
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

11i Security papers available

I got an email from someone (sorry, I am writing this without access to my email and I cannot remember the person's name) who sent me a link to the http://repo.solutionbeacon.net/insight2006-q3.pdf - (broken link) Oracle Applications Users Group (OAUG) Insight Fall 2006 paper. I have been a fan of them for a while as, besides being well into Oracle database security, I have also spent quite a lot of time in the last few years getting up to speed with Oracle E-Business Suite (Oracle Applications) security.

The paper includes a section titled "30-Minute Release 11i Security: Keeping the Bad Guys Away" by Randy Giefer. The article is excellent and does a good job of giving an overview of the security settings of E-Business Suite. An interesting angle of the paper is that the author points out that most security is built to prevent external attacks, yet the FBI has published that 80% of attacks are carried out by insiders. This is one reason that security must work against all attack possibilities, internal or external.

More on Oracle hacking techniques

I posted about the upcoming Blackhat DC conference a few days ago in a post titled "Oracle 0-day exploit to be released - Blackhat Washington DC database security presentations", talked about David Litchfield's presentation and surmised what it may be about. Well, David will talk about a new Oracle attack vector that involves http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf - (broken link) dangling cursors and will show how a user with only the CREATE SESSION privilege can execute any SQL, PL/SQL or DDL in the database. This is quite a cool attack technique.

Hacking Oracle, but not in English

I saw a great post on my Oracle security forum titled "Oracle security and other languages" that highlights the fact that some researchers and hackers do not publish in English. This is a very good point, and if you are interested in learning as much as possible about hacking and securing Oracle then it is worth looking at non-English sites.

In that thread Ivan points out a Chinese post whose title, translated with Babelfish, reads "How teaches you to intercept the Oracle database connection password"; it details how Oracle database passwords can be intercepted.

Oracle TNS Protocol downgrade attacks

Laszlo Toth has just published an excellent paper on downgrading the Oracle authentication protocol. The paper is called "Downgrading the Oracle native authentication" and its introduction reads:

"Oracle native authentication protocols are typical challenge-response protocols. After some negotiation the client sends the username. If the user exists the server sends an encrypted key. The client uses the key to encrypt the user's password and sends it to the server. One of the protocols is documented quite well in [1.]. On reading that description it is quite obvious that the protocol is vulnerable against the off-line brute force attack. Oracle changed the algorithm in 9i and changed it again in 10g. If we use the OCI driver, our programs will use these newer protocols, but thin drivers use the older version, thus implementing an off-line brute forcer is not absolutely pointless (if you can sniff the connection you can conduct several other attacks of course). The servers and the clients support the older version of the protocol, thus it is worth researching whether a downgrade attack is possible.

This article describes four versions of the Oracle native authentication. This information is based on [3.]. This description is shorter than [3.] and just emphasizes those differences that could be important in a downgrade attack against the (SEEMS TO BE stronger) newer authentication protocols.

We do not disclose the details of the downgrading. In the Downgrading chapter you can find screenshots about a successful attack to prove that downgrading is possible."

How to hack SYS password without logging into the database

I have just posted a new paper to my website, written by Miladin Modrakovic and titled "Fixing SYS for hacking purposes", which details how the SYS password hash can be changed in the database without logging into the database. This is of course done using the BBED tool. The paper starts:

"How to change the Oracle SYS password without having to log in to a database? Possible?
Yes. All you need is some knowledge about Oracle internals.

This document is to be used only for testing purposes and not to be used in a production environment. The purpose is to show the audience how hackers can gain access to your system without knowing it and how to prevent it.

As I said earlier I am not going to use SQL to access the production database. In order to get the necessary information about the SYS user I will copy the production system datafile to my test server using rcp, sftp or any other utility (the assumption here is that we already have gained access to the database server)."


I have updated my Oracle internals and undocumented Oracle page to include this paper.

Oracle 0-day exploit to be released - Blackhat Washington DC database security presentations

I have just seen that the Washington DC Blackhat 2007 conference programme has been released, and I have spotted a number of database security presentations. The first is Amichai Shulman, who will talk about "Danger From Below: The Untold Tale of Database Communication Protocol Vulnerabilities". He will talk about database communication protocols, and his abstract mentions that manufacturers build in backwards compatibility and that this fuels security vulnerabilities. So I can guess that he will concentrate on how to make the client and server of a later database talk in an earlier protocol version that is easier to exploit, or where bugs from the earlier version are still available. I have been aware of this issue in Oracle for a couple of years and I know that other researchers have working code for this.

David Litchfield will talk about "Advanced Oracle Attack Techniques", but as is usual with David he never releases details of his talks beforehand. I would guess that this talk will explore some of the advanced exploit techniques covered in the recently published Oracle Hacker's Handbook: indirect attacks via triggers, timing-based attacks, or multi-stage / multi-component attacks.

Cesar Cerrudo will reveal at least one Oracle 0-day vulnerability and exploit code at Black Hat 2007 Washington DC. His presentation is called "Practical 10 Minute Security Audit: The Oracle Case". He will demonstrate how to audit software to see if it can be trusted using free tools and point-and-click techniques. He will show how to locate a dozen or so local 0-day vulnerabilities, will demonstrate how vulnerabilities can be easily located in disassembled code, and will demonstrate and explain a 0-day exploit.

Me, I would like to be there but we have our second baby due at around the time of this conference so I will have more important things to do than get excited about Oracle security!

Argeniss are now selling Oracle rootkits!

Alex pointed out a news item this evening titled "Oracle DB rootkit for sale in exploit pack" by Ryan Naraine:

"A vulnerability research company in Argentina has fitted an Oracle database rootkit into its zero-day exploit pack, adding a stealthy new danger to enterprise systems.

The rootkit, which is available for sale in the Argeniss Ultimate 0day Exploits Pack, can be used to hide a malicious database user once a database server is compromised. The rootkit can also be used to hide activities that might set off alarm bells — running processes, opened connections, logins created, etc."


This is interesting. I can see how you may conclude that buying zero-day exploits can be useful for manufacturers of security tools, so that they can test whether their tools perform correctly in detecting any exploit that may occur, not just the known ones. A rootkit for Oracle, though? I am not convinced there are any in the wild. I know Alex has talked about them at BlackHat, and I have been aware of the idea of Oracle rootkits for much longer, but I have not heard of one in the wild yet. There could be value for the same tool and product manufacturers in testing whether audit tools can detect, firstly, a rootkit and, secondly, a compromised system that includes a level of hiding using a rootkit. The Oracle rootkits that Alex has discussed are not honed and slick by any means (no disrespect to Alex intended), but I guess the security tools are also not honed to test for rootkits yet. I have no idea of the complexity of the Argeniss rootkit, but my suspicion is that it may fool some existing products but would not fool someone who knows how to check whether one is installed.

Argeniss should share their research on this, or at least let us see the level of complexity of the rootkit. It would be useful in progressing the capabilities of free and commercial tools, BUT it would also help develop more cunning Oracle rootkits.

Interesting all the same!

Oracle Database Vault is certified with PeopleSoft

I just saw a news item tonight on Yahoo titled "Oracle(R) Database Vault Delivers Unrivaled Secure Data Access Control for PeopleSoft Applications":

"REDWOOD SHORES, Calif., Feb. 7 /PRNewswire-FirstCall/ -- In response to customer demand, Oracle (Nasdaq: ORCL - News) today announced that Oracle® Database Vault, the industry's most advanced security product designed to protect and limit access to sensitive data and applications, is now certified with Oracle's PeopleSoft Enterprise applications"

So Oracle's Database Vault is now certified with PeopleSoft 8.4 and later. Database Vault looks like a really good addition to the Oracle database as it finally solves the issue of preventing DBAs and any other maintenance staff from accessing the data they are looking after in an Oracle database. The product enforces segregation of duties and helps with compliance. I saw a presentation last March at the PSOUG event in Seattle by Steve Enevold about Database Vault and Audit Vault and was immediately impressed. You can find out more about Oracle Database Vault here.

Detecting rootkits

I saw a nice paper at the weekend titled "Thoughts about cross-view based rootkit detection" that discusses detecting rootkits by using low-level access routines to compare a low-level view of the file system with a high-level view. I immediately thought about the Oracle equivalent. If someone installed an Oracle rootkit in a database and, for instance, hid a hacker's user account by modifying dictionary views such as DBA_USERS, then you would check for this user by comparing the number of users in SYS.USER$ with those in DBA_USERS, or more likely by doing set arithmetic to check for differences. This would be a direct analogy of this Windows-based paper. Another technique is to create a "clean" database and to checksum everything in the database (objects, views, tables, code, etc.), then store the checksums and use them to compare future checks against.

Will the world of rootkits transfer to Oracle databases at some point soon, and will we need to create similar tools to check for and remove rootkits from Oracle databases?
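Both checks described above, worked through as an added example (this is my illustration, not code from the rootkit detection paper or from any tool). It assumes a SYSDBA session on a 10g-style data dictionary; the list of views to baseline and the SEC_VIEW_BASELINE table name are my own choices.

```sql
-- Added example, not from the original post or the paper it discusses.
-- Assumes a SYSDBA session; the view list and the SEC_VIEW_BASELINE table
-- name are assumptions of this example.

-- 1. Cross-view check, the database analogue of the file-system comparison:
--    SYS.USER$ is the base table, DBA_USERS the high-level view a rootkit
--    would alter. Any account listed here is visible in the table but not
--    in the view and needs explaining.
SELECT u.name AS account, u.user#, u.ctime AS created
FROM   sys.user$ u
WHERE  u.type# = 1                                   -- 1 = user, 0 = role
AND    u.name NOT IN (SELECT username FROM dba_users)
ORDER  BY u.ctime;

-- 2. The quick count comparison from the post; the two numbers should match.
SELECT (SELECT COUNT(*) FROM sys.user$ WHERE type# = 1) AS user$_rows,
       (SELECT COUNT(*) FROM dba_users)                  AS dba_users_rows
FROM   dual;

-- 3. Baseline approach: hash the definition of each sensitive dictionary view
--    on a known-clean database and keep the hashes for later comparison.
--    DBA_VIEWS.TEXT is a LONG, so it is read through PL/SQL.
CREATE TABLE sec_view_baseline (
  view_name  VARCHAR2(30) NOT NULL,
  hash_value NUMBER       NOT NULL,
  taken      DATE         NOT NULL
);

DECLARE
  l_text VARCHAR2(32767);
  l_hash NUMBER;
BEGIN
  FOR v IN (SELECT view_name
            FROM   dba_views
            WHERE  owner = 'SYS'
            AND    view_name IN ('DBA_USERS', 'ALL_USERS', 'DBA_ROLE_PRIVS',
                                 'DBA_SYS_PRIVS', 'DBA_TAB_PRIVS', 'V_$SESSION'))
  LOOP
    SELECT text INTO l_text
    FROM   dba_views
    WHERE  owner = 'SYS' AND view_name = v.view_name;
    l_hash := dbms_utility.get_hash_value(l_text, 0, 1073741824);
    INSERT INTO sec_view_baseline (view_name, hash_value, taken)
    VALUES (v.view_name, l_hash, SYSDATE);
  END LOOP;
  COMMIT;
END;
/

-- 4. Later check: recompute the hashes and report any view whose definition
--    no longer matches the baseline, or which has disappeared altogether.
SET SERVEROUTPUT ON
DECLARE
  l_text VARCHAR2(32767);
  l_hash NUMBER;
BEGIN
  FOR b IN (SELECT view_name, hash_value FROM sec_view_baseline) LOOP
    BEGIN
      SELECT text INTO l_text
      FROM   dba_views
      WHERE  owner = 'SYS' AND view_name = b.view_name;
      l_hash := dbms_utility.get_hash_value(l_text, 0, 1073741824);
      IF l_hash <> b.hash_value THEN
        dbms_output.put_line('CHANGED: SYS.' || b.view_name);
      END IF;
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        dbms_output.put_line('MISSING: SYS.' || b.view_name);
    END;
  END LOOP;
END;
/
```

The baseline table should be taken on the clean build and, ideally, kept off the database being checked (a rootkit that can rewrite DBA_USERS can also rewrite a table of hashes), which is the same trust problem the file-system paper has with its high-level view.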

Comments are enabled on this blog again

Hi All,

I have upgraded my blog to Greymatter 1.7.1 and this has allowed me to re-enable comments on my blog. I disabled them two years ago and talked about it in a post titled "Comments have been disabled from my weblog". Greymatter has recently got a new lease of life and a few people, including me, are involved in its development. A couple of simple changes have added a requirement to enter a phrase before a comment can be posted. I am also finally starting to work on a comment moderation queue for Greymatter, so that should make commenting easier to manage. For now I have decided to open comments for new posts on this blog and see how it goes. Comments will be closed as posts move off the main page.

Users and Schemas

I saw Andrew Clarke's blog entry today titled "USER != SCHEMA" and read it with interest. I did quite a detailed blog post about CREATE SCHEMA over a year ago, titled "CREATE SCHEMA - does it do what it says on the tin?", where I looked into CREATE SCHEMA in Oracle. Basically, Oracle supports schemas but they are tied directly to users. You can use the CREATE SCHEMA command to create a schema for an existing user's account (you must be logged into that account for it to work), and it allows you to create tables and views and grant privileges all in one command, so creating a schema in one go. It doesn't create a schema separate from the user account that already exists; it simply creates a set of objects alongside any existing ones.

I did a simple test to show how to use CREATE SCHEMA:


SQL> get afiedt.buf
1 connect system/manager@oradev
2 drop user t3 cascade;
3 create user t3 identified by t3;
4 grant create table to t3;
5 grant create session to t3;
6 grant unlimited tablespace to t3;
7 connect t3/t3@oradev
8 create schema authorization t3
9 create table a (colour varchar2(10))
10* grant select on a to t1
SQL>
SQL> @afiedt.buf
Connected.

User dropped.


User created.


Grant succeeded.


Grant succeeded.


Grant succeeded.

Connected.

Schema created.

SQL>


As you can see, it created the table and did the grant and simply reported back "Schema created". It would be a useful addition to Oracle to be able to create schemas that are separate from user accounts, i.e. you could create a bunch of tables, views etc. that are in a schema but no one can log in to it. In E-Business Suite this would remove the need to have hundreds of default accounts whose default passwords need to be changed and which need to be locked, etc.
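A follow-up check, added here as an example of my own and not part of the original test, that shows from the data dictionary why "schema" and "user" are the same thing in Oracle. It is meant to be run as SYSTEM (or any DBA) after the CREATE SCHEMA session above and assumes the T3 account created there still exists.

```sql
-- Added example, not from the original post. Run as SYSTEM after the
-- CREATE SCHEMA session above; assumes the T3 account from that session.

-- 1. The "schema" created above is nothing more than objects owned by T3.
SELECT owner, object_type, object_name, created
FROM   dba_objects
WHERE  owner = 'T3'
ORDER  BY object_type, object_name;

-- 2. Every object owner is a user account: this MINUS returns no rows,
--    which is the point of the post. A separate, login-less schema would
--    show up here as an owner with no matching user.
SELECT DISTINCT owner FROM dba_objects
MINUS
SELECT username FROM dba_users;

-- 3. The consequence for application schemas such as E-Business Suite: each
--    object-owning account is also a login. List the ones that are still open
--    so they can be locked or have their default password changed.
SELECT u.username, u.account_status, u.created,
       COUNT(o.object_name) AS objects
FROM   dba_users   u
JOIN   dba_objects o ON o.owner = u.username
WHERE  u.username NOT IN ('SYS', 'SYSTEM')
AND    u.account_status NOT LIKE '%LOCKED%'
GROUP  BY u.username, u.account_status, u.created
ORDER  BY objects DESC;
```

The third query is the practical audit step: on a default E-Business Suite install it returns the long list of product schemas the post complains about, and anything on that list that is not actually used for logins is a candidate for ALTER USER ... ACCOUNT LOCK.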