
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle publishes out-of-cycle security fix

Oracle publishes out-of-cycle security fix - By Robert McMillan

"Oracle has released a critical security patch to the company's E-Business Suite software. The patch, which was released nearly two months ahead of Oracle's next regularly scheduled security updates, fixes a number of vulnerabilities in the Oracle Diagnostics troubleshooting component of the company's E-Business Suite 11i."

Oracle issues security patch

Oracle issues security patch - by Dawn Kawamoto

"E-Business Suite 11i has been given a specific security patch to deal with issues in its diagnostics module

Oracle has issued an upgrade to its E-Business Suite 11i diagnostics module containing a number of the security fixes, according to an alert from applications security firm Integrigy"


Oracle releases an out of step security patch for E-Business Suite

Oracle has released what some are calling a stealth security patch. They normally only release security patches as part of the Critical Patch Update process on a quarterly basis. It is common however to include security fixes in upgrades that are then included in the next CPU but Oracle do not normally publicise the security fixes.

In this case Oracle has released a Diagnostics support pack February 2006 with Oracle Diagnostics RUP A. This is an upgrade to Oracle E-Business Suite diagnostics. It is unusual for Oracle to publicise the fact that security fixes are included with an upgrade and to encourage customers to apply the patch. Cynical observers may think that Oracle are encouraging customers to upgrade to make support easier by encouraging the application of the patch. This patch and some comments and bug information are included in an excellent paper by Integrigy called "Security Analysis - Diagnostic support pack February 2006 patch E-Business Suite impact"


Nice presentation by Lewis on Oracle Security

Today I saw on Lewis's blog that he was talking about a presentation he had just given at the Desktop conference 2006 titled "Implementing Oracle 10g Security". It is a PDF of the presentation slides and it covers good ground on Oracle security and on securing an Oracle database in general. This is a good presentation and worth a look.

Pete Finnigan's blog is back on blogs.oracle.com

I saw this morning that last night my blog was added back to Oracle's new blogging site blogs.oracle.com. It seems that Oracle have had a change of heart and included my blog again. The text at the bottom of this new site has changed to be much stronger in terms of saying that Oracle do not validate any information given by any sites or any sites that they link to. This is a sensible solution to the issue I was told my blog had.

Thanks to all the many, many people who emailed me and supported my site, to those other bloggers who talked about this situation in my favour in their own blogs, and also to Oracle and those in Oracle who made it possible to add my blog back again.


Security's Heaviest Hitters

Security's Heaviest Hitters - Dennis Fisher

"In my five years covering security for eWEEK, I was privileged to meet and get to know some of the brightest and most dynamic people in the industry, many of whom helped create and define the security community as we know it today. So when I got an e-mail from the folks running the RSA Conference, which takes place this week in San Jose, Calif., asking me to help them choose the 15 most influential people in the security industry, I jumped at the chance."


Securing Data Warehouses With OID, Advanced Security And VPD

I found this article on Mark's blog this evening when looking for something else and thought it worth a mention for a re-read. This is an excellent short paper by Mark:

"Once the domain of a small group of knowledge workers within an organization, data warehouses are increasingly becoming a critical part of an overall I.T. infrastructure. Organizations have come to depend on the information held in data warehouses and data marts, and often the warehouse is the only source of information within an organization that provides a complete, 360 degree view of customers and partners. In the rush to build a data warehouse, however, one thing that is often neglected is putting in place a proper security system." - Read more here


Andrew Clarke has a post about Google hacking Oracle

I saw today a post on Andrew's blog titled "Oracle...Most Insecure Database!" which relates the story of an Oracle forums post that is now not working, most likely removed. The post talked about a person who had been reading an excellent paper on Application Security Inc.'s site titled "Search Engines used to attack databases" and then apparently applying what he had learned to hacking Oracle databases. Andrew had confirmed with the OP that he had in fact attacked his own Oracle databases.

This post prompted me to re-read Aaron's paper which is excellent.

Security experts see vulnerabilities in embedded databases

Security experts see vulnerabilities in embedded databases - How serious the flaws are, and how easy they are to exploit, remains unclear - by Eric Lai

"With Oracle Corp.’s purchase last week of open-source embedded software maker SleepyCat Software Inc., at least one security analyst believes that Oracle -- which has come under fire for security vulnerabilities in its core database -- could be adding more potential problems."

OASIS stamps approval on WS-Security 1.1

OASIS stamps approval on WS-Security 1.1 - by John Fontana

"A standards body on yesterday gave final approval to a security specification that is recognized as a foundation for securing distributed applications and Web services.

The Organization for the Advancement of Structured Information Standards (OASIS) approved WS-Security 1.1 as an official standard. The designation is the highest level of ratification within OASIS."

Secure the OEM Encryption Key

I saw an interesting post by Alan Nolan-Davis the other day on his blog and I made a note of it. I have seen a few good posts recently by Alan on what seems to be a new and interesting blog. It also looks like he will talk about security quite a bit, which always grabs my attention. His post the other day is titled "Secure the OEM Encryption Key" and is well worth a read.

I have also added Alan's feed to my new Oracle blogs aggregator.

New Oracle blogs aggregator

I have added a new Oracle blogs aggregator to my website. I don't have as many feed URLs linked as other sites yet, but that will change as I find more. If anyone who has an Oracle related blog would like to be included then please email me at pete_at_petefinnigan_dot_com and I will gladly include you.

pssst, want to read something secret?

OK, it's not a secret but it got your attention, didn't it!

I was pleased to see the recent addition of a new sub-domain to the oracle.com site, blogs.oracle.com, that is to be the home of Oracle blogging. My site had been listed for around a year on the blogs & community link that existed previously and I was keen to see if my blog appeared on the new Oracle blogging home page. At first it was listed, as the list of blogs included was clearly the same as the old blogs & community page. I then noticed a couple of days later that my blog had disappeared.

I questioned why this had happened and whether it was simply an oversight. The answer was no: it was deliberately removed because I regularly refer to security products and advice that are not endorsed by Oracle. The concern was that anyone following links from this new blogging community site to my own blog, and then on to other sites that I have linked to that offer security advice, would assume they were endorsed by Oracle. So my blog had to be removed.

But on a different level the new site cannot be thought of as an Oracle blogging community when one of the most prolific Oracle-related blogs is not included. I am not sure if others are missing. I know Edward Stangler posted yesterday in a post titled "Oracle Gets Sleepy" that he had been removed as well. A comment there suggests how vital it is that orablogs keeps going so that the full Oracle blogging community is catered for.

I am of course still listed on the Orablogs site (thanks Brian!) and I am also included in a number of other blog aggregator sites.

I guess other Oracle bloggers in the community who are listed on blogs.oracle.com should beware that they should not post links to sites or stories that offer security advice, workarounds or exploits otherwise they too would likely be banned!

If there is a burst of security postings on various blogs that follow the well known trend for blogs - linking to each others posts - then we could end up with a situation where a lot of blogs are banned and the "community" grows towards zero members..:-)

Inside job

Inside job - By Natalie Hanman of the Guardian.

"Attacks by computer hackers cost businesses billions of pounds. But now firms are recruiting a new, ethical breed of technological wizards to fight back. By Natalie Hanman"

This is an excellent short article / interview, well worth reading, thanks to Duncan for letting me know about it.

Good paper on password policies

I saw a good post by Lewis Cunningham the other day and made a note to check it out and mention it here. The post is titled "How to Ensure a Strong Oracle Password" and it makes some recommendations on using a password verification function and also on setting password profile values. Good short paper.

Brian Duff announces that blogs.oracle.com is live

I saw with interest tonight that Brian of Orablogs has announced that the new Oracle blogging site is live. The post is titled "Yep, Oracle are Officially Blogging" and it gives some insight into the new site. Brian has been helping OTN move some of the Oracle employees' blogs over to the new Oracle blog site blogs.oracle.com. The home page currently lists a lot of the home pages of popular Oracle blogs. Brian also announced that he will keep orablogs going as long as he has the time. I would like to say a big thanks to Brian for putting orablogs together and for keeping it running. It has been a great resource for anyone wanting to follow up-to-date information about Oracle.

The big question I have is whether blogs.oracle.com will natively include non-employee blogs as Orablogs does now. Of course there are a lot of non-Oracle-employee Oracle blogs out there anyway, independent of orablogs, but some authors originally hosted their blogs on Brian's site.

The second question I have is whether Oracle will implement a blog aggregator like orablogs on its new blogs.oracle.com site. I hope that it does and I think that it should. I also hope that they invite all the current crop of bloggers, e.g. copy across Brian's OPML file and ping all the blogs as Brian does. This would be a great resource for everyone.

Oracle defends security record

Oracle defends security record - By Munir Kotadia

"Oracle has shrugged off criticisms of its recent security record, saying that one of the company's biggest security concerns is that its customers are so used to being secure that they are not used to applying patches."

Interesting listener.ora / listener password and VMS error

I saw this evening on my Oracle security forum a post titled "listener.ora password" where the poster has been trying to set and save a listener password on VMS with 9iR2 but it failed with errors:

TNS-12570
TNS-12560
TNS-00530

He says the issue is because they are using something called host naming to connect to the database and they have a blank listener.ora file. A quick check on Google failed to find a solution to the issue, but I did find a very nice paper called "Security best practice: Host Naming and URL conventions" written by Gunter Ollmann. If anyone has any ideas to solve taupirho's problem please log onto my Oracle security forum and let him know.

Interesting thought on security advisories

I was browsing Niall's blog the other day and made a note about a post titled "Security as Marketing" which I thought gave quite a good viewpoint from someone who is not as avid a security watcher as me. It is interesting to see how others see the latest security news and viewpoints.

A great snort rule to detect the mod_plsql 0-day bug

I was emailed on Thursday evening by Richard Quintin who wrote to tell me that he had read my post about the DB18 exploit code being made available. He said that he had written a snort rule that will catch the bug being exploited as he figured if it is that easy to exploit the bad guys will be at it.

Anyhow, Alex Kirk responded with a more efficient rule and Richard thought I might like to post it here for the benefit of all those who read this blog and who want to protect their databases from this issue. All credit goes to Alex Kirk. Here is the rule:


# Snort will not load a rule without a sid:/rev: pair; add one from your local range.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE AUTH_ALTER_SESSION exploit attempt"; \
    flow:to_server,established; \
    content:"AUTH_ALTER_SESSION"; nocase; \
    pcre:"/AUTH_ALTER_SESSION(?!.{1,10}ALTER\s+SESSION\s+SET)/smi"; \
    reference:url,www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html; \
    classtype:attempted-admin; \
    tag:session,5,packets;)
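
To see what the rule's two payload tests actually match, here is a Python port of its content and pcre checks run over a few constructed payloads. This is an added example, not part of Alex Kirk's rule or of the original post. The byte layout of the samples (keyword, a padding byte, a one-byte length, then the statement) is an assumption standing in for the real TNS framing; only the statement text matters to the match.

```python
import re

# Port of the two payload tests in the Snort rule above (content + pcre).
# flow: and tag: are sensor-side options and are not modelled here.
KEYWORD = b"AUTH_ALTER_SESSION"
# pcre flags /smi -> re.S (dot matches newline), re.M, re.I
PATTERN = re.compile(rb"AUTH_ALTER_SESSION(?!.{1,10}ALTER\s+SESSION\s+SET)",
                     re.S | re.M | re.I)


def rule_fires(payload: bytes) -> bool:
    """True when the rule would alert on this client-to-server payload."""
    # content:"AUTH_ALTER_SESSION"; nocase;
    if KEYWORD.lower() not in payload.lower():
        return False
    # pcre: keyword NOT followed within 1-10 bytes by "ALTER SESSION SET"
    return PATTERN.search(payload) is not None


def tns_auth_chunk(stmt: bytes, gap: bytes = b"\x00") -> bytes:
    """Constructed stand-in for the part of the logon packet the rule inspects:
    keyword, a padding byte, a one-byte length, then the statement. Real TNS
    framing differs (this is an assumption); only the statement text matters."""
    return KEYWORD + gap + bytes([len(stmt)]) + stmt


# Constructed samples, not captured traffic.
SAMPLES = {
    "normal logon": tns_auth_chunk(b"ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN'"),
    "normal logon, lower case": tns_auth_chunk(b"alter session set nls_territory= 'AMERICA'"),
    "DB18 style: grant": tns_auth_chunk(b"GRANT DBA TO PUBLIC"),
    "DB18 style: create user": tns_auth_chunk(b"CREATE USER x IDENTIFIED BY x"),
    "no keyword at all": b"SELECT 1 FROM dual",
    # The lookahead window is 10 bytes: push a benign statement past it and the
    # rule fires anyway, so the window size is part of the rule's accuracy.
    "benign, 12 bytes of padding": tns_auth_chunk(
        b"ALTER SESSION SET NLS_LANGUAGE= 'AMERICAN'", gap=b"\x00" * 11),
}


def scan(samples: dict) -> dict:
    """Run the rule over each sample and return {label: fired}."""
    return {label: rule_fires(payload) for label, payload in samples.items()}


if __name__ == "__main__":
    for label, fired in scan(SAMPLES).items():
        print(f"{'ALERT' if fired else 'ok   '}  {label}")
```

The two benign logons do not fire because "ALTER SESSION SET" sits within the 10-byte window after the keyword, and `nocase` plus the `/i` flag keep both tests case-insensitive. The padded sample shows the rule's one real assumption: that the client's statement follows the keyword within a few length bytes. If your client version lays the packet out differently, the window in the pcre is the value to tune.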


Oracle aims to tone security muscle with Fusion

Oracle aims to tone security muscle with Fusion - By Joris Evers

"REDWOOD SHORES, Calif.--Billions of dollars worth of acquisitions have bought Oracle a perhaps unexpected bonus: security lessons.

Last year, the technology maker bought more than a dozen companies. Now it's picking up tips from those operations and using them in a major overhaul of its business applications software, an initiative called Project Fusion. Other products and processes are benefiting, too."


The really interesting quote for me in this article is the mention that in 11g Oracle will secure the database product out of the box, rather than the completely open state the database products are in by default now. This is very welcome news for all customers of Oracle. I have been writing about the problems of the Oracle database being open by default for years. I remember I had an email from Mary Ann Davidson a couple of years or so ago where she asked what I thought was an off-the-cuff theoretical question about what I would secure first in Oracle; we also discussed a secure out-of-the-box version of Oracle, and I think I suggested using a wizard to help secure the product by default. I don't for one minute think Mary Ann took notice of me particularly, but I do welcome the fact that she is taking notice of the main issues and doing something to fix them. Great news, thanks Joris!

leaking information about Oracle databases could be a dangerous thing

I got an email from someone last week (I won't reveal his name as I didn't ask him if it is OK to mention it here) who said he had found an interesting link whilst looking for something else and thought I would find its contents interesting. The link is "Welcome to ITEC's Orasnap reports". This page has a lot of links to detailed reports generated by a tool called OraSnap v3.0.0 that reveal a lot of details about a lot of databases. An example is here.

Whilst it might not be possible for a hacker to access these databases, some of the information is recent and detailed. The person who sent me this link said I should take a look as it's interesting to see the details some sites reveal. The message here is: check what your own websites reveal about your own Oracle installations. Don't send out a calling card inviting hackers to come in.

patch set 10.1.0.5 does not include latest security fixes!

The patch set 10.1.0.5 released yesterday does not include the latest security fixes released in the January 2006 Critical Patch Update. This Metalink note confirms it. To make matters worse, it also mentions that the Jan 2006 CPU is not available for 10.1.0.5 until February 10th.

This makes it impossible for anyone to seriously contemplate applying this upgrade until at least February 10th, especially as bug DB18 has exploit code available for it.

Out of interest, there are also still some platforms that do not have CPU Jan 2006 available yet. Thanks to Alex for this information.

Alex has described a new work around for the mod_plsql 0-day bug

Alex yesterday released an update to his page "SQL Injection via mod_plsql". In this update Alex describes a new workaround for this issue that has been suggested by Vladimir Zakharychev from Webrecruiter. It works by setting the parameter always_describe to ON (mod_plsql versions up to 3.0.9.x.x) or, in higher versions, the parameter PlsqlAlwaysDescribeProcedure to ON.

When this is ON, mod_plsql describes every procedure before running it, so if a hacker tries to inject code the injected text will fail the describe step and will not be executed. Alex warns that there are performance issues with enabling this parameter.

Stephen Kost (www.integrigy.com) has released an analysis of the mod_plsql 0-day bug / workaround

Tonight Steve Kost has emailed me to let me know that he has released an analysis of the recent mod_plsql 0-day bug / workaround. His analysis is very thorough and concentrates mostly on Oracle Applications / E-Business Suite. His findings indicate that the workaround proposed by David Litchfield is very simplistic and will in fact break most Oracle Applications implementations if it is followed.

Steve's paper is titled "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical". It first gives the background to the disclosure, describes why the bug is critical for E-Business Suite and confirms that 11i is vulnerable. He goes on to say that the workaround will cause problems and is simplistic.

Steve talks about the role of mod_plsql in E-Business Suite and also about the built-in validation for access to key packages that sits in front of mod_plsql. He goes on to describe the bug as classic SQL injection and a failure to block unauthorised packages. Quite interestingly, on page 3 he describes how the bug is more insidious than first described, as any PL/SQL could be executed, and it would be executed as APPS, which has access to all Oracle Applications data and packages.

He then goes on to describe how easy it would be to create a working exploit as mod_plsql has built in features to enable an exploit to be easily written.

Steve then analyses the NGS workaround in detail. He says that the suggested rewrite rules will break Oracle Applications and explains why. He also says that there could be more issues, as no placement for the rules is suggested, and he goes on to explain why this matters. Finally he says that the rewrite rules only block GET requests; POSTs can also be used to reach mod_plsql and these are not checked by the rules at all. Steve then says that the NGS workaround should not be used.

Steve then gives detailed workarounds for a number of different scenarios. This is an important analysis and should be read if you are using the Oracle HTTP server and mod_plsql. It is called "mod_plsql security bug disclosure and workaround - Oracle E-Business Suite impact=critical" and is well worth reading.

10.1.0.5 is available

I saw this evening that Laurent has announced the arrival of 10.1.0.5 on his blog. I guess it includes all the recent fixes in the January CPU? Can anyone confirm?

exploit code released for the DB18 AUTH_ALTER_SESSION bug - how to make any user a DBA

I just found this page on René Nyffenegger's website. The page is dated 24th January, so it has been there for a week or so. I have not seen anyone else pick up on this yet, though that is not to say they have not done so. The page is titled "On a breakable Oracle" and it describes in detail how to exploit the DB18 bug that Imperva found in the TNS / O3Logon process. This is where, after verifying the user/password, the Oracle client sends strings such as ALTER SESSION SET NLS_LANGUAGE='%s'. The guys at Imperva discovered that these strings can be replaced by any other valid statement, such as GRANT DBA TO PUBLIC. The key to the issue is that on an un-patched system these statements are executed as SYS.

René details a Perl script that uses a Perl proxy he also provides. He creates an Oracle user with nothing but CREATE SESSION and then proceeds to grab the packets as they are sent to the database as part of a logon. He finds the string ALTER SESSION SET NLS_... and works out its position in the packet and also the string end identifier. René then presents another Perl script that also uses his proxy, but this time the script intercepts the packet and replaces the ALTER SESSION SET NLS... with the code to create a new user. He then starts his proxy, injects the code and connects with SQL*Plus as his simple user. The trick is then repeated to grant DBA to this user. A final check in the data dictionary confirms that it has worked.

This is quite a complex exploit to demonstrate how this could work. It can be done much more simply.

As René points out in his article, patch immediately!!