Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle Security Back to basics slides available

I presented at the Back to basics event organised by the UKOUG in the Paddington area of London. The event was very well attended and was hosted by Lisa Dobson. Tom Kyte, myself, Jonathan Lewis and Julian Dyke all presented at the event. This was a great event aimed at bringing each presenter's specialities back to basics. Of course I was speaking about security and I tried to home in on the core issues related to Oracle security. This was fun to do and quite an interesting challenge as it quickly becomes evident that it's easy to go too deep and baffle people sometimes. It was really interesting to pull out some of the basic core issues and talk about them; it's also interesting to realise that if a small number of basic issues are taken care of how much better the security of a particular database would be.

As usual I have provided a pdf of my slides, Oracle Security Basics and also a second pdf with 6 slides per page - Oracle Security Basics - 6 Slides.

Speaking events, SQL Hashes and clever password crackers

I managed last week to update the speaking events list on my site's home page to include all the presentations I will be giving over the next couple of months. I am speaking this Thursday at the UKOUG back to basics event in London and I am looking forward to that. Come and say hello if you are coming along to any of the events.

I was doing some research for a project last week and made a note of a new package, DBMS_SQLHASH, that some sites are marking as new for 11g but it's also there in 10gR2. This is an interesting package that allows the use of cryptographic hashes such as HASH_MD4, HASH_MD5, or HASH_SH1 (from DBMS_CRYPTO) to hash the result set of a SQL statement to allow the checking of data integrity. This allows data to be checked to see if it has been changed. The package, with its function GETHASH, can also be used to test the integrity of dictionary objects in a similar fashion to some of the commercial database scanners that are available. The package can of course be used to select the source of packages, triggers, views and more, and hashes can be calculated and stored for later comparison.
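The store-and-compare use of GETHASH described above, as an added example that is not from the original post. The table SOURCE_BASELINE and the schema name APP_OWNER are assumptions; the first run records a SHA-1 hash per stored object, later runs report anything whose source no longer matches.

```sql
-- Added example. SOURCE_BASELINE and APP_OWNER are assumed names.
-- Needs EXECUTE on SYS.DBMS_SQLHASH and DBMS_CRYPTO, SELECT on DBA_SOURCE.
CREATE TABLE source_baseline (
  owner     VARCHAR2(128),
  name      VARCHAR2(128),
  type      VARCHAR2(12),
  sha1_hash RAW(20),
  taken_at  DATE DEFAULT SYSDATE,
  CONSTRAINT source_baseline_pk PRIMARY KEY (owner, name, type)
);

SET SERVEROUTPUT ON
DECLARE
  l_now RAW(20);
  l_old source_baseline.sha1_hash%TYPE;
  -- GETHASH takes SQL text, not binds, so every value goes through
  -- DBMS_ASSERT.ENQUOTE_LITERAL. ORDER BY keeps the hash repeatable.
  FUNCTION source_hash (p_owner VARCHAR2, p_name VARCHAR2, p_type VARCHAR2)
    RETURN RAW IS
  BEGIN
    RETURN SYS.DBMS_SQLHASH.GETHASH(
      'SELECT line, text FROM dba_source'
        || ' WHERE owner = ' || DBMS_ASSERT.ENQUOTE_LITERAL(p_owner)
        || ' AND name = '    || DBMS_ASSERT.ENQUOTE_LITERAL(p_name)
        || ' AND type = '    || DBMS_ASSERT.ENQUOTE_LITERAL(p_type)
        || ' ORDER BY line',
      DBMS_CRYPTO.HASH_SH1);
  END source_hash;
BEGIN
  FOR o IN (SELECT DISTINCT owner, name, type
              FROM dba_source
             WHERE owner = 'APP_OWNER') LOOP
    l_now := source_hash(o.owner, o.name, o.type);
    BEGIN
      SELECT sha1_hash INTO l_old FROM source_baseline
       WHERE owner = o.owner AND name = o.name AND type = o.type;
      IF UTL_RAW.COMPARE(l_old, l_now) <> 0 THEN
        DBMS_OUTPUT.PUT_LINE('CHANGED ' || o.type || ' ' || o.owner || '.' || o.name);
      END IF;
    EXCEPTION
      WHEN NO_DATA_FOUND THEN  -- not in the baseline yet: record and report it
        INSERT INTO source_baseline (owner, name, type, sha1_hash)
        VALUES (o.owner, o.name, o.type, l_now);
        DBMS_OUTPUT.PUT_LINE('NEW ' || o.type || ' ' || o.owner || '.' || o.name);
    END;
  END LOOP;
  COMMIT;
END;
/
```

The baseline table is only as trustworthy as its own protection, so keep it in a schema the application owner cannot write to or export the hashes off the database.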

Finally Laszlo sent me an interesting link to the methods Elcomsoft are using to make password crackers run at 20 times the normal speed by passing off the repetitive calculations to the parallel hardware available in graphics cards such as NVIDIA GeForce 8 graphics boards. The page is titled "Elcomsoft Distributed Password Recovery".

Oracle Defending Against SQL Injection Tutorial

I posted yesterday about Mary Ann's post that mentioned the internal Oracle Security coding standards and Kris made a post to my blog about a very nice Oracle Corp tutorial (really a CBT) called Defending Against SQL Injection Attacks. This was posted to Lutz's blog first.

This tutorial is on Oracle's website and can be run from there. The page is titled "Tutorial on Defending Against SQL Injection Attacks!". There is also a link on the same page to download the tutorial so that you can run it locally. I would recommend grabbing it to ensure that you have a copy.

This is a superb tutorial, well written and positioned just right. The tutorial starts with a note that the three worst issues reported in a 2006 report by Fortify are Cross Site scripting (21.5%), SQL Injection (14%) and PHP includes (9.5%). The tutorial starts by explaining what SQL Injection is with some good flash examples and how to avoid SQL Injection. It includes first order and second order attacks and also discusses reducing the attack surface, removing APIs, use of invoker rights, reducing arbitrary inputs and more. The tutorial goes on to talk about avoiding dynamic SQL, how to use static SQL and what to do if you must use dynamic SQL.

A good section discusses the use of bind variables and also covers what to do if it's not possible to use binds. A detailed lesson also covers the use of DBMS_ASSERT and this is one of the most detailed I have seen. It also includes for the first time an explanation of the DBMS_ASSERT.NOOP function. This, we can now clarify, is used to mark a piece of code that is not to be tested by automated test tools (presumably Fortify) as this function does nothing except return the string passed unchanged.
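The bind variable and DBMS_ASSERT advice summarised above, shown as a before and after pair. This is an added example, not code from the Oracle tutorial; the procedure names and the STATUS column are hypothetical.

```sql
-- Added example. The STATUS column and both procedure names are hypothetical.

-- Before: the table name and the value are concatenated into the statement,
-- so either parameter can change the SQL that runs.
CREATE OR REPLACE PROCEDURE count_by_status_bad (
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER
) IS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || p_table
      || ' WHERE status = ''' || p_status || ''''
    INTO p_count;
END;
/

-- After: invoker rights, a bind for the value, DBMS_ASSERT for the identifier.
CREATE OR REPLACE PROCEDURE count_by_status (
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER
) AUTHID CURRENT_USER IS
  l_table VARCHAR2(261);
BEGIN
  -- An identifier cannot be bound. SQL_OBJECT_NAME returns its input only if
  -- it names an existing object and raises ORA-44002 otherwise.
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  -- The value travels as a bind, so it is never parsed as SQL text.
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_table || ' WHERE status = :status'
    INTO p_count
    USING p_status;
END;
/
```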

There is also a discussion on identifiers and writing your own filters and also a section on designing code so that it's not vulnerable in the first place. The testing section is excellent as it discusses the need to have code reviews, static analysis and also fuzzing for dynamic analysis. The best parts are an insight into the 300 page document as there is a code checklist and a nice names test case list for testing.

Each section also includes a nice quiz. This is a good document and one of the best security documents I have seen from Oracle.

A hint of Oracle's coding standards

I saw Mary Ann's interestingly titled post "Lies, Damn Lies, and Statistics" and had a read. The interesting part for me was the short discussion of the genesis and development around the Oracle secure coding standards that currently sits at 300 pages and has driven training classes and more. It's unclear what languages this is for, mostly C and PL/SQL I would guess. As a lot of customers code customisations for Oracle Applications, APEX and the Forms and Reports products and also write their own applications with PL/SQL, OCI and Pro*C and more it would be good if these standards could be accessed and used by all customers. After all, Mary Ann states in the post that third party acquisitions are brought into line with these standards. If these are the standards defined by the vendor we would all like to get to the same level and also help improve them for the benefit of all.

Oracle security conferences, illness and ....

It's been a few days since my last blog entry and not many over the last few weeks...:-) Business has been taking off spectacularly so I have been very very busy; burning the candles at both ends as they say. This all had to slow down last week due to a very bad cold, badly infected ear and throat and a very bad unshiftable cough. Now I have been on pain killers and anti-biotics and more potions and lotions for 4 days. This has slowed me down to just client work during normal hours and no internal work / projects in the mornings or evenings..:-)...

A few speaking updates: I am speaking at the UKOUG beginners day at the end of this month (28th Feb) in London, which I am looking forward to. I am also going to be speaking at the OUG Ireland Oracle User Group at Croke Park on 11th March and also at the OUG Scotland event on April 30th in Edinburgh and finally (for now) I am going to be speaking in Oslo on May 23rd at the Mnemonic security conference, called RISK 2008.

The interest in our how to audit an Oracle database training course has been superb for on-site clients and I have also been working with a number of companies in Europe and the States on this course and can announce that it will also be available as a public event on a number of occasions; more details to follow soon.

I have also been busy getting my company's services, partners, products and more added to the site. There are a couple of things still to complete; mainly some product descriptions and also I need to add the rest of our consultancy services. They can all be accessed via the services menu on every page.

A default password script and a cracker helper script

I subscribe to the pentest list on security focus and a recent thread around Oracle password crackers threw up links to a couple of small scripts that are worth a mention simply to keep a record of them here.

The first is a default password script that uses a similar style to the one I originally wrote for pentest and that Mark took over. It also uses the contents of my Oracle default password list from this site. For completeness I would also include the contents of the Oracle default password check script.

The twist is that it generates an alter script that is then run at the end that prompts you for a password for each default user found. The script is called Oracle-chngdef.sql and is available from the US military stigs site. A sample output from a test system here generated:

set verify off
alter user CTXSYS identified by &CTXSYS;
alter user DBSNMP identified by &DBSNMP;
alter user HR identified by &HR;
alter user HR identified by &HR;
alter user MDSYS identified by &MDSYS;
alter user ODM identified by &ODM;
alter user ODM_MTR identified by &ODM_MTR;
alter user OE identified by &OE;
alter user OLAPSYS identified by &OLAPSYS;
alter user ORDPLUGINS identified by &ORDPLUGINS;
alter user ORDSYS identified by &ORDSYS;
alter user OUTLN identified by &OUTLN;
alter user PM identified by &PM;
alter user QS identified by &QS;
alter user QS_ADM identified by &QS_ADM;
alter user QS_CB identified by &QS_CB;
alter user QS_CBADM identified by &QS_CBADM;
alter user QS_CS identified by &QS_CS;
alter user QS_ES identified by &QS_ES;
alter user QS_OS identified by &QS_OS;
alter user QS_WS identified by &QS_WS;
alter user RMAN identified by &RMAN;
alter user SH identified by &SH;
alter user WKPROXY identified by &WKPROXY;
alter user WKSYS identified by &WKSYS;
alter user WMSYS identified by &WMSYS;
alter user XDB identified by &XDB;

The second script is a helper script by Marco Ivaldi to run check_pwd and to parse out the results at the end of the run. It's a simple shell script and it simply removes all the additional text generated by the cracker. I have a similar manual process that I use on orabf or woraauthbf depending on which I used at the time. I use cygwin for a command line so that I have access to a bash shell on Windows. The script is called oracrack.

Limited becomes UK partner for Sentrigo Hedgehog

Limited recently agreed to be the first UK partner for Sentrigo, the producer of the Hedgehog Enterprise™ and Hedgehog IDentifier™ and Limited will resell these products in the UK.

The press release is here: Limited to offer Sentrigo’s Hedgehog solution to customers worldwide

WOBURN, Mass. - February 4, 2008 - Sentrigo, Inc., an innovator in database security software, today announced that Limited, the world-renowned Oracle security consultancy headed by Pete Finnigan, has become a Sentrigo partner and will resell the Hedgehog Enterprise™ and Hedgehog IDentifier™ products. Sentrigo works with numerous international partners to reach customers worldwide; Limited is Sentrigo’s first partner based in the U.K. and will offer Hedgehog to customers in that country and beyond. Limited, based in York, England, specializes in Oracle database security audits and training, and offers detailed Oracle security IT health checks and remediation.

“There are several products on the market that aim to protect corporate databases, but I believe Sentrigo’s is the first to really address the problem,” said Finnigan. “Other database activity monitoring products monitor network traffic, but this is simply of no help in spotting and stopping direct intrusions from company insiders who can readily bypass firewalls and network appliances. Hedgehog’s ease of use, configurability and design make me excited to offer the product to my own clients.”

Nathan Shuchami, Sentrigo’s CEO, said: “Pete Finnigan is one of the most widely respected domain experts in the world and we’re honored that an individual of his caliber would choose Sentrigo as a partner. We look forward to collaborating with him to provide a very usable yet powerful solution to customers worldwide.”

Sentrigo’s Hedgehog software is a new solution for real-time database monitoring, auditing and breach prevention. It can be downloaded and installed directly on the database in minutes and configured to provide the precise level of protection and alerts desired. Hedgehog is currently available for Oracle, with additional database support available later this year. Hedgehog Enterprise; Hedgehog IDentifier, which associates database actions with individuals in pooled connection environments; and Hedgehog Standard™, which may be freely downloaded and deployed, are available at

About Limited

Limited is an Oracle database security consultancy specializing in Oracle database security consulting and security audits and Oracle security training for enterprises in the U.K., Europe and North America. Designed by acclaimed Oracle database security veteran Pete Finnigan, the firm’s security audits and training programs are targeted at database administrators, security personnel and developers entrusted with Oracle security.

Oracle database exploits available for January 2008 CPU fixes

I keep an eye on Milw0rm as it's a great source of exploits and saw the other day that 4 new posts had been made on there. These are exploits for bugs fixed in the January 2008 CPU.

This is a wake up call to anyone who is not decided about applying the patches for the January 2008 CPU. Once exploits are readily available you are more at risk. Also a number of recent surveys suggest that insider attacks are much more likely than external attacks so it's vital that companies running Oracle realise that these exploits work much better from an employee's PC connected to your network than externally, as they already have access to the network and databases in a lot of cases. If the figures for internal attacks are to be believed then this makes the issuance of exploits a big issue.

The exploits are written by Alexandr Polyakov (sh2kerr). The first is a DoS / PoC - which is an Oracle 10gR1 XDB.XDB_PITRIG_PKG.PITRIG_TRUNCATE buffer overflow that causes the database to crash. This is similar to the exploit I talked about in a post titled "Exploit code to crash an Oracle database posted" back in November 2007.

Then Alexandr posted three local exploits. These are:

Oracle 10g R1 xdb.xdb_pitrig_pkg PLSQL Injection (change sys password)
Oracle 10g R1 pitrig_truncate PLSQL Injection (get users hash)
Oracle 10g R1 pitrig_drop PLSQL Injection (get users hash)

A new version of woraauthbf - The Oracle password cracker is released

Today Laszlo has released a new version of his Oracle password cracker woraauthbf. The latest version includes a number of new features and also some bug fixes. The version 0.21 features and fixes taken straight from the release.txt file are:

Main errors

* It calculated the possible number of passwords in the bf mode as
26^6 instead of 26+26^2+26^3 ... etc. It checked less than the
possible number of passwords.

* There was a problem in the bin to hex conversion function. It
caused problems with certain hashes and affected the authentication
functions. It did not affect the hash function.

* There were some problems in the concurrent data access in the
authentication functions. It was found when more than three threads
were running.


* Test the user names and permutations of the user names as password
* If there is a default.txt it loads and checks it as the list of default
passwords. The included default.txt was generated from the site

The binary version of woraauthbf is available here for Windows and the source code of woraauthbf is available here.