
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


More detailed analysis of the new Oracle worm
This new variant of the Oracle Voyager worm is written in PL/SQL and makes use of some of the key built-in packages that people like me always tell people to revoke from PUBLIC, such as UTL_HTTP, UTL_TCP and UTL_SMTP. This is good advice, believe me!

The worm was posted to the Full Disclosure list on 29th December by someone called "kwbbwi at findnot.com". Aaron Newman of Application Security Inc alerted myself and Alex to this. Alex has posted a note about it in my Oracle security forum in a post titled "New / Modified Oracle Worm", where he announced that he has done some initial analysis of the new worm. His page is titled "Oracle Worm Voyager - Analysis of the Proof of concept code". The worm performs these basic steps:

It grants DBA to PUBLIC.

It creates a database login trigger in which, if a random value equals 32, it sends a Google search request that appears to request the source code from the first site in the search results. If the HTTP request ran, it then appears to install a copy of itself and do it all again. As I said in my last post, and as Alex also found, this request is blocked by Google as a virus. Google are taking this new worm seriously.

It then sends an email to Larry@oracle.com using UTL_SMTP containing all of the password hashes in the database.

It then modifies the listener.log so that the command ALTER USER MDSYS IDENTIFIED BY MDSYS is added to the glogin.sql file, which is run on the server whenever SQL*Plus is started there.

It creates database links to all the databases it can find on the same network and then guesses their passwords.

It then stops the listener using UTL_TCP, with techniques originally learned from tnscmd.

This is a much more dangerous version of the Oracle worm, but it still does not seem to have a replication mechanism that copies the code from the database it is installed in to another database. What makes it worse is that it can potentially email the password hashes, grant DBA to PUBLIC, create a backdoor with MDSYS, and potentially spam Google, download the source and then do it all again and again. The probability of this happening is extremely low, though.

This worm has shown how it is possible to download dynamic PL/SQL and load it into the database - this is a bad sign. It also shows more malicious tendencies: backdoors, privilege escalation, finding more databases, and denial of service by stopping the listener.

Still a proof of concept in my opinion, but a more dangerous one. I wonder how many people will download, install and try it, either as a learning exercise or maliciously on their employers' databases! Now is the time to audit your databases for security issues and harden them.
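As an added example that is not part of the original post or of the worm analysis it describes, here is an audit script a DBA can run in SQL*Plus to check a database for the conditions this variant relies on (the PUBLIC grants on UTL_HTTP, UTL_TCP and UTL_SMTP mentioned at the start) and for the traces the steps above would leave behind (DBA granted to PUBLIC, a database-wide logon trigger, new database links, a reset MDSYS account). It uses only standard Oracle data dictionary views and SYS.USER$; the remediation statements at the end are my suggestions and are left commented out so that nothing changes until the output has been reviewed.

```sql
-- Added audit script (not from the original post). Run as a DBA user in
-- SQL*Plus. It only reads the data dictionary; the REVOKE/ALTER statements
-- at the bottom are commented out and are an assumed remediation, not the
-- worm author's or Oracle's code.
SET LINESIZE 200 PAGESIZE 100

-- 1. EXECUTE on the network packages the worm is built from, still held by PUBLIC
PROMPT == PUBLIC EXECUTE grants on UTL_HTTP / UTL_TCP / UTL_SMTP ==
SELECT owner, table_name, grantee, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('UTL_HTTP', 'UTL_TCP', 'UTL_SMTP')
ORDER BY table_name;

-- 2. Any role granted to PUBLIC; DBA appearing here matches the worm's first step
PROMPT == Roles granted to PUBLIC ==
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
ORDER BY granted_role;

-- 3. Database-wide LOGON triggers; review every one you cannot account for,
--    especially those owned by anyone other than SYS or SYSTEM
PROMPT == LOGON triggers on DATABASE ==
SELECT owner, trigger_name, status, triggering_event
FROM   dba_triggers
WHERE  base_object_type = 'DATABASE'
AND    UPPER(triggering_event) LIKE '%LOGON%'
ORDER BY owner, trigger_name;

-- 4. Database links, newest first; the worm creates links to every database it finds
PROMPT == Database links ==
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER BY created DESC;

-- 5. Status of MDSYS and the time its password was last changed (SYS.USER$.PTIME);
--    an OPEN account with a recent PTIME matches the glogin.sql backdoor step
PROMPT == MDSYS account status and last password change ==
SELECT u.username, u.account_status, u.lock_date,
       TO_CHAR(s.ptime, 'YYYY-MM-DD HH24:MI:SS') AS password_changed
FROM   dba_users u
JOIN   sys.user$ s ON s.name = u.username
WHERE  u.username = 'MDSYS';

-- 6. Suggested remediation, applied only after reviewing the output above
--    and confirming that no application depends on the PUBLIC grants.
-- REVOKE EXECUTE ON utl_http FROM PUBLIC;
-- REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
-- REVOKE EXECUTE ON utl_smtp FROM PUBLIC;
-- REVOKE DBA FROM PUBLIC;
-- ALTER USER mdsys ACCOUNT LOCK PASSWORD EXPIRE;
-- DROP TRIGGER <owner>.<unexpected_logon_trigger>;   -- placeholder name
```

Two of the worm's traces live outside the data dictionary and need an operating-system check on the database server: the glogin.sql file under $ORACLE_HOME/sqlplus/admin should contain nothing but the site's own SQL*Plus settings, and the listener log should be reviewed for unexpected entries around the time the trigger could have fired. Revoking the PUBLIC grants can break applications that call these packages, so grant EXECUTE back to the specific schemas that need it rather than leaving it with PUBLIC.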