Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle forensics in a nutshell

I just came across this short paper by Paul titled "Oracle forensics in a nutshell" and thought it worth a link here. The paper is quite short but covers, a definition of forensics, process methodology, core technical tasks and techniques used, main sources of evidence and legal contexts. As is usual for Paul, there are lots of links and references to follow. Worth a read.

I am speaking at the Northern Server Technology day tomorrow 24th April

I will be at the Northern Server Technology Day in Leeds tomorrow 24th April speaking about Oracle security. My paper is titled "Hacking and securing Oracle" and is quite a detailed talk for one hour about Oracle security and covering, what is the issue? - why is your data at risk, some evidence, where you can find out more info, where you can get free tools and more; I then go over quite a number of exploits in 9iR2 and 10gR2 and show how Oracle can be hacked in a number of different ways. I finish off with a discussion on how to use some of the tools and also some details on how you may start to go about securing your Oracle database.

Come along and say hello if you are in the area!

NGS have released an analysis for the April CPU 2007

David has released a detailed analysis of the April 2007 CPU. This page is titled "Database Security Brief: The Oracle critical patch update for April 2007". this is a noce short summary of the issues and complements the coverage made by Alex on his site. David has covered a lot of the database bugs but the first paragraph is of the most interest for two reasons. First David points out that quite a few of the fixes are for very old bugs, one cited was reported in 2002 for instance. He feels that this indicates that Oracle have turned the corner and are finally clearing the backlog. The second point is that David indicates that he, Mark and Paul have reported a further 39 bugs, that is just NGS. Other researchers are obviously also concentrating on Oracle bugs and vulnerabilities. Also there was the announcement from Oracle that the CPU's for some platforms/products are not going be quarterly releases any more. I think the overall impression is that Oracle beleive that they have turned the corner and are clearing the backlog, that said the researchers are doubling their efforts to overturn that, lets see what happens!!

Analysis of April 2007 CPU

Alex has added a page to his site analysing the April 2007 CPU. This page is titled "Details Oracle Critical Patch Update April 2007 - V1.05". This gives an overview of what has been fixed and also summaries information from a number of sources. As usual, access to a "before" patch PL/SQL source and "after" PL/SQL source with the information describing which packages are involved should enable location of the actual bug (of course only where the bug is PL/SQL based).

Alex has also released five advisories:

"Bypass Logon Trigger [DB05] (fixed in CPUApr2007)" - which talks about an issue whereby it is possible to bypass database logon triggers and if these are used to enfore security then that security is broken.

"SQL Injection in DBMS_UPGRADE_INTERNAL [DB07] (fixed in CPUApr2007)" - This package contains SQL injection bugs

"SQL Injection in DBMS_AQADM_SYS [DB04] (fixed in CPUApr2007)" - This package contains SQL injection bugs

"XSS in Oracle Secure Enterprise Search [SES01] (fixed in CPUApr2007)" - A cross site scripting bug in Oracle secure search. An exploit is included

"Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01] (fixed in CPUApr2007)" - It is possible to send TNS stop commands via the discoverer servlet

Analysis: Automated Code Scanners: False Sense of Security?

Analysis: Automated Code Scanners: False Sense of Security?

"Remember when attackers were just out for fame and glory, and application security was someone else's problem? Big targets like Microsoft and Oracle drew the fire. All enterprise IT had to do was apply patches regularly and keep a properly configured firewall.

Those days are gone. Cracking corporate networks is no longer a kid's game, it's a lucrative criminal growth industry. The attackers who stole 45.6 million credit- and debit-card numbers from TJX Companies were professional enough to remain undetected for at least 10 months. Meanwhile, major software vendors, including Microsoft, have improved their security practices, which puts niche and in-house-developed software and Web applications squarely in the bad guys' sights."


Quite a nice paper

Oracle Updates Leave Critical Windows Flaw

Oracle Updates Leave Critical Windows Flaw - By Robert McMillan

"Some Oracle customers using the Windows operating system will have to wait another two weeks to receive a critical software update to their database software, thanks to a glitch that came up in testing the company's latest patches.

On Tuesday, Oracle unveiled its quarterly release of software patches, fixing not only database flaws, but also bugs in a host of other applications. In total, the patches fix 36 vulnerabilities, 13 of which relate directly to the database."


This story is interesting for two reasons, it first points out that one of the most severe bugs has no fix available for Windows customers and secondly that Oracle have announced a scale back in the number of CPU patches for some server and middleware products from the July CPU.

Oracle Critical Patch Update April 2007 is out

The latest in the line of Oracle's Critical Patch Updates, CPU April 2007 is out. The advisory from Oracle is titled "Oracle Critical Patch Update - April 2007" and includes 13 database fixes, one enterprise manager and one workflow cartridge bug. a total of 16 database product related bugs. Two of the database bugs can be remotely exploited without authentication. Two of the database patches affect client only installations as well. There are 5 Application server fixes, one workflow cartridge and one ultra-search fix. Two of these can be remotely exploited without authentication. There is one collaboration suite fix and one workflow again, neither of these can be remotely exploited without authentication. There are 11 E-Business Suite fixes, again two of which can be exploited remotely without authentication. There is also the workflow bug fix again. Enterprise Manager has one fix. There are three PeopleSoft fixes and one JD Edwards fix.

This is a mixed bag, again the patch is critical and needs to be applied quickly because of the remotely exploitable bugs and also because of the recent tendancies for exploits to become quickly available on the net. The numbers are smaller than the last patches but are still excessive in terms of raw security fixes. Have Oracle turned the corner in terms of reducing the numbrs of security bugs? - not sure, it would seem that the numbers are reducing but the recent number of papers on Oracle security and forensics, re;eases of exploits would suggest a renewed effort on the part of researchers to push Oracle further by being more creative in terms of finding security bugs in its products. Let's wait and see if the trend keeps falling in terms of fixes in July.

103 free security apps for Mac, Windows and Linux

Someone emailed me a link to this post and I thought it useful to point to it as many people do run Oracle on Windows and Linux, less on Mac. The post is titled "103 free security apps for Mac, Windows and Linux"

"How many times have you downloaded an app that could supposedly solve all of your computer problems absolutely free of cost? Now ask yourself how many times that app actually did what it was supposed to, or better yet how many times that app was actually free? More often than not your answer is going to be zero.

Unfortunately for all of us, most software providers use gimmicks to sucker consumers in to purchasing their enterprise security apps: Sure, they'll keep your computer virus free for 30 days, but after that you'll need a subscription. Otherwise they'll just scan your registry for bugs but won't fix them for you. Frankly, we're tired of that."

Milw0rm - Oracle exploits

I just wanted to give Milw0rm a shout. I have linked to the site a few times recently as a number of Oracle exploits have been revealed there. This is a good site to watch out for, especially as there is a new CPU, the April 2007 CPU out today. The search facility, if you enter "oracle" lists 25 exploits, a few old ones but mostly current and 2 papers.

A new Oracle Security Apprentice?

I have not been posting much in the last few weeks as we have been busy in the last few weeks of pregnancy and at last after a long labour our second son was born at 10:28 yesterday, 3.9 kilo's and 52 centimeters in height, he and my wife are doing well. Now all that needs to be done is to start to teach him about Oracle..:-)

Oracle Assessment Toolkit

David has released an Oracle Assessment Toolkit on his website. This is a set of tools compiled into binaries that also include the C source code. The real gem is the fact that David has included a C source TNS library. The whole OAK zip is beta so dont expect everything to be perfect and complete, david has said he will complete it, let give him chance.

The kit includes a tool to get oracle versions (this can be seen in the OHH as well for explanations), a tool to enumerate users in a database without authenticating. A password brute force tool, a tool to retrieve the SID's from the listener, a tool to guess SID's and an example of the Jan 2006 CPU DB18 AUTH_ALTER_SESSION hack.

Worth downloading and also keeping an eye on for fixes and updates.

3 new papers on Oracle forensics

David Litchfieldhas released three new papers on Oracle forensics. These are:

Oracle Forensics Part 1: Dissecting the redo logs

This paper includes quite a detailed analysis of the redo log binary file structures and a C program to calculate the block checksums, a C program to decode redo block timestamps, a C program to dump an insert entry plus detailed analysis of the dumps

Oracle Forensics Part 2:Locating Dropped Objects

This paper discusses how fragments of evidence can remain in place after a database object has been dropped.

Oracle Forensics Part 3: Isolating Evidence of Attacks Against the authentication mechanism

Quite an interesting paper that discusses how to spot attempts to brute force database sids, user enumeration attacks, password guessing attacks, spotting brute force attempts against SYS, spotting attempts to abuse the imperva bug (DB18 - Jan 2006 CPU) and attempts to log into the XML DB.

David spotted a gotcha in using database audit to audit connections, he saw that the logoff overwrote the LOGON action in SYS.AUD$ in 8i and 9i. This is not an issue as you can get the logon time from the timestamp column of dba_audit_session and the logoff time is recorded in the logoff_time column. the data is not lost. See "Introduction to Simple Oracle Auditing" a paper i wrote for Security Focus in 2003. An example is here:


SQL> select count(*) from sys.aud$;

COUNT(*)
----------
1

SQL> audit create session by access;

Audit succeeded.

SQL> connect scott/tiger
Connected.
SQL> connect system/manager
Connected.
SQL> select count(*) from sys.aud$
2 ;

COUNT(*)
----------
3

SQL> select username,terminal,action_name,to_char(timestamp,'DDMMYYY:HHMISS') ti
mestamp,to_char(logoff_time,'DDMMYYYY:HHMISS') logoff,returncode
2 from dba_audit_session;

USERNAME
------------------------------
TERMINAL
--------------------------------------------------------------------------------

ACTION_NAME TIMESTAMP LOGOFF RETURNCODE
--------------------------- -------------- --------------- ----------
SCOTT
PETERFIN
LOGOFF 0404007:090339 04042007:090348 0

SYSTEM
PETERFIN
LOGON 0404007:090349 0

USERNAME
------------------------------
TERMINAL
--------------------------------------------------------------------------------

ACTION_NAME TIMESTAMP LOGOFF RETURNCODE
--------------------------- -------------- --------------- ----------


SQL>

Argeniss have released a simple Oracle root kit

Argeniss have, as part of the download from Cesar Cerrudo's recent Blackhat presentation released a simple Oracle rootkit. The code can be downloaded from here. This rootkit as i said is quite simple and includes an installer, a backdoor, some Java code to read and write the file system and a mechanism to run export from within the database and to transfer the data out of the database over a network port. The code also includes a clean up script. Its a long way from a complete kit that would hide a malicious user properly and would clean up after anything but its a start.

Bunker has released a 0-day Oracle exploit

I saw today via Alex, Milw0rm and Bugtraq that Andrea "bunker" Purificato has released a new exploit in DBMS_AQ.ENQUEUE for 10gR1, version 10.1.0.3.0. The [0-day] Remote Oracle DBMS_AQ.ENQUEUE exploit (10g) is written in Perl and the example uses a payload of granting ALL PRIVILEGES and DBA to the supplied Oracle user account. I am a bit confused at the 0-day title as the post also includes a reference to the patch for the Jan CPU 2007 - CVE-2007-0268.