Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

BBED - Oracle Block Browser and EDitor - A hacker tool?

I was surfing this evening and came across a great paper by Graham Thornton that explains how to use the BBED Block Browser and EDitor utility to modify blocks in the database data files whether the database is up or down. I have known about this tool for a very long time and even reported its shipping on Windows as an executable and as an object file on *nix as a security bug to Oracle around 4 years ago.

This paper explains how to build the tool on Linux and how each command works. Quite clearly this is a useful tool to get you out of a hole in the case of corruption or incorrect deletions but its also an excellent hacker tool.

Graham shows 5 good examples of the use of BBED, these include "changing data", "recovering deleted rows", "uncorrupting a block", "file header reset" and "recovering deleted, damaged data".

For those of us who think like a hacker this tool has some awesome potential. The tool runs on the OS and doesnt need database authentication. A simple password is hard coded in the binary. If you can gain the possibility to run OS commands as a lowe level user then you can become a DBA, SYS or whatever, it is simple to change the SYS password hash. Remember there would be no audit trail generated no matter the type of database audit used. Or you could read data protected via VPD or OLS, you could change or read critical data in the database without detection, you could install root kits, the possibilities are endless.

This is a dangerous tool in the wrong hands, remove the binary if its there; also remove the object files if they exist so it cannot be rebuilt. If Oracle support or you need to use it, then Oracle will not support you afterwards anyway so there is no impetus to keep the tool.

Graham Thornton's great paper is called "Disassembling the Oracle Data Block - A Guide to the BBED Block Browser and Editor"

Oracle Hackers Handbook

I just received a preview copy of the new book by David Litchfield, "Oracle Hackers Handbook" - ISBN 978-0-470-08022-1. I have skimmed through all pages and now I will start and read it cover to cover. It is a good book and one that should be on the shelf of anyone interested in how hackers can break the security of an Oracle database. Its a short book, some 140 pages of content not including the appendix of default passwords and also not including first chapter which is a primer on Oracle architecture. The book includes details on the Oracle network architecture. David talked about an aspect of this recently in a full disclosure post and I talked about this here in a post "Stealing Oracle passwords from the wire". He goes on to cover attacking the listener, the dispatcher, the authentication process and a lot of detail around PL/SQL, unwrapping, SQL Injection, privileges, triggers, indirect privilege escalation,defeating VPD, Oracle web apps, how to run OS commands, the file system and attacking the network.

This is a good book and anyone serious about securing their Oracle databases should read it.

checkpwd has been updated to 1.22 and is around 30% faster

Alex has just released an update to his excellent Oracle dictionary passwod cracker. Oracle Password Checker (Cracker) is updated to version 1.22. This version has been compiled against the Intel tuned openssl libraries that I talked about the other day. This has made checkpwd around 30% faster. Checkpwd can be used on Linux or Windows. It can also be used standalone (without an Oracle client) and with an Oracle client so that it can connect to the database and extract the usernames and hashes to be cracked.

Alex has also updated his page Benchmark Oracle Password Cracker which shows some benchmark tests of the most popular Oracle password crackers available. This page makes interesting reading. orabf is shown to blow all away on its brute force timings but is slower in dictionary mode. I emailed orabf's author the other day to point out the intel tuning in openssl, i hope that he will respond with a recompiled orabf.

Oracle password crackers just got faster

Alex made me aware of a nice article on Intel's work on tuning the already fast openssl cryptographic libraries. The paper is written by Muneesh Nagpal, server applications engineer, Core Software Division; Gururaj Nagendra, senior software engineer and architect, Software Products Division, SSG; and Alexey Omeltchenko, software engineer, Software Enabling Division, Intel Corp.

The article is titled "Boosting cryptography performance with Intel libraries" and a preview is here:

"This simple optimization walk-through improves an already-optimized sample OpenSSL application's performance by 35 percent using IntelĀ® cryptography library functions. With the increase in e-commerce and other transactions in enterprise applications, the demand for higher-performing, secure, and scalable communications is on the rise. From a hardware perspective, as the communication load increases, load balancing is typically accomplished by adding more processors."

Why is this of interest to us Oracle security types? - well because the current crop of Oracle password crackers are cracking DES and some like orabf and checkpwd use openssl. This means that Oracle password crackers will run around 40% faster simply by recompiling or relinking.

Secure Passwords Keep You Safer

Great paper by Bruce Schneier - Secure Passwords Keep You Safer

"Ever since I wrote about the 34,000 MySpace passwords I analyzed, people have been asking how to choose secure passwords.

My piece aside, there's been a lot written on this topic over the years -- both serious and humorous -- but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice."

Toolkit of generators and brute force tools

I was emailed a link to 0rm's latest toolkit that includes some Oracle brute force tools. The T2 brute force compilation rev 2 includes a number of Oracle tools. These are:

default.txt - a list of Oracle default passwords
oraclehash - creates an Oracle password hash
orabf - brute force Oracle password cracker
oracr - creates an Oracle SQL*Net 8 challenge response pair
oracrbf - brute forces Oracle SQL*Net challenge response pairs

This is a great tool set and worth downloading

Details Oracle Critical Patch Update January 2007 - V1.02 released

Alex has created an analysis page for the most recent January 2007 CPU. His page is titled "Details Oracle Critical Patch Update January 2007 - V1.02". The page includes links to those bugs that have individual advisories available. There is less information about the database bugs than for the application server. There is also a nice link table for all of the database bugs to their CVE entries. The application server bugs include some brief details for most of the bugs as to what the issues are. As usual the database bugs that are in packages whilst not including details of the actual bug are reletively easy to work out if you have the tools to do it (a PL/SQL unwrapper).

Critical Patch Update January 2007 is out

The latest in the series of Critical Patch Updates, "Oracle Critical Patch Update - January 2007" has just been released by Oracle. The patch provides 51 new security fixes across all products. Because there is a real risk of a successful attack, remember a number of this bugs can be expolited remotely without the need for a username and password. Oracle are recommending that the patch is applied as soon as possible. This, I know from experience is difficult fo some customers. There are a few new names in the credits and a few regulars, Alex and the Litchfields. The matrix's list the bugs per product and the lists get easier read each time. Oracle do seem to be making the advisories easier to read. Lets hope that the numbers of bugs fixed each quarter get less and also the number of remotely exploitable bugs without authentication get less, then we will see really good progress.

Definer rights AS SYSDBA security issue?

I chatted with Alex Gorbachev on email about this issue, privet Alex! and today he has posted the issue to his blog in a post titled "Calling Definer-Rights Procedure as SYSDBA - Security Hole?". This is summed up as an issue where SYS AS SYSDBA seems to default to invoker rights irrespective of whether the procedure it is executing is definer rights. See Alex's examples for details. I suggested some further tests to Alex to find out if its a SYS issue as well and also to create the definer rights procedure as the lower level user rtaher than as SYS owned by the other user (shouldnt matter). I am not convinced its a security issue as the issue is with SYS AS SYSDBA so you canot escalate higher than that.

new paper on oracle as sysdba connection weakness

I saw today that NGS have released a paper "Oracle Passwords and OraBrute" that talks about various weaknesses in Oracle passwords. Most of this is not new and is covered elsewhere. The first issue covers the fact that Oracle passwords can include most of the character map with passwords encased in quotes, i.e. the password is more complex and harder to crack with a crackre like orabf or by rainbow cracking. There was a good post about this on my forum over a year ago titled "Valid characters for Oracle passwords?..." that discussed the issues around the character map. The second area is around the fact that passwords can be grabbed off the wire if the hash is know. I talked about this here recently in a post titled "Stealing Oracle passwords from the wire" that talks about David Litchfields work in this area. The main thrust of the new paper is around the fact that the AS SYSDBA connections cannot be locked out using password management or account locking. I talked about this on my site (prior to the blog) on 02 April 2004 in a paper titled "can SYS be locked out by a failed_login_attempts setting".

All of that said the paper is worth reading, the advice from me is prevemnt remote AS SYSDBA connections by setting remote_login_passwordfile to the recommended value of "none" - this can be an issue if OEM is used as it needs EXCLUSIVE. Also set listener logging and parse the log file for brute forcing of AS SYSDBA connections. Also parse and manage the trace files created in $ORACLE_HOME/rdbms/audit - a seperate trace file per pid will be created. on Windows the records are written to the event log. All AS SYSDBA connections are logged to these trace files. If audit_file_dest is set then the location will not be the default. The paper includes a brute force tool that I dont see much use in an audit situation. A cracker like orabf is better and faster to test hashes in SYS.USER$ and also in the password file and a check for remote_login_passwordfile is quicker and more effective. Also check which users have been granted SYSDBA as they would alwo be affected in the same way. Their passwords for AS SYSDBA connections can be read from the password file as well.

Oracle have announced a CPU pre-release feature

I saw today that Oracle has released its first "Critical Patch Update pre-release announcement" which is a new service that will give advanced news of the forth coming CPU's. The next CPU is due on january 16th. next Tuesday. This first advanced release details CVSS ratings and details of the components that are affected and also the versions affected. There are 52 fixes in the january CPU and ten of them can be remotely exploited without authentication.

This is another good improvement from Oracle and well done to them for this, releasing advanced news of the patch can help customers plan and decide what to do about applying it. Good for Oracle.

Teaching an Old Dog New Tricks

I got an email today to let me know about a good post by Marcus Ranum on his site titled "Teaching an Old Dog New Tricks" which talks about programming, bugs, exploits an most importantly about Fortify in some detail. This is the tool Oracle announced around a year ago that they had bought and were using internally to audit their own source code. This is a source code analizer that looks for bugs or potential bugs in software. The tool supports C and PL/SQL amongst other languages. This is a good tool but there is little information on the net about it, particularly the sorts of checks that it performs. This article is quite revealing in terms of what the tool does. There are a number of other free tools that can check C and C++ but not PL/SQL such as RATS, flawfinder, findbugs, ITS4, Prexis and splint.

If anyone has anymore details on what Fortify does particularly in terms of PL/SQL auditing I would be interested to know.

10 steps to creating your own security audit

I came across this short post describing 10 steps to creating your own security audit and even though its not about Oracle its worth a read to give you some ideas on the scope of an audit.

10 Steps to creating your own IT security audit

"Every business, including yours, has valuable IT assets such as computers, networks, and data. And protecting those assets, requires that companies big and small conduct their own IT security audits in order to get a clear picture of the security risks they face and how to best deal with those threats.

The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company."

A good blog to watch for Oracle internals and hard to find info

I made a note in my list of things to blog about before christmass about "Fairlie Rego's" weblog. This is a great blog and contains some very nice posts with a great deal of knowledge and skill displayed. I love Oracle internals, undocumented details and so on so when I saw a blogger who wields oradebug or bbed with skill he is well worth watching and reading. His blog is also linked on my Oracle security blogs aggregator.

Stealing Oracle passwords from the wire

I see that David Litchfield has posted a note on freelists titled "Re: Sniffing Oracle authentications" that describes the Oracle authentication mechanism and the fact that if you know the Oracle password hash then its possible to sniff the session key and wait for the encrypted password to be sent to the server. This means that even 30 character passwords using the complete keyspace are vulnerable to attack. David includes a C program to demonstrate this.

This is a detailed discussion by David of the issue that was first covered by Ian Redfern in a paper titled "Oracle Protocol" that was up on the Logica site for a while before being pulled but the web archive has a copy. The example Perl program linked in this paper was there on the web archive for quite some time but this has now gone as well. The Perl program gave an example of how this protocol worked and hinted at this issue. I found the link via Peter K's blog where he also mentions that Paul Wright now has an Oracle security blog. I have added a link to his blog in my Oracle blogs aggregator.

It seems Dizwell has gone, come back (maybe) and gone again

I have followed a few posts on Howards site and others blogs over the last few days and was saddened to see that Howard has decided to pull the plug on running and maintaining his site. I saw the last post that he had decided to ditch the whole site and remove the DNS. The site is not currently there, there are some pages still in the google cache for a while but some like Doug reported that he had relented and some new pages had been posted. This is not the case now as I write this. I for one hope Howard brings back his site in some form or other even if its just as a read only archive. I use Greymatter for this blog and was saddened by a similar issue with the old greymatter forums board that suddenly went down losing tens of thousands of useful posts. I hope that Howard can post some of the useful stuff at leats in read only mode. I specialise in racle security but I use many Oracle sites for Oracle information not just around security so will miss Howards great site.