my interest was piqued. The post is not directly about Oracle security itself, but it is related in part. Duncan reported an attempt by a hacker to get into his site by trying to exploit ssh. The reason they did this was a previous posting to his blog, "One thing leads to another" (http://www.groundside.com/blog/content/DuncanMills/J2EE+Development/?permalink=40D11947868C663FA798839E3F72E3D7.txt), which talked about his project to create a JSF-based blog application. The final paragraph of that entry described how he had set up ssh access to the groundside.com site for the people who were going to help with the project. He also announced that he still had work to do in tightening the security.

This whole blog entry reminded me of some work I did on the new SANS 6-day hands-on "Securing Oracle" track that I have been writing for SANS. I covered information leakage in one of the modules; indeed, I briefly mentioned the same topic in the book Oracle Security Step-by-Step: A Survival Guide for Securing Oracle. I did some research into this issue when writing about it for SANS. Quite frankly, it is amazing what information some companies will leak to the Internet about their Oracle databases, servers and applications, whether in newsgroups, on mailing lists or even on corporate websites.

I have seen all manner of information: network configurations, usernames, even passwords, IP addresses, the applications in use (third-party and in-house), job specifications, and even security policies and guidelines (very useful for a hacker to know the password policy!). Recently I even saw the source code for the authentication component of a web-based application that interacts with an Oracle database, posted to a newsgroup because one of the developers wanted to ask a question.

This is a key lesson that companies need to learn. If you post details of IP addresses, usernames, passwords, application structure or even source code to the Internet, or publish your policies and working practices on publicly accessible websites, you should not be surprised if you get attacked.
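One practical defence against the leakage described above is to check text before it goes to a newsgroup or mailing list. The following is an added example, not code from this post: a small pre-publication scanner that flags the items named here (IP addresses, split into RFC 1918 internal ranges and external ones, credentials, and Oracle JDBC, TNS and user/password@alias connection strings). The JDBC, TNS and user/password@alias forms are real Oracle syntaxes; the credential pattern and the sample post are constructed assumptions.

```python
import ipaddress
import re

# Patterns for the kinds of detail the post lists as routinely leaked.
# The JDBC, TNS and user/password@alias forms are real Oracle syntaxes; the
# credential pattern is an assumption about how passwords tend to appear in text.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "credential": re.compile(r"(?:password|passwd|pwd)\s*(?:[=:]\s*|\s+)(\S+)", re.I),
    "jdbc_url": re.compile(r"jdbc:oracle:\w+:(?:[^@\s]*@)?\S+", re.I),
    "tns_host": re.compile(r"\(HOST\s*=\s*([^)\s]+)\)", re.I),
    "connect_string": re.compile(r"\b[A-Za-z]\w*/[^\s@/]+@[\w.:-]+"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scan_text(text):
    """Return (line_number, kind, value) for every sensitive-looking item, in document order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if pattern.groups else m.group(0)
                label = kind
                if kind == "ipv4":
                    try:
                        ip = ipaddress.ip_address(value)
                    except ValueError:
                        continue  # e.g. 999.1.2.3 looks like an address but is not one
                    # Internal addresses reveal network layout; external ones identify a reachable host.
                    label = "internal_ip" if any(ip in n for n in RFC1918) else "external_ip"
                findings.append((lineno, label, value))
    return findings


# Constructed sample of the sort of question someone might paste to a newsgroup.
SAMPLE_POST = """\
Hi all, my Apache mod_plsql config is below, any idea why it fails?
[Tue Nov 16 10:02:11 2004] [error] client 192.168.10.44 denied access to /pls/portal
PlsqlDatabaseConnectString (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbhost01.corp.example)(PORT=1521))(CONNECT_DATA=(SID=ORCL)))
PlsqlDatabasePassword tiger
The JDBC side uses jdbc:oracle:thin:@203.0.113.7:1521:ORCL with user scott
and sqlplus scott/tiger@ORCL works fine from the box.
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_POST):
        print(f"line {lineno}: {kind:15} {value}")
```

The credential pattern deliberately errs on the side of flagging, so a phrase such as "password policies" will also be reported for a human to dismiss.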

Companies need to educate employees on these issues; it's important.

I think in Duncan's case it's a lot less worrying, as it's a public project anyway and he has no live production data to worry about losing. The main point is that he understands the issue.

There have been 4 comments posted on this article


November 19th, 2004 at 09:11 am

Pete Finnigan says:

Is information about Apache under Oracle (at Oracle) a security problem, too?



November 19th, 2004 at 04:54 pm

Pete Finnigan says:

I have just looked at the page you reference on Tom Kyte's site. It's an interesting page and includes two comments from Tom in terms of information leakage. The first is that the configuration is taken from an internal server using mod_gzip and mod_plsql; also, further down in the example, there is an entry from a log file that shows an IP address and a URL. A quick check on www.whois.sc shows that this is probably an external IP address, as it is allocated to Oracle.

So yes, this is a leakage of information that should not really have occurred. A server has been identified, and the software running on it is identified, as are some configuration details.



November 23rd, 2004 at 10:30 pm

Pete Finnigan says:

Of course, in my case it could have been a simple port scan that found the SSH port open through the firewall; I assumed it was the blog posting based on the timing.
The comment will self destruct in 5 seconds...



November 24th, 2004 at 02:50 pm

Pete Finnigan says:

Hi Duncan,

Yes, it could have been, but usually there is no such thing as a coincidence; probably your posting had something to do with it.

kind regards

Pete