
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

An interesting thread on Alex's DBMS_ASSERT paper

There is an interesting thread on bugtraq about Alex's DBMS_ASSERT bypass paper where David Litchfield has suggested that it's not a generic bypass at all. Alex has countered in the thread titled "Re: Bypassing Oracle dbms_assert" and given details of 36 bugs reported to Oracle using this technique, including bug numbers.

For me I don't think the semantics of whether it's a generic bypass of DBMS_ASSERT or not matter. The fact is it's possible to bypass DBMS_ASSERT. Alex has found over 36 examples of exploits using this technique in 10.2.0.1, which he has reported to Oracle (you need access to a PL/SQL unwrapper to be able to locate these bugs easily in the 10gR2 PL/SQL built-in packages). It is a bypass technique, it works, and previously fixed bugs can still be exploited.

A new Oracle exploit revealed on the bugtraq list

I saw a post on the bugtraq mailing list that details an exploit to cause an ORA-600 using an ALTER SESSION SET EVENTS command. The hack is detailed in a post titled "Oracle 10g R2 and, probably, all previous versions". The poster shows an ALTER SESSION SET EVENTS command with a very long event string that causes an ORA-600. He says that this is not a crash, and indeed it's not really an exploit, but he hints that it's possible to create an integer overflow with other "combinations". I guess he means that a different length string will cause an overflow? There is a reply to the post where a poster found that he could not replicate the bug, but that is because the original post relies on having the ALTER SESSION privilege.

SQL Injection video

I saw a link the other week on Eddie's blog in a post about links titled "0-Day - Simple SQL Injection" which points to a video of someone doing a SQL Injection attack. This is quite an interesting video and worth watching to see how a SQL injection attack against a web site can occur. This is a good post but note that the guy never makes a keystroke error!

There was also another, more visual, video posted by Marcel-Jan on my Oracle security forum in a post titled "Example of SQL Injection". This video is more GUI-based than the first.

How to bypass the protection implemented by DBMS_ASSERT

Alex has today released a paper on how to bypass the fix that Oracle has created for a lot of the SQL Injection vulnerabilities fixed in recent CPUs. Oracle has used a package, DBMS_ASSERT, to stop SQL Injection. Alex has detailed in his paper "Bypassing Oracle DBMS_ASSERT" how to bypass this package and make a good proportion of the bugs fixed in previous CPUs exploitable again.

The interesting point in the paper is that Oracle didn't have an issue with Alex publishing this paper and revealing the issues. Why?
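The two DBMS_ASSERT posts above talk about the package without showing how it is meant to be used, so here is an added example (my own illustration, not code from Alex's paper or from Oracle's packages) of a PL/SQL procedure that builds dynamic SQL from caller input, first in the injectable form and then hardened with DBMS_ASSERT plus a bind variable. The procedure names, the parameters and the assumption that the caller passes an unqualified table name in the current schema are all made up for the illustration.

```sql
-- Added example, not from the original post. Procedure and parameter
-- names are assumptions; the caller is assumed to pass an unqualified
-- table name that lives in the current schema.

-- Vulnerable form: the table name and the predicate value are both
-- concatenated straight into the statement text, so either argument
-- can carry extra SQL that the database will happily execute.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
    p_table IN  VARCHAR2,
    p_owner IN  VARCHAR2,
    p_count OUT NUMBER)
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || p_table ||
        ' WHERE owner = ''' || p_owner || ''''
        INTO p_count;
END;
/

-- Hardened form: the identifier is checked with DBMS_ASSERT.SIMPLE_SQL_NAME
-- (raises ORA-44003 if it is not a valid simple SQL name) and then placed in
-- double quotes by DBMS_ASSERT.ENQUOTE_NAME, so it can only ever be parsed as
-- an identifier. The data value travels as a bind variable and is never part
-- of the statement text at all, which is the fix DBMS_ASSERT cannot give you
-- on its own.
CREATE OR REPLACE PROCEDURE count_rows_safe (
    p_table IN  VARCHAR2,
    p_owner IN  VARCHAR2,
    p_count OUT NUMBER)
AS
    l_table VARCHAR2(130);
BEGIN
    l_table := DBMS_ASSERT.ENQUOTE_NAME(
                   DBMS_ASSERT.SIMPLE_SQL_NAME(p_table), FALSE);
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || l_table || ' WHERE owner = :1'
        INTO p_count
        USING p_owner;
END;
/
```

Note that DBMS_ASSERT only validates identifiers; a value that belongs in a WHERE clause still has to be bound, never concatenated, which is why the hardened form uses both.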

Oracle Password Repository

Oracle Password Repository - Laurent has a good post about Jan-Marten and Jasper Spit's open source software Oracle Password Repository. This is a great tool, I have it included on my tools page and also have spoken about it a few times here previously:

Installing Oracle Password Repository (OPR) - a walk through

A new sample installation session for Oracle Password Repository (OPR) version 1.1.8

Oracle Password Repository (OPR) is updated to version 1.1.8

A security issue with OPR version 1.1.7

I have covered it many times, do a search on "site:www.petefinnigan.com OPR" on Google for details.

Blackhat Las Vegas 2006 and unwrapping PL/SQL

The two elements of the title of this post are related. I am speaking at the Blackhat USA conference 2006 in Las Vegas next week (August 1st to August 3rd) about how to unwrap PL/SQL. The schedule gives details of all the papers and there are some good ones this year. David Litchfield as usual does not announce in advance what he is speaking about, Alex is talking about 2nd generation root kits for Oracle databases, and there are a couple more database talks, SQL Injection by truncation and also a talk about how to audit without killing the system. There are lots of other great security papers that are non-Oracle-related.

My presentation is all about how PL/SQL is wrapped in 9i and lower, how the wrap mechanism works internally, and also the features and programs shipped by Oracle to allow reading of wrapped code. I will also present a simple proof of concept unwrapper - written of course in PL/SQL. I am also showing that Oracle always knew that PL/SQL could be unwrapped. The 10g mechanism is also discussed along with some ideas on how to protect your source code. A little more detail is shown in the summary on the Blackhat site.

Oracle plugs 65 security holes

Oracle plugs 65 security holes - By Joris Evers, CNET News.com

"As part of its quarterly patch cycle, Oracle on Tuesday released fixes for 65 security vulnerabilities that affect many of its products.

Many of the vulnerabilities are significant; 27 of the 65 bugs could be exploited remotely by an anonymous attacker, Darius Wiles, senior manager for security alerts at Oracle, said in an interview. Oracle has no suggested workarounds for any of the issues. Instead it is urging customers to patch their systems."


Oracle owns up to patching problems

Oracle owns up to patching problems - By Bill Brenner, SearchSecurity.com

"Database giant Oracle Corp. has faced mounting criticism of its security patching process during the last two years.

Its quarterly Critical Patch Updates (CPUs) are typically followed by reports from security researchers of flaws not being fixed as advertised. The Redwood Shores, Calif.-based vendor has also been accused of sitting on vulnerabilities that are more than a year old, and of releasing patch bulletins that are hopelessly difficult to decipher. That criticism will likely continue after the next CPU is released July 18."


This is an interesting interview by Bill Brenner with Darius Wiles and John Heimann, who are both inextricably linked to the building, testing and releasing of patches. I thought some of the answers are weak and fluffy. For instance Darius says that they sometimes do not see issues that later become apparent in fixes when they are installed on customer platforms. Why would a customer platform cause a fix to become invalid? Do Oracle not install from the same media as customers when testing? Probably not.

Also John suggests that the Oracle code is more complex than the shuttle. I would hope so; it's a huge product and the shuttle is around 25 years old, so technology has moved on apace.

There are some positive messages: the fact that Oracle is now focused on standards, training, secure coding and the use of tools such as Fortify, and also the fact that they are now talking openly to Bill, is a good sign that Oracle now recognise (publicly) that there are problems with the patch process and the pace of fix releases. I am also impressed that they are taking on board the issues around the CPU documentation and are considering releasing more details, the audiences and so on. Let's see what improves.

Nice article!

Alex has an analysis of CPU July 2006 and also advisories

Alex has released an interesting analysis page for CPU July 2006. The page is titled "Details Oracle Critical Patch Update July 2006 - V1.00" and covers some overview details of what has been fixed and details of the following bug fixes:

"DB21 - SYS.DBMS_STATS"
"DB22 - SYS.DBMS_UPGRADE"
"DB01 - SYS.DBMS_CDC_IMPDP"
"DB03 - SYS.KUPW$WORKER"
"DB06 - DBMS_EXPORT_EXTENSION"

Alex has also indicated that DB05, DB07 and DB16 are his as well but no advisories are there yet.

Also some of the bugs shown here detail the functions or procedures that are at fault.

All database patches are available this time

I am just chatting to Alex and he has checked that all the database patches are available this time, but some HTTP patches are missing. This is a much better position than the last CPU, where quite a large percentage of database patch sets were delayed for quite some time. The view issue could also be DB20 but time and checking will tell :-)

Eric Maurice speaks about the July CPU

I just saw Eric's blog entry "July 2006 Critical Patch Update Released" discussing the latest patch update from Oracle. He has made a couple of interesting points: the first that Siebel is not included but should be for the next patch set, and also that the documentation set has changed / improved?

Eric is the Manager for Security in Oracle's Global Technology Business Unit.

CPU July 2006 is out

I have just returned home and checked for the July alert on Oracle's alerts page and found that it's out. I notice that the date on the main alerts page shows July 17 2006, but it should be released today and it has been released today.

The alert "Oracle Critical Patch Update - July 2006" takes the usual form of recent alerts. Credits are given to the usual suspects, Alex, David, Esteban and a couple of newer names to the Oracle security game, Dr. Christian Kleinewaechter and Swen Thuemmler. The alert covers quite a number of bug fixes: 23 database, 4 database client, 10 application server, 1 Collaboration Suite, 20 E-Business Suite, 4 OEM, 2 PeopleSoft and 1 JD Edwards bugs.

This is quite an array of bugs for a company that has recently seemed to be getting on top of security bug fixing. The database has a few package-based bugs; these would be reasonably easy to work out how to exploit by comparing the new updated packages with the old. There is a raft of OCI bugs and also DB2 sounds like the recent 0-day exploit published on Metalink.

When will we see a CPU with one or two fixes?

oh the irony...

I got an email the other night from Nik about my post "Mary Ann speaks - on security testing rules". In his email he told me that if you follow the links in Mary Ann's post to the link "excellent quotes about the US marines" - "http://millennium.fortunecity.com/redwood/352/usmc4.htm" - you are hit by a popup that prompts you to install ErrorSafe, which is classed as spyware - "http://www.symantec.com/avcenter/venc/data/errorsafe.html" - and as Nik said "oh the irony...."

I followed the link myself and I was not hit by the popup. This could be my firewall, IE settings or .... but Nik got it, so beware.

Mary Ann speaks - on security testing rules

I just found a new post by Mary Ann Davidson. The post is titled "Let Us Now Praise (Not So) Famous Men and Women" - this is mostly a post rambling on about military stuff that you can mostly skip over. I was interested and singled it out for one reason. There is a passage in the middle of it about a request from a colleague of Mary Ann's to use the ethical hacking team to test a certain product, but to conduct the test purely within the boundaries of the described functionality and policies of the product. I like Mary Ann's quote from her sister "Rules? There are no rules! This is war!" - This is true for any hacker. It is simply crazy to conduct a security test bounded by rules of what the application is supposed to do; hackers will try anything to break the application and get it to do something it's not supposed to. This is how bugs are found that can be exploited. Hackers will not simply press buttons; they use software to try every aspect of an application to break it, and then more.

Good post. I have come across similar cases where some developers tend to think that hackers will only use software in the ways that they have designed it. It's a very blinkered approach and is why security is easy to break. Developers need to think like hackers when they are designing and creating new applications. This will help to make more secure applications. You need a devious mind; if you have one then it's possible to think of all of the possible attack scenarios and to code against them.

Nice snippet Mary Ann.

Nice three part article on FGA

Someone emailed me a week or so ago with links to a three part article about Fine Grained Audit (FGA) written by Arup Nanda. This is an oldish set of papers now (there is no date, but the URL for the first part includes 2003) but it's still very relevant, and of course it's written by Arup so it is well worth reading. The three parts are:

Fine-Grained Auditing for Real-World Problems

Fine-Grained Auditing for Real-World Problems, Part 2

Fine-Grained Auditing for Real-World Problems, Part 3

Nice post by Eddie about undocumented pragmas

I posted some time back about Eddie's previous posts about undocumented pragmas. Eddie has added another post discussing the meaning of the FIPS FLAGGING pragma. This is an interesting post that confirms the use of the pragma and also the ALTER SESSION SET FLAGGER command. As I suspected, it has to do with SQL92 and how to identify SQL that is vendor specific. Eddie's post is titled "Go ahead, turn your FIPS flagging on".