Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Two new Oracle root kits

Dennis has made two great posts about Oracle rootkits on his blog. The first is about creating a backdoor into the Oracle binaries and the logon process by replacing the C library function kziaia() so that it treats the username "root" specially; this is meant to be a database username, not the Unix user root. Dennis has modified kziaia() so that if "root" is the username you get logged in as SYSDBA by setting the SYSDBA bit in the PGA (Tanel showed how to do this quite some time ago with a debugger). Importantly, the user does not need a password and, even more importantly, there is little or no evidence that the connection has been made. Testing for this root kit also becomes harder, as it is a case of traditional modified binaries.

This root kit idea is much more in the style of old school root kits rather than something like modifying data dictionary views to hide the user.

The first post is titled "My Oracle rootkit experiment" (http://blogs.conus.info/node/36 - broken link) and is a great read.

Today Dennis has posted a second installment on his blog titled "My Oracle TNS Listener rootkit experiment" (http://blogs.conus.info/node/37 - broken link). This time the post looks at modifying the TNS listener binary by intercepting the function snttread(), which is like a wrapper around recv() on Unix. The magic word is not the username "root" but the string for the command "/bin/sh", the Bourne shell. The packet should include the "magic word" and then the shell is launched instead!!

To exploit this Dennis simply used netcat to connect to the listener port number and he immediately had a shell! Again, very interestingly, there is nothing written to the log files except that a TNS-12502 is written. This is not totally uncommon, so analysing whether this root kit is installed via this error is difficult. Also, if you are clever enough to implement these modifications you can very easily change the C and make it harder to detect. These are traditional rootkit techniques and traditional methods to detect them are needed.

Remember these are backdoors, not exploits; you need access to modify the libraries in the first place.

Also it's nice to see that Dennis has automated some of the install with Python scripts. Great posts Dennis!!
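One traditional detection method for modified binaries of this kind is a file-integrity baseline: hash the files while the install is known good, then compare later. The sketch below is an added example, not code from Dennis's posts or from this site; the directory layout and file contents are constructed stand-ins for an Oracle home, and `lib/libexample.a` and `lib/libextra.so` are placeholder names.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (sha256, size, permission bits) for regular files under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are skipped in this sketch
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (
                sha256_file(full), st.st_size, st.st_mode & 0o7777)
    return snap

def compare(baseline, current):
    """Report paths whose hash, size or mode changed, plus added and removed files."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed stand-in for an Oracle home: placeholder bytes, not real binaries."""
    files = {"bin/oracle": b"server-v1", "bin/tnslsnr": b"listener-v1",
             "lib/libexample.a": b"archive-v1"}
    with tempfile.TemporaryDirectory() as home:
        for rel, data in files.items():
            path = os.path.join(home, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = snapshot(home)      # taken while the install is known good
        with open(os.path.join(home, "bin", "tnslsnr"), "wb") as f:
            f.write(b"listener-v2")    # same size as before, different content
        with open(os.path.join(home, "lib", "libextra.so"), "wb") as f:
            f.write(b"unexpected")     # a file that was not in the baseline
        return compare(baseline, snapshot(home))

if __name__ == "__main__":
    print(demo())
```

The baseline only helps if it is stored and compared off the database host, and it has to be retaken after legitimate patching or relinking, which also changes the binaries.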

Conferences, webinars, trainings, new training dates.....

It has been a very busy last few months; lots of travelling, teaching and consulting. We have also spent time working with our new partners and also working to set up new country partners. PFCLScan has also taken some of my time in terms of development of checks/policies and reports and we have done a couple of really successful demonstrations over the last month or so to get first customers on board.

This is going to be a fairly short blog entry but quite a bit of news. I am going to be teaching my two day Oracle security class next week in Istanbul, Turkey and the week after I will be in Cologne, Germany to speak at the IT-Defense 2010 conference - that's a long awaited engagement for me as I was due to speak at the 2009 event in Potsdam, Berlin but had to cancel at the last minute due to breaking my hand last Christmas. This year I am looking forward to speaking there.

I have also just agreed a new public training date in conjunction with Miracle Benelux to be held in Utrecht, Holland on May 26th and 27th. I have added a link to my Oracle Security public trainings list and will add the registration page link when it becomes available from Miracle Benelux.

I am also going to be doing two webinars with Sentrigo on March 9th at 10am UK time and also March 11th at 6pm UK time. I have added links to my company's home page and will add registration links there when I have them and will also add them here. Webinars are a good way to hear me speak on the subject of Oracle security without travelling.

Training in York, England and Washington DC and adverts

I have added the registration page for the upcoming Oracle security training - how to perform a security audit of an Oracle database to be held in York on February the 9th and 10th in England. The registration page gives details of the class. Places are limited and in demand so please hurry to register if you want to get one of the remaining places.

I want to also take an opportunity to remind people about the two day training coming up in Washington DC on March 25th and 26th. The registration page is here (http://www.1ssa.net/training/tech_training.html - broken link).

The astute readers will also notice that we have removed the Google ads from this site and instead added our own banner ads. This is to promote our own public training classes which will increase in number as we take on more partners around the world to help run and promote our training but also to resell our Oracle database security audit services and our Oracle security software products. We now have partners in the states and are in discussions with potential partners in a number of other countries. The removal of the ads is also to allow us to sell very selective ad space to discerning customers and also to help us promote our own partner events as discussed above - this is an advantage to becoming a partner.

If you are interested in renting ad space please contact me in the first instance for terms, pricing and details. We will only be allowing ad space in very limited quantities so that ads are shown on enough page impressions for each customer and yet still allow promotion of our own partner events. We are also only offering ad space in very specific circumstances that will benefit the ad space buyer but will not compete with us or our partners; again for details if you are interested contact me in the first instance.

Hiding password hashes and a new sha1 Oracle password cracker

There was a good blog post titled "The need to ensure that hashed password values are safe" picked up via my Oracle blogs aggregator that discusses Dennis's FPGA cracker and also the importance of not letting the password hashes out of your site.

Laszlo also emailed me today to let me know about Marcell Major's (http://marcellmajor.com/ - broken link) new brute force password cracker for databases that uses the CUDA framework for NVIDIA GPUs to implement the SHA1 algorithm for Oracle 11g database passwords and also SQL Server passwords. The cracker allows a password file to be used and also implements session handling so it can be easily used on security audits of databases. The cudadbcracker page is here (http://marcellmajor.com/frame_cudadbcracker.html - broken link), the cudadbcracker binary is here (http://marcellmajor.com/cudadbcracker_binaries.zip - broken link) and the cudadbcracker source code released under GPLv3 is here (http://marcellmajor.com/cudadbcracker_source.zip - broken link).