Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
The paper includes a section titled "30-Minute release 11i security: Keeping the bad guys away" - by Randy Giefer. The article is excellent and does a good job of overviewing the security settings of E-Business Suite. An interesting angle of the paper is that the author targets the fact that most security is built for external attack prevention, but the FBI has published that 80% of attacks are done by insiders. This is one reason that security must work for all attack possibilities, internal or external.
Ivan points out in the above post a Chinese post titled "How teaches you to intercept the Oracle database connection password" which details how to intercept Oracle database passwords when translated with Babelfish.
"Oracle native authentication protocols are typical challenge-response protocols. After some negotiation the client sends the username. If the user exists the server sends an encrypted key. The client uses the key to encrypt the user's password and sends it to the server. One of the protocols is documented quite well in [1.]. On reading that description it is quite obvious that the protocol is vulnerable to an off-line brute force attack. Oracle changed the algorithm in 9i and changed it again in 10g. If we use the OCI driver, our programs will use these newer protocols, but thin drivers use the older version, thus implementing an off-line brute forcer is not absolutely pointless (if you can sniff the connection you can conduct several other attacks of course). The servers and the clients support the older version of the protocol, thus it is worth researching whether a downgrade attack is possible.
This article describes four versions of the Oracle native authentication. This information is based on [3.]. This description is shorter than [3.] and just emphasizes those differences that could be important in a downgrade attack against the (SEEMS TO BE stronger) newer authentication protocols.
We do not disclose the details of the downgrading. In the Downgrading chapter you can find screenshots of a successful attack to prove that downgrading is possible."
"How to change the Oracle SYS password without having to log in to a database? Possible?
Yes. All you need is some knowledge about Oracle internals.
This document is to be used only for testing purposes and not to be used in a production environment. The purpose is to show the audience how hackers can gain access to your system without you knowing it and how to prevent it.
As I said earlier I am not going to use SQL to access the production database. In order to get the necessary information about the SYS user I will copy the production system datafile to my test server using rcp, sftp or any other utility (the assumption here is that we already have gained access to the database server)."
I have updated my Oracle internals and undocumented Oracle page to include this paper.
David Litchfield will talk about Advanced Oracle Attack Techniques but, as is usual with David, he never releases details of his talks beforehand. I would guess that this talk will explore some of the advanced exploit techniques covered in the recently published Oracle Hackers Handbook: indirect attacks via triggers, timing based attacks or multi-stage / multi-component attacks.
Cesar Cerrudo will reveal at least one Oracle 0-day vulnerability and exploit code at Black Hat 2007 Washington DC. His presentation is called Practical 10 Minute Security Audit: The Oracle Case. He will demonstrate how to audit software to see if it can be trusted using free tools and point and click techniques. He will show how to locate a dozen or so local 0-day vulnerabilities, will demonstrate how vulnerabilities can be easily located in disassembled code, and will demonstrate and explain a 0-day exploit.
Me, I would like to be there but we have our second baby due at around the time of this conference so I will have more important things to do than get excited about Oracle security!
"A vulnerability research company in Argentina has fitted an Oracle database rootkit into its zero-day exploit pack, adding a stealthy new danger to enterprise systems.
The rootkit, which is available for sale in the Argeniss Ultimate 0day Exploits Pack, can be used to hide a malicious database user once a database server is compromised. The rootkit can also be used to hide activities that might set off alarm bells — running processes, opened connections, logins created, etc."
This is interesting. I can see how you may conclude that buying zero day exploits can be useful for manufacturers of security tools so that they can test if their tools perform correctly in detecting any exploit that may occur, not just the known ones. A rootkit for Oracle though? I am not convinced there are any in the wild. I know Alex has talked about them at BlackHat and I have been aware of the idea of Oracle rootkits for much longer, but I have not heard of one in the wild yet. There could be value for the same tool and product manufacturers in testing if audit tools can detect firstly a root kit and secondly a compromised system that includes a level of hiding using a root kit. The Oracle root kits that Alex has discussed are not honed and slick by any means (no disrespect to Alex intended) but I guess the security tools are also not honed to test for root kits yet. I have no idea of the complexity of the Argeniss rootkit but my suspicion would be that it may fool some existing products but it would not fool someone who knows how to check if one is installed.
Argeniss should share their research on this, or at least let us see the level of complexity of the rootkit. It would be useful in progressing free and commercial tools capabilities BUT it would also help develop more cunning Oracle root kits.
Interesting all the same!
"SAN FRANCISCO -- Oracle Corp. CEO Larry Ellison likes to boast that his company's products are unbreakable, but he apparently is not.
Ellison, who was scheduled to give a keynote speech at RSA Conference 2007 Wednesday, was a no-show, thanks to what Oracle officials said was a bad case of the flu."
"REDWOOD SHORES, Calif., Feb. 7 /PRNewswire-FirstCall/ -- In response to customer demand, Oracle (Nasdaq: ORCL - News) today announced that Oracle® Database Vault, the industry's most advanced security product designed to protect and limit access to sensitive data and applications, is now certified with Oracle's PeopleSoft Enterprise applications"
Oracle's Database Vault is now certified with PeopleSoft 8.4 and later. Database Vault looks like a really good addition to the Oracle database as it finally solves the issue of preventing DBAs and any other maintenance staff from accessing the data they are looking after in an Oracle database. The product enforces segregation of duties and helps with compliance. I saw a presentation last year in March at the PSOUG event in Seattle by Steve Enevold about Database Vault and Audit Vault and was immediately impressed. You can find out more about Oracle Database Vault here.
Will the world of rootkits transfer to Oracle databases at some point soon, and will we need to create similar tools to check for and remove rootkits from Oracle databases?
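Both the Argeniss rootkit post above and this question about tools to check for Oracle rootkits come down to the same defensive idea: verify the dictionary views a DBA relies on against the base tables they are built from. The following checks are an added example, not code from the original posts or from Argeniss; they assume a SYS connection (or a user holding SELECT ANY DICTIONARY) and target the simplest rootkit technique, rewriting or redirecting the views that list users and sessions.

```sql
-- Added example (not from the original weblog). Run as SYS or with SELECT ANY DICTIONARY.

-- 1. Users that exist in the base table but are filtered out of the views built on it.
--    A rootkit that edits DBA_USERS / ALL_USERS cannot remove the row from SYS.USER$.
SELECT u.name AS hidden_user
  FROM sys.user$ u
 WHERE u.type# = 1                                    -- 1 = user, 0 = role
   AND (u.name NOT IN (SELECT username FROM dba_users)
        OR u.name NOT IN (SELECT username FROM all_users));

-- 2. Public synonyms for dictionary views that no longer resolve to SYS-owned objects.
--    Pointing DBA_USERS or V$SESSION at a look-alike view in another schema is the
--    cheapest way to hide a user or a connection without touching SYS objects.
SELECT synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE owner = 'PUBLIC'
   AND synonym_name IN ('DBA_USERS', 'ALL_USERS', 'V$SESSION', 'V$PROCESS')
   AND table_owner <> 'SYS';

-- 3. SYS views whose definition was changed after they were created.
--    Patches and upgrades also move LAST_DDL_TIME, so compare any hit with the
--    patch history before raising an alarm.
SELECT object_name, created, last_ddl_time
  FROM dba_objects
 WHERE owner = 'SYS'
   AND object_type = 'VIEW'
   AND object_name IN ('DBA_USERS', 'ALL_USERS', 'V_$SESSION', 'GV_$SESSION', 'V_$PROCESS')
   AND last_ddl_time > created;

-- For any view flagged by check 3, read its text and look for an added predicate
-- (for example an extra "AND u.name <> '...'" in the WHERE clause).
SELECT text FROM dba_views WHERE owner = 'SYS' AND view_name = 'DBA_USERS';
```

A clean system returns no rows from the first two queries; the third needs a baseline taken right after installation or patching to be meaningful.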
I have upgraded my blog to Greymatter 1.7.1 and this has allowed me to re-enable comments in my blog. I disabled them 2 years ago and talked about it in a post titled "Comments have been disabled from my weblog". Greymatter has recently got a new lease of life and a few people including me are involved in its development. A couple of simple changes have added a requirement to add a phrase to allow comments to be posted. I am also finally starting to work on a comment moderation queue for Greymatter so that should make commenting easier to manage. For now I have decided to open comments for new posts on this blog and see how it goes. Comments will be closed as posts move off the main page.
I did a simple test to show how to use CREATE SCHEMA:
SQL> get afiedt.buf
1 connect system/manager@oradev
2 drop user t3 cascade;
3 create user t3 identified by t3;
4 grant create table to t3;
5 grant create session to t3;
6 grant unlimited tablespace to t3;
7 connect t3/t3@oradev
8 create schema authorization t3
9 create table a (colour varchar2(10))
10* grant select on a to t1
As you can see it created the table and did the grant and simply reported back "Schema created". It would be a useful addition to Oracle to actually create schemas that are separate from user accounts, i.e. you could create a bunch of tables / views etc. that are in a schema but no one can log in to it. This would remove, in E-Business Suite, the need to have hundreds of default accounts that need to have default passwords changed and locked etc.
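The following SQL*Plus script is an added example, not the test from the post above: it repeats the CREATE SCHEMA run with the grantee t1 created first (the GRANT inside the statement fails if t1 does not exist, and with it the whole statement), verifies that both parts took effect, and then approximates the "schema nobody can log in to" that the post asks for by locking the owning account. The service name oradev comes from the post; the passwords are placeholders.

```sql
-- Added example, not from the original post. <password> values are placeholders.
CONNECT system/<password>@oradev
CREATE USER t1 IDENTIFIED BY <password>;
GRANT CREATE SESSION TO t1;
CREATE USER t3 IDENTIFIED BY <password>;
GRANT CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE TO t3;

CONNECT t3/<password>@oradev
-- One DDL statement: the table and the grant either both succeed or neither is kept.
CREATE SCHEMA AUTHORIZATION t3
  CREATE TABLE a (colour VARCHAR2(10))
  GRANT SELECT ON a TO t1;

-- Confirm that both parts of the schema statement are in place.
SELECT table_name FROM user_tables WHERE table_name = 'A';
SELECT grantee, privilege FROM user_tab_privs_made WHERE table_name = 'A';

-- The objects exist, so stop the owning account from being a login account:
-- no CREATE SESSION and a locked status, which is the mitigation applied to
-- default schema accounts in E-Business Suite.
CONNECT system/<password>@oradev
REVOKE CREATE SESSION FROM t3;
ALTER USER t3 ACCOUNT LOCK;
SELECT username, account_status FROM dba_users WHERE username = 'T3';

-- The grant still works for t1 even though nobody can log in as t3.
CONNECT t1/<password>@oradev
SELECT COUNT(*) FROM t3.a;
```

The ACCOUNT_STATUS query should report LOCKED for T3, and the final SELECT returns 0 rows counted rather than an ORA-00942, which is the behaviour a locked schema owner needs to keep.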