
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Alex has added an Oracle exploits page to his site

I got an email from Alex the other day to let me know that he has added an Oracle exploits page to his site. The page is Oracle Exploits / Exploit and seems to be changing regularly. When I took a look a couple of days ago the page had less content than now. So it is a good idea to bookmark it and keep coming back for a look in case new details have been added. Alex starts the page with a brief overview of the products that have exploits available for them and then goes on to say:

"This is not illegal or dangerous. If your database or application server is hardened, all the exploits mentioned here are WITHOUT any effect."

This is good advice; just because Alex has links to these exploits does not mean that they would not be available if he did not have links. The problem is that exploit code, whether easy or hard to find, is already available for a lot of Oracle bugs. This means that if you do not patch then you are potentially in trouble.

Alex also adds:

"This page does not contain 0day exploits.

All exploit code on this website is already out there, e.g. in newsgroups, on websites (like bugtraq). Hackers and script kiddies are using such code every day."


And interestingly Alex says he will release a paper about how to search Metalink for exploit code examples. This should be worth seeing!

The page then has links to Listener Exploits, Oracle 8i Exploits, Oracle 9i Exploits, Oracle 10g Exploits and Oracle Application Server Exploits.

Each of these links takes you to a page that lists links to exploit code for various bugs. For instance the 10g exploits link has the following listed:

OS command injection in DBMS_SCHEDULER - [Become DBA]

SQL Injection vulnerability in DBMS_METADATA - [Become DBA]

SQL Injection vulnerability in DBMS_CDC_SUBSCRIBE / DBMS_CDC_ISUBSCRIBE - [Become DBA]
Denial of service vulnerability in Oracle Intermedia [Denial of Service]

This page finishes with some links to other sites that do contain Oracle exploit code. This page should be worth keeping an eye on. If you keep patch sets up to date you should not have an issue with these Oracle exploit codes.

SmartDB Upgrades Oracle Migration Tool

I just came across a news post titled "SmartDB Upgrades Oracle Migration Tool" that discusses the fact that SmartDB Corp has released version 10 of its workbench for integrators to do Oracle migrations and updates. The tool also allows data to be cleansed.

This post interested me first because it was about automated migrations and I have worked on many migrations in the past, using shell scripts, awk, sed, C programs and Pro*C programs. I have worked on migrations of data from legacy systems and also of applications from one version to another, but mainly I worked on defining, designing, cleaning, moving and testing data. This is quite an interesting area of work. But the second reason I was interested by this news post was because of this quote from Scott Conway :-

"Previously, you had an open interface and direct access to the database. But the latest version of Oracle, 11.5.10, adds a database API loader." The API loader makes it easier to address security issues in data-transfer operations, but, he said, it makes it harder to control the quality of the data.

This is an interesting issue. The article is talking about Oracle Applications but the issue applies to all legacy systems and migrations of their data. The data that is being migrated, whether it's still in the legacy system, in the new Oracle database, somewhere in between or indeed being reported on, is still production data and needs to be secured with as much effort as when it is in the Oracle database itself. Remember when securing Oracle that data is not static; it finds itself appearing in many locations. Take time to understand your data and then how to secure it.

Mark has a post about Oracle's talks to buy Siebel

I saw Mark's post this evening, Oracle In Talks To Buy Siebel, Reports ZDNet (And Other Oracle News), with quotes from 4 news sources about Oracle in talks to buy Siebel, Oracle's websphere and more, SAP seals Microsoft deal to fight Oracle and why Microsoft should buy Siebel.

I won't repeat the links, Mark's post has them already. These posts, whilst not security related, make interesting reading for anyone interested in securing Oracle's database and applications. Oracle's portfolio got bigger recently with its purchase of PeopleSoft, and it could get even bigger and more complex. As new alliances happen, current customers will end up with new products from Oracle or from its purchases. These products will eventually need to be considered as part of an Oracle set-up in security terms.

There is a security problem with Critical Patch Update April 2005 and alert #65

I just got an email from Alex to let me know he had received an email from Oracle about a security problem with the latest scheduled patch set, CPU April 2005, for the database server versions 9.2.0.5 and 9.2.0.6. This looks like a standard email to all Oracle customers. I have not received one yet but I guess that I will as I am also an Oracle customer.

The email states that the CPU April 2005 patch set for 9.2.0.5 and 9.2.0.6 for the database server has been reported to cause the fixes for alert #65 to be incomplete.

The email goes on to say that if customers have already applied the patch for alert #65 first then no action is required, if not alert #65 needs to be applied. It can be applied either before or after CPU April 2005 (Don't you wish for a better naming convention?). If alert #65 is already applied then there will be a conflict shown.

So why is this? - I guess it is because CPU April 2005 is supposed to be a cumulative patch for all previous fixes so it looks like CPU April 2005 did not include some of the alert #65 fixes.

If you have applied CPU April 2005 and not alert #65 then you will be vulnerable so take notice of these details.

Critical Patch Update - April 2005 has not been updated since April 13 so does not yet reflect this information. Also Alert 65, Security Vulnerability in Oracle9i Application and Database Servers has not been updated yet either.

Tim Gorman has updated his excellent fileprobe.sh script

I just got an email from Tim to let me know that he has updated his excellent fileprobe.sh script. I have a link to this script and also Tim's other Oracle security shell scripts on my Oracle security tools page which I have just updated to note this change or you can get them on Tim's site.

This script is used to audit operating system files related to the Oracle installation for security issues. It is a shell script and therefore supports Unix / Linux operating systems. It is also a Korn Shell script, so if you are on Linux and do not have KSH installed then either install it or use bash instead. You are on your own to run it under bash but it should either work or have simple issues to fix (I have not tried it myself with bash). The script reports any issues found and also generates a shell script that can be used to fix the issues. As Tim states in the file header:

"# IT IS CRUCIAL THAT THE GENERATED SCRIPT BE CONSIDERED
# ONLY AS A REPORT OF SUGGESTIONS, AND THAT IT BE REVIEWED
# CAREFULLY BEFORE BEING CONSIDERED FOR USE.
#
# All commands in the script are commented out for this reason.
# To actually use the generated shell script, you must first
# edit it to "uncomment" the generated commands, thereby
# taking full responsibility for their use."


Tim has made a few alterations to this script - rather than paraphrase them I will quote the section from the header :

"# Modifications:
# 15apr05 TGorman - added exceptions on SETUID and SETGID checks for
# "$ORACLE_HOME/bin/oracle", "$ORACLE_HOME/bin/dbsnmp",
# and "$ORACLE_HOME/dbs/orapw$ORACLE_SID" files,
# because these files are supposed to have these
# permissions...
# - added exceptions on "owner" and "group" checks for
# "lost+found" directories, which are supposed to be
# owned by "root", not the Oracle software owner...
# - added more disclaimers against running the generated
# shell script without carefully reviewing and
# understanding what the generated commands are intended
# for...
# 27apr05 TGorman - added restriction on check for files/dirs not
# belonging to "dba" group to check only files
# belonging to "oracle" user; intent is to prevent
# unnecessary double-reporting...
# - added more-graceful error handling when SQL*Plus
# errors are encountered (such as Oracle instance
# not running)...
# - added additional check for files and directories
# that are not writable by the Oracle software owner,
# thus potentially causing problems during patching..."


This is an excellent script and if you have been making use of it previously, I suggest that you go on over to Tim's site and download the updated version.
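The following is an added example of my own, not Tim's fileprobe.sh, showing the shape of the checks described above in a small POSIX shell script: SETUID/SETGID files other than the three expected ones, world-writable and non-owner-writable files, ownership and group with lost+found skipped, and a generated fix script whose commands are all commented out. It assumes ORACLE_HOME and ORACLE_SID are set; ORA_OWNER and ORA_GROUP are hypothetical variable names defaulting to oracle and dba.

```shell
#!/bin/sh
# Added example (not Tim Gorman's fileprobe.sh): a minimal audit of an Oracle software
# tree. Findings go to stdout as "CHECK path"; the fix script it writes contains only
# commented-out commands, so nothing is changed without a human reviewing each line.
# Assumptions: ORACLE_HOME and ORACLE_SID are set; ORA_OWNER / ORA_GROUP are
# hypothetical variables naming the software owner and group (default oracle / dba).

ORA_OWNER="${ORA_OWNER:-oracle}"
ORA_GROUP="${ORA_GROUP:-dba}"

# The files that are supposed to carry SETUID/SETGID bits (the 15apr05 exceptions).
is_setid_exception() {
    case "$1" in
        "$ORACLE_HOME/bin/oracle"|"$ORACLE_HOME/bin/dbsnmp"|"$ORACLE_HOME/dbs/orapw$ORACLE_SID") return 0 ;;
        *) return 1 ;;
    esac
}

# audit_tree ROOT: print one finding per line.
audit_tree() {
    root="$1"
    # SETUID/SETGID files outside the exception list
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        is_setid_exception "$f" || printf 'SETID %s\n' "$f"
    done
    # World-writable files and directories
    find "$root" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/WORLDWRITE /'
    # Not writable by the owner: this is what causes trouble during patching
    find "$root" \( -type f -o -type d \) ! -perm -0200 -print | sed 's/^/NOTOWNERWRITE /'
    # Owner check, skipping lost+found, which is supposed to belong to root
    find "$root" -name 'lost+found' -prune -o ! -user "$ORA_OWNER" -print | sed 's/^/OWNER /'
    # Group check only for files already owned by the software owner (avoids double-reporting)
    find "$root" -name 'lost+found' -prune -o -user "$ORA_OWNER" ! -group "$ORA_GROUP" -print | sed 's/^/GROUP /'
}

# write_fix_script FINDINGS OUT: turn findings into commented-out suggestions.
write_fix_script() {
    {
        echo '#!/bin/sh'
        echo '# Generated SUGGESTIONS only. Review every line and uncomment it yourself.'
        while IFS=' ' read -r check path; do
            case "$check" in
                SETID)         printf '# chmod u-s,g-s "%s"\n' "$path" ;;
                WORLDWRITE)    printf '# chmod o-w "%s"\n' "$path" ;;
                NOTOWNERWRITE) printf '# chmod u+w "%s"\n' "$path" ;;
                OWNER)         printf '# chown "%s" "%s"\n' "$ORA_OWNER" "$path" ;;
                GROUP)         printf '# chgrp "%s" "%s"\n' "$ORA_GROUP" "$path" ;;
            esac
        done < "$1"
    } > "$2"
}

# Stand-alone use:
#   ORACLE_HOME=/u01/app/oracle/product/10.2 ORACLE_SID=ORCL sh ora_fileprobe_demo.sh --run
if [ "${1:-}" = "--run" ]; then
    [ -n "$ORACLE_HOME" ] || { echo "ORACLE_HOME is not set" >&2; exit 1; }
    audit_tree "$ORACLE_HOME" > fileprobe_findings.txt
    write_fix_script fileprobe_findings.txt fileprobe_fix.sh
    cat fileprobe_findings.txt
    echo "Suggestions written (commented out) to fileprobe_fix.sh"
fi
```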

Direct dictionary access again

I read Tom Kyte's blog post from a couple of days ago titled "Messed up big time" about his own version of direct dictionary editing. Tom edited the repository of his own AskTom system and managed to blow it up. I posted the other day (Tom talks about direct dictionary editing) about this subject of direct dictionary editing as an issue not just for developers and DBAs to avoid - the consequences are obvious. I also talked about it because hackers do not care about the rules that should be followed or about the consequences to your support contract; they may hack the dictionary to gain privileges or to hide their actions.

When I saw Tom's post I thought about it, and the problem of editing the dictionary directly is not just a problem of Oracle's dictionary but also a problem of any piece of software that includes its own dictionary/repository/configuration. If a general user or developer or DBA is allowed to access and hack your own applications' repositories (include third party apps in this) then just as much havoc can ensue. But importantly, the same hackers who may want to gain privileges in the database or hide actions or alter the functionality may do the same to your applications for the same reasons.

To this end ensure that no user has access to hack repositories, ensure audit is in place, and ensure recoverability if they do manage to hack it. But also ensure that there are checks in place to confirm the integrity of your own repositories. A similar method to that used in repscan can be employed: that is, checksum the source code of the API and programs used to access the repository. Deciding how to protect your own repositories will be dependent on their design, structure and use, but combinations of controlling access, audit and checksumming can be used.

Ed also talked about Tom and direct dictionary editing

I was browsing Orablogs and noticed Ed Stangler's post about Tom and direct dictionary editing so I took a look. The post is titled "Why You Don't Update The Dictionary". The post is quite short and mentions Tom's blog entry and also talks briefly about an incident that Ed witnessed himself on the same subject. The interesting part for me was the link to one of Tom's comments about a "war story", so I went and took a look.

This has nothing directly to do with security but it got me thinking about how information is often leaked via newsgroup, forum or mailing list posts. I mean detailed information about such things as internal IP addresses, hostnames, server names, database service names, usernames .... the list goes on. I talked about the same issue here in the past in a post titled "An interesting example of information leakage posted to my blog entry". I was then thinking about how the same issue can occur during presentations, user group meetings and similar. The leakage may not this time occur due to postings on the Net but could occur due to word of mouth. Imagine a group of techies all gathered together because their employers all use the same software. They discuss bugs, issues, war stories and the like. I can think of examples where very detailed exchanges have occurred and data that should not go outside the company is passed freely, albeit verbally, around a group of techies. These friendly situations should not be used to disclose data and details that you would not disclose in mailing lists etc. If your company has a policy for not posting these sorts of information on newsgroups or mailing lists etc, then ensure it is extended to situations such as user group meetings and face-to-face gatherings.

Alex has a new paper on Yahoo hacking and Oracle

I noticed the other day that Alex has a new paper on his site titled "Yahoo Hacking of Oracle Technologies". This is a paper in a similar vein to the Google hacking paper Alex already has on his white papers page. This paper is described on Alex's site as :-

"Read how easy it is to find Oracle technology on the web with Yahoo. This document contains several Yahoo-Searchstrings for Oracle products like iSQLPlus, Oracle HTTP Server, Forms, Reports, Webconferencing, ..."

This paper is basically a quick reference guide to relevant search strings that can be used to find vulnerable sites for lots of possible Oracle products and Oracle based URLs such as admin pages, iSQL*Plus ...

As with the previous Google paper this paper is marked as being not static. If you are interested in the search engine hacking trend, have a look at this new paper.

Mark has made an update post on his SOX compliance

I just saw Mark Coleman's new post on his weblog about updates to his SOX and Oracle compliance post - "Oracle and SOX compliance". The new post is titled "Oracle and SOX compliance - update" and covers some good ground. Mark makes a comment about my Oracle default password checker and Oracle default password list.

The interesting part for me of this new post is Mark's description of what he has done to improve the security of his developers accessing the database directly with the APPS password. This is Oracle Applications 10.7.

This is an interesting post and worth a look.

Mark Coleman talks about Oracle and SOX compliance

I was browsing orablogs last night and saw Mark Coleman's post to his blog titled "Oracle and SOX compliance". As it is Oracle and security related I took a good look. Mark describes how he has been working towards getting his databases SOX compliant, and he gives a good list of things he has done towards this.

Mark goes on to mention Patrik Karlsson's excellent new Oracle security tool oscanner. I also have a link to Patrik's tool on my Oracle security tools page and also his other Oracle tools. Patrik's site is worth checking out for all the other security tools on there.

This was an interesting post.

Alex has added days to fix to his Oracle security advisories

I just got an interesting email from Alex to say that he has added the number of days it took Oracle to fix each of the bugs he has Published Security Alerts for.

The note at the top of the page states:

"Oracle is really slow in fixing security issues. For our security issues it takes 356 days until Oracle provided a fix for the reported issues. Many issues were fixed without informing their customers"

This figure of 356 days I think refers to either those advisories with no specific number of days to fix or it could be an average (Alex?)

The worst figure quoted by Alex is 656 days for the bug "Buffer Overflow in Create Database Link in Oracle8i - 9i". This is not really on! Why should it take almost 2 years to fix a bug in any software, especially a security bug.

Finally on Alex's "Upcoming Security Alerts" page there are no figures of days to fix, as they are not fixed yet but it does not need too much math skill to see that there are quite a few reported in 2003, the earliest July 2003.

Oracle has made great advances with their advisories content. I hope that they will improve on the number of days to fix security bugs as well.

A new paper on Oracle database passwords

I just noticed that Alex Kornbrust has released a new paper on his site titled "Fact sheet about Oracle database passwords".

This is an interesting short paper. It talks about the designer of the algorithm and also where it can be found and some details of its implementation. It then goes on to talk about the location of the passwords, how to change a password, default password lists, Oracle password policies, brute force attack timings and also where clear text passwords can be found.

Alex Kornbrust has today released 3 new Oracle security advisories

I just saw on Alex's site this evening that he has written and released three new Oracle security advisories today (26-Apr-2005). These are as follows:

"Webcache Client Requests bypasses OHS mod_access Restrictions" - This bug advises that it is possible to access protected URLs by using webcache. There is a workaround to add "UseWebCacheIP ON" to the httpd.conf file. Alex also informs us that Oracle fixed the issue by adding the UseWebcacheIP parameter to the Oracle HTTP Server but, more importantly, there was no advisory released by Oracle to tell customers of the fix. It is not clear which version / patch fixed the issue.

"Append file vulnerability in Oracle Webcache 9i" - Alex advises us that it is possible to corrupt any Oracle Application Server installation file by adding garbage to the file such as httpd.conf. Alex provides an example URL. Again Alex tells us that this issue was fixed by Oracle (no version / patch information as to when it was fixed) without informing him or its customers.

"Cross Site Scripting in Oracle Webcache 9i" - Alex tells us that there are many parameters that are vulnerable to XSS/CSS attacks and that by combining with the previous bug it is possible to corrupt any Oracle Application Server installation. Alex gives us three example URLs that could be used. Again Oracle have fixed the issue, no version/patch indication is given and again Alex says he was not informed and neither were customers.

Anyone using Oracle's application server and webcache in particular should make themselves aware of these issues.

Tom talks about direct dictionary editing

I was reading Tom's blog entry for yesterday last night titled "The Birth of Asktom" and it got me thinking about some of the security aspects of what he had written. As you may have guessed the blog entry discusses the events that led to Tom creating his AskTom website; one of these was a tip in an edition of oramag that suggested that it was OK to update the data dictionary directly to rename a column in an 8i version. 9i introduced the rename column command. Tom was obviously not impressed with this.

I have also seen posts on newsgroups from time to time that suggest updating the dictionary directly. This is a bad idea. But the reason I was interested in Tom's post is that I have seen it done for nefarious reasons, not just to get around the lack of a feature. I know that Alex Kornbrust's company has released a tool (repscan) that detects just this kind of activity, i.e. direct editing of the data dictionary. If you cannot guarantee the integrity of the data dictionary then you are in trouble.

View privileges

I saw an interesting thread on the Oracle-l mailing list this evening that I thought I would point at here. The thread is titled "view privilege" and the original poster asks why, when an "owner" creates a view, he must have explicit privileges granted on all the objects referenced in the view and cannot have had them granted via a role. He asks what the logic is in this design implementation. Paul Drake comes back with some great insights (as usual), such as

Roles, if granted, may or may not be enabled in a user session at runtime.
Roles may have had their sys_privs changed between compile time and runtime


and he follows with a comment

Sounds to me like roles leave holes (for privilege escalation).

Tom then follows with some comments about Oracle being a bit lazy in relation to not checking privileges enabled at run time and preferring to do it at compile time. He also points out that Oracle are consistent.

This is an interesting if quite common subject and question that is posted time and again on mailing lists and newsgroups either related to views or to other PL/SQL code. There is often confusion with this in views and people often write views and wonder why there is a problem when they have been granted access already via a role. I was particularly interested in the thread mainly for Paul's comments though, I thought they summed up the issues very well.

reading redo logs - The hard way

I was looking at the web this evening for a paper for some research and ended up at www.oracletuning.com from a google search string. As it happens the site was not of any use in my research this evening but whilst there I noticed a paper I had read a long time ago. The paper is Dissassembling the Oracle Redolog. It is a little dated now as it was published on 26 September 2000 and was written by Graham Thornton. This is a great paper that gives some great detailed information on how to dump a redo log to trace and also how to interpret it and to look for specific events in the log file. With the advent of the LogMiner this laborious method is out-dated but this paper is still valuable. Using tools such as DBMS_LOGMNR is a great way to read the redo stream and find events but knowing how it works is insightful. I like internals and hard to find info and had forgotten about this paper; it was a joy to re-find it and have a read of it again.

Frank has a good post about security vulnerability reporting

I saw Frank's post about vulnerability reporting last week and made a note to read it when I had a chance. That chance came this evening. Frank's post is titled "General security: Security Vulnerability reporting". This post by Frank is very interesting and is based around an article "Security Vendor Pushes the Limits of Ethical Exploit Reporting" written on DevX.com about a company called HexView.

As Frank says this paper is about HexView's policy of disclosing a vulnerability (an MS Access issue in this case) 24 hours after it was reported to the vendor. Frank goes on to give some great insights based on the recent OWASP conference in London that he attended, particularly a keynote on terrorism he heard there. Frank talks in detail about the risks involved in reporting vulnerabilities, writing about them in public forums, writing further about exploits and explaining how they work.

There are some great insights and thoughts in this post. Read it!

Some updated links on my Oracle security papers page

Thanks to Tom for emailing me and letting me know that I have some dead links on my Oracle security white papers page. He pointed out that some papers referenced on govt.oracle.com and osi.oracle.com are no longer valid but all of the papers are still available on asktom.oracle.com. I have updated the affected papers' links and reposted the Oracle security papers page. The papers affected are:

Fine Grained Access Control

Autonomous Transactions

How to become another user in SQL*Plus

How to generate random numbers in PL/SQL

How to store a password

These are all quite interesting papers and well worth a second visit even if you have previously read them.

A free version control e-book

I was browsing orablogs and saw a post by Tugdual Grall titled "Free Subversion Online Book". I always have my interest piqued by anything free, especially books or technical stuff. Version Control with Subversion is an O'Reilly book and is dedicated to this new software that is designed to replace CVS.

Version control is an important part of any software development project; it can also find great use in managing an Oracle database. All configuration files and database and application build scripts for instance should be in a version control system in my opinion. If you do not use version control for your databases you should consider it. A free book like this and free software to match are a great way to get started.

Tom Kyte has started a blog

I was browsing the net tonight and found, in an un-related search, that Tom Kyte, famous for his Ask Tom site, has started a weblog. This looks like it will be good reading; there are four entries already and all are quite interesting insights into the world of Tom Kyte. It is good to see Tom not just talking technical but also giving some background thoughts as well. Whilst there are no security specific posts yet, I am sure there will be at some point. Even if there are not it is well worth reading Tom to learn something new about Oracle. Tom's blog is here.

Frank has a good review of a secure coding book

I just saw Frank Nimphius's post to his blog "General Security: Secure Coding - Principles and Practices (book recommendation)" discussing the book Secure Coding by Mark G. Graff & Kenneth R. van Wyk. As Frank points out the book is quite old (2003) but it is quite timeless as it includes few code examples. I have not read the book myself but I will take Frank's recommendation on this one and look out for it. It sounds interesting from Frank's review of it.

More insights to CPU 12 April and public exploit code

Alex has just emailed me to say that he has updated his paper "Comments on Oracle Critical Patch Update April 2005" to include clarifications of the patch pre-requisites. He has also added links to Application Security Inc's advisories and, more importantly, he has included three examples of exploits from Esteban Martínez Fayó's site.

These include an exploit to grant DBA to SCOTT by PL/SQL Injecting DBMS_METADATA. This can be found at http://www.argeniss.com/research/OraDBMS_METADATAExploit.txt. Also another exploit to grant DBA to SCOTT via the DBMS_CDC_SUBSCRIBE also by PL/SQL Injecting the package. This can be found at http://www.argeniss.com/research/OraDBMS_CDC_SUBSCRIBEExploit.txt and finally sample Denial of Service attacks via Intermedia which can be found at http://www.argeniss.com/research/OraIntermediaExploit.txt.

If you had not planned to apply this patch set quickly, you had better do so now!

Esteban Martínez Fayó releases his security advisories for CPU 12 April

Esteban Martínez Fayó just emailed me to let me know that he has released advisories for the bugs he found in Oracle that were patched with the CPU 12 April patch set. His bugs were found for Application Security Inc. Esteban has found five bugs; these can be found on Application Security Inc's Oracle Security Alerts page. The bugs are Denial of Service in Oracle interMedia, Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages, Multiple SQL Injection vulnerabilities in DBMS_METADATA package, SQL Injection in ALTER_MANUALLOG_CHANGE_SOURCE procedure and SQL Injection in CREATE_SCN_CHANGE_SET procedure.

These advisories are worth reading as they give quite a lot more detail than Oracle's own advisory.

Making Oracle Forms more secure

I made a post yesterday "Frank has a fix for Forms 10.1.2 for the SQL Injection issue" about Frank's post to fix Oracle Forms 10.1.2. I left open the window with Frank's post in it and when I came to clean up this evening and close down some windows I noticed the link in Frank's post to Duncan Mills' post "Making Forms Applications More Secure..." so I went to take a look at Duncan's post. This post was made on 5th July 2004, so quite some time ago. Basically Duncan had found the same issue that Alex talks about in his paper (I guess) but he did not give away the details. Quite an interesting post from Duncan!

Jared Still has a new paper on protecting passwords

Jared Still, the author with Andy Duncan of the book "Perl for Oracle DBAs" has just written a paper called "Protect Your Passwords" that is hosted on OraFaq.

The intro for the paper says

"Jared explains how Oracle manages passwords and how "thinking like a hacker" can help you to better protect your databases from potential password theft."

This is good advice for anyone interested in security of their Oracle databases and also something I like to write about and emphasise to people. In this paper Jared talks about password verification functions and their use in enforcing stronger passwords. He also looks at how a password function can be used to steal passwords as users change them. We both came up with this same idea independently quite a while ago. I talked about it in the SANS 6 day hands on Securing Oracle track and some time ago Jared emailed me with the same good idea so when he asked me to review his finished paper I was keen to review it.

This is a very good paper and worth reading.

Interesting analysis of CPU 12 April - "To patch or not to patch"

Alex just emailed me to let me know that he has just released a new paper on his company's web site. This paper is dated 17 April 2005 and is titled "Comments on Oracle Critical Patch Update April 2005".

This is a very interesting analysis of the latest patch fix from Oracle. As Alex said to me "The CPU April 2005 is better than alert 68 but there is still room for improvement.". I have to agree with Alex; Oracle could have provided information like that provided by Alex in this paper. He has analysed the bugs per major version and gives a simple table for DBAs to help decide on whether the patch set should be applied. This is a simple table based on whether the DBA is using certain features or not. So according to Alex, for 8.1.7 if you do not use Oracle Internet Directory then you do not need to patch. Alex has done the same for 9iR2 and 10g.

The paper is also significant for a few other reasons which can be summarised as follows:

1. Most DBAs may not need to install patches.

2. Some of the patches are for security issues from 2002/2003.

3. A wrong description in DB10. XMLDB has nothing to do with HTTPS.

4. Additional information on the Oracle HTTP Server security bugs is provided.

The significant thing for me is that out of 24 database server bugs 13 are Oracle HTTP Server (aka Apache) and the oldest of these Apache bugs dates from 2002!! - considering that Alex has about 40 bugs listed on his site that are not yet fixed and Esteban Fayó has over 65. I hope that the next scheduled patch set from Oracle includes fixes for most of these bugs and not a bunch of old Apache bugs (these are still needed of course, but much quicker).

This is an excellent analysis of CPU 12 April and should be read by every DBA. Also I hope that Oracle take note of some of the ideas raised in it and enhance their own future advisories in the same way to aid DBAs who need to deal with these patches.

Frank has a fix for Forms 10.1.2 for the SQL Injection issue

I posted here last week about the recent paper released by Alex Kornbrust talking about a default installation issue with Oracle forms and SQL Injection. I also mentioned the same issue in my post "CPU April 12 - 2005 is released". The problem is that in a default Forms installation there exists a little known pop up query window that allows the possibility of SQL Injection attacks.

Frank Nimphius has posted an entry to his blog titled "Forms: Upcoming change in the default settings of Oracle Forms 10.1.2 to enforce secure Forms application deployment" that talks about a fix for this issue in Oracle Forms 10.1.2. Frank says the fix is in response to my post about Alex's paper and because of Oracle's commitment to more secure default installations of its products.

Frank also gives a fix for current users and discusses what to do for those users who genuinely need the query window.

Take a good look at Frank's post if you are a Forms user or implementer and use the advice given.

Amis blog talks about recompiling objects

I saw an interesting post on the Amis blog a few days ago and made a note to take a look at it. The entry, written by Raymond, is titled "Recompiling invalid objects". The post talks about how Raymond had seen someone trying to recompile objects the hard way, i.e. many times over, because each pass failed on dependencies that were not yet satisfied.

This is a good post as it discusses three ways to recompile objects in an Oracle database: the utlrp.sql script, the DBMS_UTILITY.COMPILE_SCHEMA procedure and Raymond's own home-grown code that works out the dependencies first before calling DBMS_DDL.ALTER_COMPILE.

The comments to this post are also interesting, as a poster points out that the home-grown solution cannot be used for re-compiling views because DBMS_DDL.ALTER_COMPILE does not support views (it only handles PL/SQL units and triggers). A second commenter points out that utlrp.sql is much better nowadays as it calls utlrcmp.sql, which works out the dependencies.

So what has this got to do with security? Firstly, I like thorough posts and articles, and this short piece covers the subject of re-compiling invalid objects well. Secondly, invalid objects are worth understanding if you are investigating any suspicious activity in your database: if someone has been tampering with objects, then objects that depend on them can become invalid. It is often a good idea to monitor the timestamps in DBA_OBJECTS (CREATED and LAST_DDL_TIME) to understand which objects have changed, been re-compiled or been added. If objects are invalid (and this is not normal for your applications) then it is good to understand why, and which dependencies are involved. Reading the scripts supplied by Oracle to re-compile objects is educational, and the script given by Raymond is also useful.
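The queries below are an added example, not from Raymond's post and not from this blog's own audit scripts. They show the DBA_OBJECTS and DBA_DEPENDENCIES checks to run when an unexpected invalid object turns up: which objects are invalid, what they depend on and when that was last touched, and everything changed in a window. They assume a DBA connection on 9i or later (ANSI join syntax); the seven-day window and the exclusion of SYS and SYSTEM are arbitrary choices for illustration.

```sql
-- 1. Invalid objects in application schemas, oldest change first. If your
--    applications normally have none, every row here needs an explanation.
--    (SYS and SYSTEM are excluded only to keep the list short; include them
--    when checking the dictionary itself.)
SELECT owner, object_type, object_name, status, created, last_ddl_time
FROM   dba_objects
WHERE  status <> 'VALID'
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY last_ddl_time;

-- 2. What each invalid object depends on, with the time the referenced object
--    was last touched. An invalid package sitting on a table altered during
--    last night's release is routine; one sitting on a SYS package or view
--    that changed at an odd hour is the sort of thing to chase.
SELECT d.owner, d.name, d.type,
       d.referenced_owner, d.referenced_name, d.referenced_type,
       r.last_ddl_time AS referenced_last_ddl
FROM   dba_dependencies d
       JOIN dba_objects o
         ON  o.owner       = d.owner
         AND o.object_name = d.name
         AND o.object_type = d.type
       LEFT JOIN dba_objects r
         ON  r.owner       = d.referenced_owner
         AND r.object_name = d.referenced_name
         AND r.object_type = d.referenced_type
WHERE  o.status <> 'VALID'
ORDER  BY r.last_ddl_time DESC NULLS LAST, d.owner, d.name;

-- 3. Everything created, altered, recompiled or re-granted in the last week.
--    CREATED stays fixed for the life of an object; LAST_DDL_TIME moves on
--    ALTER ... COMPILE and also on GRANT/REVOKE against the object. So a row
--    with CREATED = LAST_DDL_TIME is brand new, while one with a recent
--    LAST_DDL_TIME and an old CREATED has been changed, recompiled or had its
--    privileges changed; the audit trail or a source comparison tells which.
SELECT owner, object_type, object_name, status, created, last_ddl_time
FROM   dba_objects
WHERE  last_ddl_time > SYSDATE - 7
ORDER  BY last_ddl_time DESC;
```

The third query is the one to schedule and diff against the previous run; the first two are for the investigation once it shows something you did not expect.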

Another interesting Oracle-l thread on Oracle security auditing

I also saw another interesting thread on the Oracle-L list titled "Security audit of Oracle databases". The poster asks if anyone can give advice for her friend who was having their Oracle database audited by a third party company. She wanted advice on open source software for checking an Oracle database.

The thread has some good discussion and points being made. I penned a few paragraphs to answer the thread and found that I couldn't post to the list. I have been a member for a long time but recently had email troubles so had to re-subscribe. I now see that to post to the list you need to ask Steve, the list owner, to grant you posting privileges. Anyway the answer I posted there is a bit late now, so here it is again:

"Hi Paula,

There are a number of good checklists out there. The first is the CIS
Oracle benchmark that was closely based on the SANS Oracle security
step-by-step guide book. The CIS benchmark and the scoring tool are
free. There is also a good checklist on the SANS website called the
S.C.O.R.E. document. This is also closely based on the SANS Oracle
security SBS. It is in fact an edited version of the appendix of the
book. There are also a couple of Oracle 9i checklists written by Oracle.

Tools wise there is the CIS benchmark mentioned above, Patrik Karlsson's
tools SIDS, OScanner and OAT, the Integrigy listener check tool,
Metacoretex, Nessus, my audit scripts, Geoff Ingram's perl script, Tim
Gorman's scripts and a few others.

For the checklists you can find links on my Oracle security white papers
page http://www.petefinnigan.com/orasec.htm - see the checklists section
- and for links to the free tools see my Oracle security tools page -
http://www.petefinnigan.com/tools.htm - Also you might want to run the
default password check scripts that are available on my site. These
include passwords for about 600 default users -
http://www.petefinnigan.com/default/default_password_checker.htm
"

An interesting thread on Oracle-l about BBED

I was looking at the Oracle-L mailing list yesterday and saw an interesting thread about BBED, the Oracle block editing tool. The thread index is "How can I get the BBED password?". The poster asked how to find the password for this tool. No one actually gave out the password as it is supposed to be secret and the tool is only to be used by trained Oracle support staff. There were a number of posters who said the tools password can be found easily. I will not propagate the "how" here. I guessed the password at my first attempt when I first tried the tool a few years ago.

The thread was interesting for me for a number of reasons. First, BBED is an essentially undocumented tool, and I like undocumented tools and information. The thread also has some great posts about block structure. Oracle blocks are documented in a lot of places but not fully anywhere outside of Oracle (I assume?). One poster said that very few people fully understand blocks and BBED, and indeed there are only a small handful of them. The poster also said that some of the people who do know how to edit blocks tend to use their own tools rather than BBED as it is archaic, and that they sometimes need to consult the source code to understand and set certain block flags.

One interesting point made by someone was that if the BBED password were public and people cause damage with this tool Oracle could remove it from future releases.

This is another issue that interested me. I saw the potential for damage with BBED a few years ago as it could be used not just for fixing corrupt blocks but also for "fixing" blocks for hacking purposes. I raised this as a security issue with Oracle but it is not clear as to the extent of Oracle's actions on this one.

Another CPU April 12 news item from eweek

I just found another news item covering the latest of Oracle's scheduled patch sets. This was released on April 12. The news article is on eweek and is written by Michael Myser and is titled "Oracle Patches Database Vulnerabilities". This is not a bad appraisal of the latest patch release. There are some interesting comments that databases are now becoming more relevant to attackers and criminals alike and so interest in database security is growing. There are some good comments from Ted Julian of Application Security Inc in the article.

CPU 12 April researchers advisories

I saw NGS Software's advisory tonight for the vulnerabilities that they found and that were fixed as part of the CPU of April 12. The NGS Software advisory is pretty basic (i.e. it doesn't give much away!). It states just the versions affected and that details of the bugs found will be held back for three months. This is pretty much standard from NGS now. Integrigy do not seem to have an advisory for Stephen Kost's bugs on their site yet. I also could not find an advisory from Esteban Martínez Fayó, who is also credited in Oracle's advisory. If anyone knows of links to these missing advisories please let me know.

CIS Oracle benchmark has been updated

The Center for Internet Security produced a benchmark document for Oracle some time back that covered 8i and 9i. This was based closely on the SANS Oracle Security Step-by-Step guide. The benchmark also included a scoring tool for Windows, Linux and Solaris.

The CIS Oracle benchmark has just been updated quite a lot. The 8i material has been relegated to the original document, which is now at version 1.2; the benchmark scoring tool has been updated to the same level. CIS has also produced a new document for 9i and 10g, versioned at 2.0. The introduction of the 9i/10g document states that it is based on research conducted as part of the 10g program, OTN and various books; it would have been nice to see a list of references, since quite a lot of items are still clearly derived from the earlier document. The split can confuse: some items in the 8i document are also still in the 9i/10g document, so do not assume that an issue can be ignored just because it appears in the 8i paper, as it can still be relevant in 9i/10g. The 10g scoring tool is due in June 2005 according to the website. The Oracle security benchmarks can be downloaded from the CIS site.

These are both good documents though. I have not had time to read them yet to see what changes have been made since version 1.1. I will read through them both and make further comments here.

InternetNews.com has a news item about CPU 2

I was emailed yesterday, before the patch release, by Michael Singer who asked if I had any comments on the latest patch release. At the time, before its release, I could only note that Alex had just put out a paper on SQL Injection in Oracle Forms and that I assumed a fix would be included in the patch release. This proved not to be the case. I also mentioned the issue of researchers having large lists of bugs that have not been fixed. Michael included these points in his news item "Oracle Security Updates Include PeopleSoft Fixes". Michael also notes that PeopleSoft fixes are included in this patch set. Michael's news item is worth reading for his comments on this latest patch set.

SearchSecurity.com talks about the Oracle CPU April 12 patch release

I was contacted by Shawna McAlearney yesterday for some comments on the latest Oracle scheduled patch release. Shawna is the news editor for SearchSecurity.com and she released a news item yesterday about Oracle's latest scheduled security patch release. This news item is titled "Oracle releases patches, but not for many known flaws". Shawna details the range of fixes and quotes an Oracle spokesperson. She then talks about the fact that Alex and Esteban have lists on their sites of over 100 unfixed Oracle security bugs, some of which were reported over 1.5 years ago. She also discusses Alex's paper detailing an Oracle Forms SQL Injection issue.

Oracle ships patches seeded with message digest data

Alex emailed me to point me at a page on Metalink titled "Patches Downloaded from MetaLink will be Seeded with Message Digest Data: March 12, 2005".

This is an interesting change to Oracle's patch distribution system: since March 12 all patches are seeded with digest data. This means that a patch altered in transit, or on whatever intermediate server it was staged on, can be detected before it is applied, provided the digest you compare against was obtained separately from the file itself (from the Metalink page over HTTPS, for example); a digest that travels with a tampered file proves nothing. Oracle does not supply tools to verify the digest, but most OSs include such tools (md5sum, sha1sum or openssl dgst, depending on the algorithm used) and there are many that can be downloaded.

This is a very interesting change to the patch release mechanism. Of course the question must be asked: has alteration of patches been a problem, or is this a belt and braces job from Oracle? Either way, we should commend Oracle for including this type of integrity check in the patch release mechanism. It is a sign that Oracle does take security seriously on a few levels.

CPU April 12 - 2005 is released

Oracle has just released the advisory and patch set for the second quarterly scheduled patch fix. This advisory is called "Critical Patch Update - April 2005" and is available from Oracle's security alerts page.

This advisory follows the more detailed information trend started with alert 68 and Critical Patch Update - January 2005 and includes detailed information for each bug (no details on how to exploit, and no example code) and a risk matrix for each bug. This is good information.

There are a few comments worth making though. The first is that there are quite a lot of fixes aimed at the Oracle HTTP server, the email server and calendar. This means that customers who use these components should be wary of their security posture and should patch quickly.

The second observation is that this advisory and patch set includes fixes for PeopleSoft software; an interesting addition after the recent purchase.

Also the number of people credited with finding bugs this time is low, just three: David Litchfield, Stephen Kost and Esteban Martínez Fayó. It is interesting that Alex is not mentioned, considering he has just released a paper on a default installation SQL Injection issue in Oracle Forms that was delayed until this CPU, presumably because a fix was expected.

It is also interesting that Alex has a list of 40 Oracle bugs that are not fixed yet, some reported in 2003! Esteban Martínez Fayó also said in a recent paper, "Advanced SQL Injection in Oracle databases", that over 65 PL/SQL and SQL buffer overflows had been reported and not fixed yet.

Oracle have made great strides forward in the amount of information released with their patches and advisories; let's hope they can now clear this apparent backlog of security fixes.

Debu has an interesting pointer to an Oracle security paper

I was browsing orablogs and noticed a post by Debu Panda to his blog titled "Prevention is better than cure!" that mostly talks about flu and having a flu jab being the prevention. Debu relates this to Oracle security and talks about the fact that most developers take security as an after thought. He then points us at a paper called "Database Security: Beyond the Password" written by George Jucan. The paper talks about how a database can be made more secure even if an attacker or malicious or curious employee manages to get in via a compromised password. This is the classic least privilege principle. George gives some examples using Row Level Security. He also goes on to talk about encryption and manipulation of encrypted data. He even talks about wrapping PL/SQL and also about auditing.

The paper is not bad, but I am concerned about the sentence "It is a good idea to create a separate schema, such as Sec_Manager, without any privileges, not even CONNECT", which seems to indicate that the author is used to simply granting the CONNECT role rather than the system privilege CREATE SESSION to allow a user to access the database. He goes on to say later that "Even if an intruder with the DBA privilege were to grant the CONNECT privilege to the security objects holder" in order for the intruder to connect as the security package owner and then read the contents of the security authentication packages (these were wrapped to prevent this). This indicates a lack of detailed knowledge, as again he assumes that CONNECT is a privilege rather than a role and that it is necessary in order to access the database. He also says that an intruder with DBA would grant CONNECT to the security schema owner so that it can be connected as. This would be unnecessary in order to view package contents, as they are available to any DBA via DBA_SOURCE without ever logging in as the owner (and wrapping only obscures the text that comes back; it does not restrict who can select it). Maybe the author is limited by trying to get the point across, but it does seem like a better explanation of roles and privileges, and of who can read package source, is needed.
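The difference between the CONNECT role and the CREATE SESSION privilege, and why wrapping does not stop a DBA reading the source, can be shown with a few statements. This is an added example and not code from George Jucan's paper: the schema SEC_MANAGER, the package SEC_AUTH and the role APP_ROLE are stand-ins, the password is a placeholder, and it assumes a DBA connection on 9i/10g.

```sql
-- CONNECT is a role, not a privilege, and on 8i/9i/10gR1 it carries far more
-- than the ability to log in (CREATE TABLE, CREATE VIEW, CREATE DATABASE LINK
-- and more). 10gR2 cut it down to CREATE SESSION alone, so never assume:
-- look at what it contains on the database in front of you.
SELECT privilege
FROM   role_sys_privs
WHERE  role = 'CONNECT'
ORDER  BY privilege;

-- A least-privilege owner for the security packages (hypothetical schema).
-- No CONNECT, no CREATE SESSION, and the account is locked as well, so nobody
-- can log in as it; the objects it owns are still executable by grantees
-- because definer's-rights code runs with the owner's privileges, not the
-- owner's session.
CREATE USER sec_manager IDENTIFIED BY "placeholder_change_me"   -- placeholder
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users
  ACCOUNT LOCK;

-- A DBA (holding CREATE ANY PROCEDURE) creates the code in that schema.
-- SEC_AUTH is a stand-in for the authentication package in the article.
CREATE OR REPLACE PACKAGE sec_manager.sec_auth AS
  FUNCTION check_user(p_name IN VARCHAR2, p_secret IN VARCHAR2) RETURN BOOLEAN;
END sec_auth;
/
CREATE OR REPLACE PACKAGE BODY sec_manager.sec_auth AS
  FUNCTION check_user(p_name IN VARCHAR2, p_secret IN VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    -- stand-in logic only; a real check would compare against a stored hash
    RETURN p_name IS NOT NULL AND p_secret IS NOT NULL;
  END check_user;
END sec_auth;
/
CREATE ROLE app_role;                                 -- hypothetical role
GRANT EXECUTE ON sec_manager.sec_auth TO app_role;

-- Can anyone log in as SEC_MANAGER? Both queries should return no rows.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'SEC_MANAGER' AND privilege = 'CREATE SESSION';

SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee = 'SEC_MANAGER' AND granted_role = 'CONNECT';

-- The point about wrapping: anyone who can select from DBA_SOURCE (every DBA)
-- reads the package text without ever connecting as its owner. If the body
-- had been wrapped, what comes back is the wrapped text: wrap hides the logic
-- from the casual reader but neither grants nor denies access to the rows.
SELECT line, text
FROM   dba_source
WHERE  owner = 'SEC_MANAGER'
AND    name  = 'SEC_AUTH'
AND    type  = 'PACKAGE BODY'
ORDER  BY line;
```

Note that a locked account with no CREATE SESSION is a better default than "no CONNECT": an intruder with DBA can of course unlock it and grant whatever is needed, but the last query shows that for reading source they do not have to, so the defence the article leans on is not one at all.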

CPU - April 12 is coming?

I have been keeping a watch on Oracle's security alert page this afternoon waiting for Oracle's new patch update to be released. The page has stated most of the day that the patch and its advisory would be released at 12:00 PM PDT, but it has now changed to say it will be released at 2:00 PM PDT.....

Frank talks about the OWASP security conference

I saw this afternoon Frank Nimphius's post on Orablogs titled "General Security: About the OWASP European Security Conference 2005" and made a note to take a look. Frank gives us an overview of the Open Web Application Security Project (OWASP) European conference, held at Royal Holloway, University of London last weekend. Frank gives a good account of the main aspects of the conference. This is an excellent post by Frank and some great security news and advice.

Alex Kornbrust has released a new paper "SQL Injection in Oracle Forms"

I just got an email from Alex to let me know that he has just released a new paper called "SQL Injection in Oracle Forms" that talks about a SQL Injection issue that is inherent in all default installations of Oracle Forms. This is because it is possible to simply pop up a "Query/Where" window that allows the user to enter any SQL statement. Alex demonstrates how this can be used to send results of a query to an external website using UTL_HTTP. Alex also talks about simple fixes to rectify the problem.

The paper is also available in German.

This issue should be fixed in CPU April 12 due very soon!

O'Reilly CodeZoo

I saw Andrej Koelewijn's post on his blog titled "Oreilly CodeZoo" a few days ago and made a note to take a look. This is a great site for anyone who codes in Java, it lists freely available components for many different development areas such as database, scientific, system interfaces, web and of course security. The security page lists a good selection of components that you can download. This page and the others will of course be added to as time goes on.

An interesting post by Mark

I was browsing Orablogs this evening and saw an interesting post by Mark Rittman titled "Tom Kyte : "In Search Of The Truth"", mostly quoting from a post by Tom on his site titled "In Search of the Truth - Or Correlation Is Not The Same As Causation". I have skimmed through Tom's post and mostly it is about the ongoing discussion between him, Don, Mike and Jonathan.

I was particularly taken by Mark's post though, as he has pulled some great sections from Tom's post that give good advice to anyone looking at Oracle and wanting to state some fact about it. Proof and testing is a great leveller (not always, as the circumstances of the test case can matter) in understanding something and in giving advice on it. These sentiments apply to any technical subject, and especially to Oracle security. If you think something is insecure in the configuration of your database then test the scenario and prove the case to be insecure. I try to use example code whenever necessary in my writings, as an example should always show the case to be true or not and aid understanding.

Read Mark's post and Tom's, as they give good advice to anyone wanting to test a theory (the original posts by Tom et al are mostly to do with tuning, but the sentiments are valid in any endeavour).

Alex Kornbrust has a new paper on google hacking and Oracle

Alex just emailed me to let me know that he has added a new paper to his site about Google hacking. This paper is titled "Google hacking of Oracle technologies V1.02". Alex states that this is not a static document and people should check back for updates. It is inspired by Johnny Long's talk at Blackhat Amsterdam 2005.

This paper is basically a large collection of search strings specifically related to Oracle products. It is a good addition to Aaron Newman's paper "Search engines used to attack databases" and Johnny Long's database of search strings. Alex's list is, of course, Oracle related.

SearchOracle has an excellent Oracle security links page

I was browsing and found an excellent page of links and information for Oracle security aficionados. This page dated at the end of 2004 is called "Learning guide: Oracle security" and lists a large amount of links and information about Oracle security. It covers things like, basics, general information on Oracle security, usernames and passwords, restricting access, authentication, securing the listener, encryption, RLS, OID and third party tools.

This is an excellent page and well worth a look.

Amis Blog talks about writable external tables

I saw a very interesting post on the Amis blog this evening by Peter Kok titled "Updateable External Tables". The post starts by setting out the limitation of external tables (that they are read only) and then goes on to show how they can be made updatable for inserts, updates and deletes. Peter presents this as an example of how to get around the limitation and says that the technique should not be used in a production situation. He also tells us not to confuse updatable external tables with the writable external tables that became possible in 10g; Howard Rogers covers those in his paper "Writeable External Tables". The 10g feature works through the ORACLE_DATAPUMP access driver, which unloads query results to a file that can then be read as an external table.

Peter goes on to give some great examples of how to implement updatable external tables via a VIEW and an instead of trigger and some PL/SQL code. The functionality is in the PL/SQL package and this can be downloaded in a zip file.

This article provides some interesting examples and ideas and is well worth reading. It can also be surmised that the same techniques would work for altering configuration files or any other Oracle file that can be reached through an external table. That is one more reason to audit directory objects, existing external tables and anyone with the system privileges to create either.
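An added example (not from Peter Kok's post, and not one of this blog's scripts) of the audit that last sentence calls for: three queries that list every directory object with its OS path and grantees, every external table with the directory and file it reads, and the direct grants of the system privileges that let someone create more of either. It assumes a DBA connection on 9i or later.

```sql
-- 1. Every directory object, the OS path it exposes and who holds READ or
--    WRITE on it. Directory objects are always owned by SYS, and grants on
--    them are recorded in DBA_TAB_PRIVS under the directory name. Any path
--    inside $ORACLE_HOME or the database file locations deserves a question.
SELECT d.owner, d.directory_name, d.directory_path,
       p.grantee, p.privilege, p.grantable
FROM   dba_directories d
       LEFT JOIN dba_tab_privs p
         ON  p.owner      = d.owner
         AND p.table_name = d.directory_name
ORDER  BY d.directory_name, p.grantee;

-- 2. Every external table and the file(s) it points at. ACCESS_TYPE is CLOB
--    for the access parameters, so a separate SELECT of ACCESS_PARAMETERS is
--    needed if you want to see the LOAD WHEN / preprocessor clauses as well.
SELECT t.owner, t.table_name, t.type_name,
       t.default_directory_name,
       l.directory_name, l.location
FROM   dba_external_tables t
       LEFT JOIN dba_external_locations l
         ON  l.owner      = t.owner
         AND l.table_name = t.table_name
ORDER  BY t.owner, t.table_name;

-- 3. Who can create directories or tables in other schemas. CREATE ANY
--    DIRECTORY is effectively file-system access as the oracle OS user;
--    CREATE TABLE (or CREATE ANY TABLE) plus READ on a directory is enough
--    to declare an external table over any file in that directory.
--    This shows direct grants only; grants via roles need the hierarchy
--    walked, which is what who_has_priv.sql does.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY',
                     'CREATE ANY TABLE')
ORDER  BY privilege, grantee;
```

Run the first query periodically and diff the output; a new directory object pointing at a path you did not create is one of the simplest indicators that someone is preparing to read or write files through the database.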

Pete's audit scripts updated

I have just made a small update to all of my audit scripts that are available on my Oracle security tools page. Norman Dunbar emailed me to let me know that I needed to add "whenever sqlerror continue" at the end of my scripts to prevent any subsequent error from killing the SQL*Plus session. So I have added this line to the end of each of the scripts: find_all_privs.sql, who_can_access.sql, who_has_priv.sql, who_has_role.sql and check_parameter.sql. I have also corrected a small spelling mistake in the check_parameter.sql output.

These scripts can be used to audit which roles and privileges a user has, which users and roles can access an object, which users and roles have a particular role and also the users and roles that have a particular system privilege. check_parameter.sql can also list the details of any initialisation parameter.

All scripts can print the results to a file or to the screen. Also each report is hierarchical, so that roles granted to roles etc are displayed.

These scripts have been very popular in terms of download, so if you are using them and find them useful you may want to get the updated versions.

Alex Kornbrusts repscan tested and added to oracle security tools page

I talked about Alex's recent Oracle rootkit presentation here in my blog yesterday, and also about his company's new tool repscan, which can be used to check that a database has not been altered. It does this by generating a baseline of checksum values for each dictionary object. This baseline needs to be generated offline to ensure its security, i.e. so that it cannot be tampered with and so that the database used for the baseline can be guaranteed to be clean.

You can download a trial version of repscan from Alex's site and test it. Before you can run it some configuration is needed first, see repscan.txt for instructions. The databases.xml file and exec.xml file need to be configured. Then run generate.cmd from the command line to generate a baseline. This is held in \signatures. Then run check.cmd to test if the dictionary objects have been changed in anyway. A sample run is here:

C:\petefinnigan.com\blog\repscan>generate
Generating signatures
Signature files location: signatures\
Error messages will be in: errors\gen_errors.txt
Repscan 1.01
Latest version of Repscan is available from

C:\petefinnigan.com\blog\repscan>check
Checking databases
Report file: scanreport.xml
Error messages will be in: errors\chk_errors.txt
Repscan 1.01
Latest version of Repscan is available from

The report is saved as scanreport.xml and can be viewed in a browser. I won't show mine here.

I have updated my Oracle security tools page to include details of repscan.

identity theft and database security

I was browsing The Register website and saw an interesting post there by Thomas C Greene titled "ID theft is inescapable". This news item talks about the increase in identity theft disclosures from major companies, with March seeing an explosion in cases. Thomas makes a big point of the fact that none of the reported cases involved online transactions. The main problem is that in the US merchants can sell information about you that is held in their databases, captured during transactions and so on. The problem is that data, critical data, is being leaked from databases. Some of the cases involve good old dumpster diving and other manual techniques, but some involve the insecurity of the data in the database. This is an interesting news story and one that should prompt owners of companies, security admins, DBAs and anyone else involved with data held in an Oracle database to consider the security of that Oracle database.

Alex Kornbrust has presented at Blackhat Amsterdam on Oracle Rootkits

Alex Kornbrust of Red Database Security GmbH gave a presentation at Blackhat 2005 Amsterdam last Friday, April 1st. Alex talked about database rootkits, and Oracle rootkits in particular. The presentation is available in English and also in German.

This is a great presentation and is probably the first place that Oracle rootkits have been talked about publicly. Alex first talks about what a rootkit is, giving a Wikipedia definition, and then relates the OS components to their database equivalents. He then talks about how Oracle resolves names to views and code and discusses how a rootkit may be created for Oracle. He then looks at specific examples: hiding a database user created by a hacker, and hiding processes and jobs. He then talks about how PL/SQL packages may also be modified. Finally Alex talks about a new product released by his company called "repscan". Repscan is a repository integrity scanner for Oracle and can be used to check if any components of an installed Oracle database have been modified. You can download a limited trial version of repscan that will scan up to three databases.

Rootkits for Oracle are an interesting concept and will become more prevalent as database hackers become more sophisticated. A true rootkit for an Oracle database would need to be quite huge, because there are a lot of views and packages that can expose a hacker's user and processes. Creating a true rootkit would be a large task; there is also an inherent problem for the rootkit author in any DBA who reads base tables such as SYS.USER$ directly, as a user hidden by hacked views would still be visible there. It may be possible to also hide users in the dictionary base tables, but this would be far more involved to achieve. A true rootkit for Oracle would also include other parts such as log cleaners and backdoors. Alex talks about some good ideas on how a rootkit may be installed by exploiting the glogin.sql script. This is a script that SQL*Plus runs when it starts (and, from 10g, on every CONNECT). If the file can be modified by a hacker then he can wait for a DBA to execute it for him, thereby installing the rootkit (or indeed accomplishing any other hack, such as granting DBA to any other user!!).
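To make the base-table point concrete, the following is an added example (not Alex's rootkit code and not repscan) of the cross-checks a DBA can run from a SYS connection to catch the simplest view- or synonym-based rootkit: compare SYS.USER$ with DBA_USERS, look for redirected public synonyms or shadowing objects, and hash the text of a few dictionary views straight out of SYS.VIEW$ so the result can be compared with a baseline kept outside the database. The list of view names is an illustrative choice; DBMS_CRYPTO exists from 10g (on 9i use DBMS_OBFUSCATION_TOOLKIT.MD5 instead); and a baseline taken from a database that was already compromised is worthless, which is exactly why repscan generates its baseline offline.

```sql
-- 1. Users in the base table that the DBA_USERS view no longer shows.
--    SYS.USER$ holds users (TYPE# = 1) and roles (TYPE# = 0); DBA_USERS is
--    defined over USER$ WHERE TYPE# = 1, so this should return no rows.
--    Both names are schema-qualified: an unqualified DBA_USERS could resolve
--    to a same-named object planted in the connecting schema.
SELECT u.name, u.user#, u.ctime
FROM   sys.user$ u
WHERE  u.type# = 1
AND    u.name NOT IN (SELECT username FROM sys.dba_users);

-- 2. Public synonyms for key dictionary views that point somewhere other than
--    SYS, and objects elsewhere that share those names (name resolution tries
--    the current schema first, then private synonyms, then public synonyms).
SELECT synonym_name, table_owner, table_name
FROM   sys.dba_synonyms
WHERE  owner = 'PUBLIC'
AND    synonym_name IN ('DBA_USERS', 'ALL_USERS', 'DBA_JOBS',
                        'V$SESSION', 'V$PROCESS')
AND    table_owner <> 'SYS';

SELECT owner, object_name, object_type
FROM   sys.dba_objects
WHERE  object_name IN ('DBA_USERS', 'ALL_USERS', 'DBA_JOBS',
                       'V$SESSION', 'V$PROCESS')
AND    owner NOT IN ('SYS', 'PUBLIC');

-- 3. SHA-1 of the view definitions, read from SYS.VIEW$ / SYS.OBJ$ rather than
--    DBA_VIEWS so that a doctored DBA_VIEWS cannot lie about itself.
--    OBJ$.OWNER# = 0 is SYS and OBJ$.TYPE# = 4 is a view. A LONG fetched into
--    a PL/SQL VARCHAR2 is limited to 32K, which is plenty for these views.
SET SERVEROUTPUT ON
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  l_views name_list := name_list('DBA_USERS', 'ALL_USERS', 'DBA_ROLE_PRIVS',
                                 'DBA_JOBS', 'V_$SESSION');   -- illustrative
  l_text  VARCHAR2(32767);
  l_hash  RAW(20);
BEGIN
  FOR i IN 1 .. l_views.COUNT LOOP
    SELECT v.text
    INTO   l_text
    FROM   sys.view$ v, sys.obj$ o
    WHERE  o.obj#   = v.obj#
    AND    o.owner# = 0
    AND    o.type#  = 4
    AND    o.name   = l_views(i);
    l_hash := DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(l_text), DBMS_CRYPTO.HASH_SH1);
    -- store these lines where the database cannot touch them and diff later
    DBMS_OUTPUT.PUT_LINE(RPAD(l_views(i), 20) || RAWTOHEX(l_hash));
  END LOOP;
END;
/
```

None of this is proof of a clean system: a rootkit that edits the base tables, or that patches the PL/SQL doing the checking, would pass all three. It does raise the bar from "replace one view" to "modify SYS-owned base tables consistently", and the hashes give you something to compare against a copy taken from a freshly built database of the same version and patch level.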

I have also talked about Oracle rootkits in detail in the new SANS Oracle security track that debuts in San Diego from April 7th to April 12th. The link gives details of the Securing Oracle track, a course overview and the author's statement (mine), and the requirements and details for each day are included in the links on the right of the page. I will talk more about the course in a later blog entry.

New presentation on advanced SQL Injection

I just found that Esteban Martínez Fayó has made available a presentation based on the talk he gave at the G-Con III conference in Mexico City. The page is called "Advanced SQL Injection in Oracle databases" and offers a PDF of the 37 slides, which describe new ways to exploit Oracle with SQL Injection, including working examples, and also how to protect against these threats. The zip file available there includes the PDF and also a number of SQL files and a JSP file.

He covers SQL Injection attacks, exploit examples; how to get around the need for CREATE PROCEDURE, buffer overflow attacks, exploit examples, detection of attacks. Remote web based SQL Injection attacks, web application worms and how to protect against them.

The paper includes some great examples of PL/SQL injections as well as SQL injections. There is also a proof of concept exploit for getting OS Administrator privileges using MDSYS.MD2.SDO_CODE_SIZE and also a proof of concept exploit for creating a SYSDBA user. There is also a buffer overflow exploit example for 10g using the same built-in MDSYS.MD2.SDO_CODE_SIZE. The author also talks about a potential worm that could try and exploit all parameters in web pages supporting an Oracle database.

Anyone interested in Oracle SQL Injection may also want to read the two-part paper I wrote for SecurityFocus on SQL Injection in Oracle and the follow-up paper on detecting SQL Injection in Oracle. Links to all three are on my Oracle security white papers page.

This is a superb paper / presentation by Esteban Martínez Fayó and well worth reading by anyone interested in how vulnerable their database can be to SQL Injection.


A good paper about debugging XSLT

I noticed Shay Shmeltzer's blog post about XSLT debugging the other day on Orablogs and made a note to have a look. I like to look at all things Oracle security related, some general security stuff, Oracle internals and undocumented Oracle, and I am always interested in things like debuggers. Debuggers, whilst being incredibly useful for developers in the languages or environments they are aimed at, are also useful for security researchers. A debugger often reveals much more about the structure and form of a system than any normal programming, editing or application interface does. If you want to know more about an environment, a debugger is a great tool for exploring it. So when I saw Shay's post titled "XSLT Debugging" I was interested to read further.

This post leads the reader to a viewlet that shows how to debug an XSLT process with JDeveloper 10.1.3. This is a great webpage that is worth looking at as its very well created and written. It takes you at a reasonable pace through a test session. Nice paper and well worth looking at.