Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

2 new exploits for Oracle

Alex let me know that his exploits that I talked about the other day were not based on the Bunker Perl exploits talked about here previously as Alex found these bugs originally. As it happens Bunker has released two new Oracle exploits based on two of the ones Alex released. He has released these on the MilW0rm site. The two exploits are:

Remote Oracle KUPM$MCP.MAIN exploit (10g)


Remote Oracle KUPM$MCP.MAIN exploit (10g)

Again they are both in Perl!

Cesar Cerrudo shows how to find more than 5 local 0-days in Oracle

Cesar Cerrudo spoke at the recent Blackhat Federal conference in Washington with a paper titled "Practical 10 Minute Security Audit: The Oracle Case" which describes how to soend 10 minutes and a few free tools to find at least 5 local 0-days in Oracle. These tools are Process Explorer, WinObj from SysInternals and pipaclTools from bindview. Cesar also includes a white paper of the same name and also an Oracle exploit. The paper is not bad, the bugs are all local so exploiting them would be limited to those with local access and as I said the other day they are all related to NULL DACL issues which David spoke about on the Oracle-L list last year and also in his recent book.

The value in the presentation though is the fact that free tools can be still used to find security bugs in Oracle (and indeed in any software), this indicates that the battle is not over by any means for Oracle, they may be on top of the SQL Injection to some extent but they need to make headway on the core issues in the software. I wonder if Fortify finds these types of issues?

Site downtime

Appologies to anyone trying to access my site over the last couple of days. I have had some downtime yesterday and also this evening (UK time) as my site is hosted by UkLinux on a dedicated server in the Manchester University data center/ Due to the recent changes at the data center most servers have had to make a move, mine included. I hope that the downtime is now over smile

4 new Oracle exploits released

Alex has added 4 new exploits to the exploits section of his website. These are for bugs that have been fixed in recent CPU's. The exploits are:

"SQL Injection via Oracle KUPV$FT in Oracle 10g R1" - This is an interesting exploit based on the Bunker exploit on the same function. The interesting thing is the IDS evasion technique used to translate the calls into meaningless text using the translate function. It can be used to gain DBA privileges

"SQL Injection via Oracle KUPM$MCP in Oracle 10g R1" - Similar to the exploit above but without the IDS evasion techniques

"SQL Injection via Oracle KUPW$WORKER in Oracle 10g R1 - again similar to the first exploit and again based on the bunker exploit and also showing again the IDS evasion techniques.

"Local Privilege Escalation in Oracle 10g R2" - This exloit can be used to gain DBA privileges locally on a Windows box. This is Cesar Cerrudo's recent exploit, the C code is based on the NULL DACL issues that David Litchfield revealed on the Oracle-L list and also in his recent book.

Interesting post on previous values in datafiles

I saw Paul's post today on his blog titled "dbf records previous state of each row" which shows that a simple table with a set of simple update statements retains the previous values of data so that a history of the previous values of the data can be seen in the data file. Whilst this is interesting and may prove useful in some circumstances i would suspect like Gary Myers who commented that its unlikely to be universally useful due to to the fact that Paul's example is too simplistic is right. The way Oracle adds rows to a datablock is from the end of the block up, the row headers are increased downwards. If an update cannot fit in the origianl space its added in a new row in the block. This presumably also marks the row for reuse. I would guess as a table is filled and hence blocks filled then the space in the blocks will be re-used. This is logical otherwise an Oracle database would need to be sized to include all data ever added to it without reusing any space for records deleted or updated. That said I can see that recent values in some circumstances could be read but it is unlikely to be consistent. A real database does not have tables with single columns residing in empty blocks. I would like to see a more comprehensive and realistic example Paul.

Oracle forensics, UKOUG and blog troubles

I made a note to post a link to Paul Wrights Oracle Forensics blog the other day as i saw a useful post that reminds us that 10gR2 allows the standard database audit trail, the one normally written to SYS.AUD$ can be written directly by the database to syslog. Paul's post is titled "Central SYSLOG host for Oracle" This is a very useful addition to 10gR2 as it means that the audit trail can be written to a secure source in real time. This is often a legal requirement in large organisations. 11g will have 24 core database audit settings enabled by default around login, user, role and system privilege use. These audit events should not happen in a normal system on a regular basis so there should be no performance impact and 11g should be much faster in the audit area anyway according to recent posts by people testing it.

Lisa Dobson contacted me a few days ago to ask if I would speak at the upcoming Northern Server Technology Day, on April 24th, this year its going to be in Leeds, last year I spoke at the same event in Manchester. Not sure what my subject will be yet, I will post here when I have it confirmed, it will be Oracle security related of course.

Finally I have not posted for a week nearly here because I have had blog trouble. I also spend some of my spare time working on the GreyMatter weblog software that i use for this weblog and my other weblogs. We released a new version, 1.7.2, of Greymatter and I almost immediatly found that there was a crash when trying to rebuild the blog. I have spent most of the last weeks evenings restoring back to 1.7.1 and testing to find the issue. This prevented me from posting here until it was fixed. sad, its fixed now so back to posting and also to writing the RSS/ Atom feed code for Greymatter.

Nice paper on BBED in French

I found a nice paper in French on the BBED tool a few weeks ago and made a note of the URL to report it here. The paper is called "Gestion interne des blocs Oracle grâce à BBED" by Mohammed Bouayoun. If you know some French then you can read it direct, because the paper is about a tool that runs in English a lot of it is readable anyway, otherwise use Google to translate it.

More Oracle exploits

Andrea Purificato has a site called RawLAB that is quite useful. It has a good list of Oracle exploits written in Perl. These include the following exploits written to use cursor injection:

and those that use traditional PL/SQL injection:

Plus a couple of tools, the first to execute remote OS commands - and a tool to extract Oracle password hashes -

nice site!

Researcher charts new, more dangerous Oracle attack

Researcher charts new, more dangerous Oracle attack - The flaw could increase the dangers for unpatched systems -

"February 27, 2007 (Computerworld) -- In a paper he plans to discuss Wednesday at the Black Hat DC 2007 conference, noted database security researcher David Litchfield is expected to outline a new attack method against Oracle databases that boosts the danger to unpatched systems.

Litchfield, the managing director of U.K.-based NGSSoftware (Next Generation Security Software), has found a way to exploit Oracle vulnerabilities without requiring system privileges. The new tactic, which he spelled out in "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defences (download PDF), increases the threat risk of many Oracle-disclosed bugs."

New attack technique puts Oracle in crosshairs

New attack technique puts Oracle in crosshairs - by Joris Evers

"A new attack technique increases the risk of commonly found bugs in Oracle's database software, a security researcher has warned.

It was previously thought that an attacker needed high-level privileges on the database to exploit so-called PL SQL injection vulnerabilities. With a new attack technique, that's no longer true, David Litchfield, a database security expert with NGS Software, said on Thursday at the Black Hat DC event in Arlington, Virginia."

Oracle exploits available

I saw from an email from Ivan today that there is an exploit on Milw0rm today for Oracle. The exploit is a Perl script that exploits the dbms_export_extension bug using the cursor injection technique that David has talked about recently. The script is written by Andrea "bunker" Purificato. Enjoy!

New and Improved Oracle Exploits Coming at Black Hat

"New and Improved Oracle Exploits Coming at Black Hat" - by Lisa Vaas,

"Oracle's slated to be the whipping boy in two Oracle-specific Black Hat briefings and will be among the clump of databases faulted in one general database communication protocol weakness briefing. Expect at least one zero-day exploit and an entirely new class of attack technique, all with Oracle in their crosshairs.

Oracle's up for being a whipping-boy at Black Hat 2007 Washington, Feb. 28-March 1, with two briefings dedicated to Oracle security and/or insecurity."

Sorry I got Lisa's request for comment late on BH and also Davids paper but this is because our son has not been well for the last week and a half - he is getting better now. Lisa commented that I thought David's hack was cool but the detail of why was not reflected well in my post. The bit I thought was cool was the fact that you can pre-compile any valid cursor as any user who has only CREATE SESSION and then inject this precompiled cursor into a vulnerable PL/SQL package/function, i.e. taking advantage of cursor snarfing / injection / dangling issues. This makes previously minor SQL Injection bugs found much more useful to a hacker.

I have not seen the presentations from Cesar and David but as far as I know Cesar was talking about using simple free tools such as sysinternals process explorer to find bugs in software such as Oracle and I beleive he was highlighting the NULL DACL issue discussed in David's new book and also in the Oracle-L list previously - I am not sure if this was the intended 0-day or not, if it was then its not totally 0-day.