
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Alex has added a page to compare the available Oracle password crackers

Alex emailed me the other day to let me know that he has added a page to his site that does a good comparison of the currently public Oracle database password crackers. The page is called "Oracle Password Cracker" and Alex has added a nice matrix to it that names the cracker, the author, the OS it runs on, the type (dictionary or brute force), the speed in hashes/second, the license, pros and cons, and the URL.

Alex also includes a table of speed comparisons and times to crack various length passwords.

A career change and some site revamping

I have spent quite a few hours this afternoon and this evening making changes to my site. The word "limited" has gone from the logo and all of the commercial services have been removed and my company details have been removed from the contact pages. The biggest change is to the main index page. I have rewritten the index page completely during the last couple of hours.

This is a first attempt so bear with me, it will look more professional after a couple of iterations. The site now gives a more public spirited message about delivering Oracle Security information. The reason for this is that my site will still be updated in my spare time but will no longer have the small commercial bias towards my own company that it had previously. This is because from tomorrow I will be employed by Insight Consulting, now part of Siemens Communications, based in the UK, as a principal consultant specialising in Oracle security, database security and application security.

I have always maintained this site in my spare time and will continue to do so. I have a backlog of stuff to talk about here and also a couple of major updates I have been working on, so watch this space.

1.02 Million hashes/second Oracle dictionary and brute force password cracker available

0rm of Toolcrypt.org emailed me last night to let me know that he has made the full version of his Oracle dictionary and brute force password cracker available to the public. This cracker is the fastest Oracle password cracker that I know of - and I know of more than 10 different Oracle password crackers that are either in commercial tools or are in private hands. It is also probably the best-featured Oracle password cracker available.

I have known about this cracker since version 0.32 when it was previously available but its presence was not advertised. The cracker was then removed from toolcrypt and has just now been made available again as version 0.7. You can download orabf version 0.7 here.

Orabf is a dictionary cracker and a brute force cracker. It is possible to define the character set used in the brute force attack. You can choose alpha, alpha+numeric, numeric or the full character set. You can also define the maximum number of characters to check up to for the password. For instance you can check just for 5 character passwords. You can also start a cracking session, stop it and then use the resume feature to restart from the point you left off. The zip also includes a DOS batch script that can be used to attack multiple usernames/hashes in the same run. There is also a nice tool called permute that can be used to mangle and manage dictionaries or wordlists. There is also a word list and a tool to generate password hashes rather than crack them.

0rm has worked on this cracker for some time and he says it is unlikely to get much more work done on it as it is already very fast. I have clocked 1.02 Million hashes per second on a 2.8 GHz Pentium 4. He has done some great tuning work on the DES algorithm itself to make this cracker very fast.

Here is a sample run:-

First alter the SCOTT user's password so we can do a brute force cracking session.


SQL> alter user scott identified by xfd7h;

User altered.

SQL> select username, password from dba_users
2 where username='SCOTT';

USERNAME PASSWORD
------------------------------ -----------------------
SCOTT 0BF93A124BAD1F02

SQL>


Next view the parameters to pass to orabf:


C:\petefinnigan.com\orm_version_7>orabf

orabf v0.7, (C)2005 orm@toolcrypt.org
-------------------------------------

usage: orabf [hash]:[username] [complexity] [{}|maxpwdlen] [{}|'resume']

where complexity is a number in [1..4] or a filename
- read words from stdin
[file] read words from file
1 numbers
2 alpha
3 alphanum
4 entire keyspace

0 < maxpwdlen < 15 (brute force mode only)

resume tries to resume a previous session



Now run the orabf tool to brute force crack the password:


C:\petefinnigan.com\orm_version_7>orabf 0BF93A124BAD1F02:scott 3 5

orabf v0.7, (C)2005 orm@toolcrypt.org
-------------------------------------
Trying default passwords
Starting brute force session

press 'q' to quit. any other key to see status

password found:SCOTT:XFD7H

57871891 passwords tried. elapsed time 00:00:56. t/s:1026442


C:\petefinnigan.com\alex\orm_version_7>


As you can see the 5 character password was cracked in 56 seconds and the cracker ran at 1.02 Million hashes per second.

This is a fantastic tool. Anyone interested in Oracle Security should get it and use it to test password strength in their databases. Of course I have added 0rm's cracker to my Oracle Security Tools page.

Alex has released version 1.1 of Checkpwd - the Oracle dictionary password cracker

Alex has just let me know that he has upgraded Checkpwd his dictionary based Oracle password cracker. It has been upgraded to version 1.1. The changes are summarised as follows:

"History

1.0 - Initial Version

1.1 - Smaller Changes
Show Oracle Account Status (OPEN, EXPIRED, LOCKED)
Check for weak password = username
Linux Version (static, shared and standalone)
Dictionary file can now contain \n or \r\n
Dictionary converted to upper case"


The password cracker page - Oracle Password Checker (Cracker) has been updated with new links for the version 1.1 tools for Windows and Linux.

I have updated my Oracle Security Tools page with the new links.

Full disclosure list: Summary of the password algorithm and a C code plug-in for John The Ripper password cracker

I have just been made aware of a thread on the Full Disclosure mailing list. I saw the first post to the thread earlier today which is a copy of the comp.databases.oracle.server posting. The post is by Jeroen and is titled "[Full-disclosure] HOWTO: Crack Oracle Security like a peanut?".

The second post in the thread is by Simon Marechal and it includes a summary of the Oracle password algorithm in pseudo steps that can then be used to code it up. Simon then includes a C code file called oracle_fmt_c that is a John the Ripper (password cracker) plug-in for the Oracle password algorithm. The C code by definition reveals how to code the Oracle password algorithm in C using a DES library.

Simon also says the cipher will be shipped with the Bob The Butcher password cracker, which is closely based on John the Ripper. Bob The Butcher is not available yet. The C code, I assume, can be added to John the Ripper now.

A correction to the author and URL for orabf.pl

I have just been emailed by crg, who I thought was the author of orabf.pl that I talked about yesterday. He told me that dab is in fact the author. Sorry to both for the confusion. I have also changed the URL to the tool to another specified by crg.

crg also informs me that they are working on a much faster version 2. I will let you know when I hear about it. I have made the corrections to my Oracle Security Tools page.

A perl script to brute force database connections

I was made aware of this perl script on Digitalsec.net that can be used to brute force an Oracle database connection. The script is called bfora.pl and is described as "Brute force for Oracle databases". It first builds a TNS packet and uses this to interrogate an Oracle listener to get the details of the SIDs and services that are available. Then it uses the SIDs found and tries to brute force a connection. I have not done a detailed comparison of this script with http://www.jammed.com/~jwa/hacks/security/tnscmd/ - (broken link) tnscmd.pl or with Patrik's tools but there are some synergies. This still looks like a useful script that can be used where binaries are not a possibility. I have of course added it to my Oracle Security Tools page.

Alex Kornbrust has released a Linux version of his Oracle password cracker

Alex has just told me that he has released a Linux version of his dictionary based Oracle password cracker. The Linux version currently only supports the standalone mode. The mode where you can connect to the database and audit multiple passwords at once is not available in this version. The standalone version does not require an Oracle client installation. The standalone version can be used to test one user database account at a time against a supplied default password list and also a 1.5 Million word wordlist. You can of course supply your own word list or do as Alex suggests in the question and answers section at the end of the "Oracle Password Checker (Cracker)" page and use John The Ripper to create a much bigger word list by using permutations of an existing list.

The Linux checkpwd v1.0 standalone download, including the default password list and the big word list, is available.

Alex has also added the OpenSSL licence in the checkpwd.txt file that is part of the download.

I have of course added details of this tool to my Oracle Security Tools page.

A second thread on c.d.o.s. about the Oracle password algorithm

There is a second thread on the comp.databases.oracle.server newsgroup that has the same Oracle password transform (algorithm) posted to it by presumably the same guy as the other thread I pointed to last night, this time with a different (abusive) name. The post (I will not repeat the title) includes a second post by the OP that has some C code that looks like it is part of a password check program. The actual encryption routines are not included.

It seems that this guy has been busy as he has also posted the same text to the Unix Documentation Project as http://nixforums.org/files/forum/post-255354.html - (broken link) How to crack an Oracle password info. I have done some quick searches and found that it looks like he has posted this same information 3 times on July 17, August 11 and August 19.

Red Database Security has released more Oracle password algorithm information

Alex has emailed me to let me know that he has updated his page Oracle Database Passwords with the known details of checking Oracle database passwords, based on the new password checker that he has released. He has updated the elapsed times needed to brute force passwords of each length. He has added links to his cracker (password checking tool) and also added some useful links at the end of the paper.

Alex has also created a new page titled "Oracle Password Checker (Cracker)" which details checkpwd, his Oracle password cracker. As I said last night there are two versions of this cracker available. The first has a simple password list, the second a 1.5 million word list. Links are available on Alex's page and I have also added them to my Oracle Security Tools page. Alex gives examples of both methods of running the tool and also mentions that a Linux version will be available soon.

Details of the Oracle password algorithm were revealed by its creator in 1993

I was just emailed by Rajendra to remind me that there is a usenet post describing the Oracle password algorithm, posted in 1993 by Bob Baldwin - the presumed creator. The post is titled "Oracle password encryption algorithm?" and it was posted to comp.security.misc. I first came across this post a few years ago - I think in 2001. It gives an overview of the algorithm used, its design goals and pseudocode, and its flow and text are coincidentally structured similarly to the post on c.d.o.s I mentioned yesterday in my post "Crack Oracle Security like a peanut!".

undocumented Oracle?

There has been a flurry of blog posts from Radoslav, http://oracledoug.blogspot.com/2005/08/jonathan-debunks-another-don-article.html - (broken link) Doug, Jonathan Lewis and from http://tkyte.blogspot.com/2005/08/getting-credible-information.html - (broken link) Tom Kyte all about a paper written by Don titled "Undocumented secrets for super-sizing your PGA" that was recently released.

I like undocumented and hard to find information so I am always interested by papers like this. I won't get into the for and against of this particular article and its opposers; Radoslav has done a good job of summarising the current state of this farce in his post "The Don Burleson's article".

I wanted to highlight this post not for many of the reasons that others have quoted but for one reason in particular: whilst undocumented information is interesting to know, it should not be used in production databases under any circumstances, and hidden parameters should never be set unless Oracle support direct you to do so.

Red Database Security has released a standalone Oracle password cracker

Red Database Security has just let me know that they have released a standalone Oracle password cracker using Eric Young's DES encryption library. There are two downloads available. The first is oracle_checkpwd.zip (704KB) which includes the libraries and also a default password list. The second is checkpwd_big.zip (4.7MB) which again includes the libraries and binary and a 1.5 million word dictionary. The tool can be used as follows:


C:\petefinnigan.com\alex\password cracker>checkpwd
Checkpwd 1.00 - (c) 2005 by Red Database-Security GmbH

usage: checkpwd <-quiet>
for example: checkpwd -quiet system/manager@mydbserver default_passwords.txt
or: checkpwd SCOTT:F894844C34402B67 default_passwords.txt


You can connect to the database and get the password hash from there or supply it on the command line. Here is a sample run:


SQL> alter user scott identified by zztop;

User altered.

SQL> select username,password from dba_users
2 where username='SCOTT';

USERNAME PASSWORD
------------------------------ ------------------------
SCOTT C602545F6676B420

SQL>


The password hash can then be used as input to the tool:


C:\petefinnigan.com\alex\big_password_check>checkpwd SCOTT:C602545F6676B420 password_list.txt
Checkpwd 1.00 - (c) 2005 by Red Database-Security GmbH

opening weak password list file
reading weak passwords list
checking passwords
SCOTT has weak password zztop

Done. Summary:
Passwords checked : 1543885
Weak passwords found : 1
Elapsed time (min:sec) : 0:11
Passwords / second : 140353



It is quite fast at 140,000 passwords per second, not as fast as the crackers in the commercial tools available, but leagues better than auditing passwords with PL/SQL based tools. I will add links to these tools on my Oracle Security Tools page.
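The checkpwd run above, the orabf session earlier on this page and the algorithm summaries in the Full Disclosure thread and Bob Baldwin's 1993 post all rest on the same pre-11g password hash construction. The following is an added Go example, not code from Toolcrypt, Red Database Security or John the Ripper: it computes that hash with the standard library's crypto/des, runs a checkpwd-style weak-password audit (the username itself plus a word list) against the SCOTT hashes shown in the transcripts, and estimates how long a brute force run at orabf's measured rate needs to exhaust a keyspace. The function names, the constructed word list, the ASCII-only input assumption and the 36-symbol alphanumeric charset are mine.

```go
// Added example: the Oracle 7-10g password hash as described on this page,
// plus a checkpwd-style audit and a brute force time estimate. Not the
// code of orabf, checkpwd or John the Ripper.
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// fixedKey is the published constant DES key used in the first CBC pass.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBCLastBlock runs DES-CBC with an all-zero IV over msg (a multiple of
// 8 bytes) and returns the final ciphertext block, i.e. a CBC-MAC of msg.
func desCBCLastBlock(key, msg []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a key that is not 8 bytes
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, msg)
	return out[len(out)-des.BlockSize:]
}

// OracleHash computes the pre-11g hash: uppercase(user || password), each
// character widened to two bytes (0x00, char), zero-padded to a multiple of
// 8 bytes, then two DES-CBC passes. The last block of the first pass (fixed
// key) becomes the key of the second pass, whose last block is the hash.
// Assumes ASCII usernames and passwords.
func OracleHash(user, password string) string {
	s := strings.ToUpper(user + password)
	msg := make([]byte, 0, 2*len(s)+des.BlockSize)
	for i := 0; i < len(s); i++ {
		msg = append(msg, 0x00, s[i])
	}
	for len(msg)%des.BlockSize != 0 {
		msg = append(msg, 0x00)
	}
	key2 := desCBCLastBlock(fixedKey, msg)
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(key2, msg)))
}

// CheckWeak mirrors a checkpwd-style audit: it first tests password == username
// (the check added in Checkpwd 1.1) and then every word in the list against the
// stored hash, returning the matching password if the account is weak.
func CheckWeak(user, storedHash string, words []string) (string, bool) {
	want := strings.ToUpper(storedHash)
	if OracleHash(user, user) == want {
		return strings.ToUpper(user), true
	}
	for _, w := range words {
		if OracleHash(user, w) == want {
			return w, true
		}
	}
	return "", false
}

// BruteForceSeconds estimates the worst-case time to try every password of
// exactly length characters over charsetSize symbols at rate hashes/second.
func BruteForceSeconds(charsetSize, length int, rate float64) float64 {
	return math.Pow(float64(charsetSize), float64(length)) / rate
}

func main() {
	// Constructed stand-in for a default_passwords.txt file.
	words := []string{"manager", "change_on_install", "tiger", "zztop"}

	fmt.Println("SCOTT/TIGER hash:", OracleHash("SCOTT", "tiger"))
	if pw, weak := CheckWeak("SCOTT", "C602545F6676B420", words); weak {
		fmt.Printf("SCOTT has weak password %s\n", pw)
	}
	// orabf mode 3 (alphanum) on 5 characters at the 1,026,442 hashes/s from
	// the transcript; Oracle folds case, so 36 symbols are assumed.
	fmt.Printf("36^5 keyspace exhausted in about %.0f seconds\n",
		BruteForceSeconds(36, 5, 1026442))
}
```

Run with `go run`; the two hashes from the transcripts (0BF93A124BAD1F02 for xfd7h and C602545F6676B420 for zztop) are reproduced, and the 36^5 estimate of roughly 59 seconds agrees with the 56 seconds orabf needed before it hit XFD7H part way through the space. Because the hash has no salt and folds case, the same list of candidate hashes serves every database that has the same username, which is exactly why precomputing them, as Hashattack does, pays off for an auditor.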

New Online MD5 Hash Database

Thanks to Marcel-Jan who has posted a link in my Oracle Security Forum about a post on Slashdot. The post on Slashdot is titled "New Online MD5 Hash Database" and describes a new service offered by http://gdataonline.com/ - (broken link) http://gdataonline.com/ who now have an online database of over 12 million MD5 hashes and the relevant passwords.

This is an interesting idea. The commercial usefulness is dubious as any commercial company is unlikely to submit their password hashes to a website, or maybe some will! - This is not an Oracle database password hash check but it is not inconceivable that this sort of online service could be started for Oracle password checks.

Crack Oracle Security like a peanut!

I came across an interesting post on the comp.databases.oracle.server that describes the Oracle database transform (password algorithm). The post is titled "Crack Oracle Security like a peanut!". It was posted on August 11 by a user claiming to be DA Morgan. The second post in the thread by the real Daniel Morgan refutes this. The final post in the thread suggests actions to find out who has been posing as Daniel.

Radoslav Rusinov's Blog and mod_plsql passwords in clear text

I came across Radoslav Rusinov's blog quite by chance. I had seen Radoslav's name previously as he has posted to threads on my Oracle Security Forum but I did not realise that he had a blog until this evening so I went to have a look. He has not been blogging long but already has some very good and very detailed posts. Mostly the posts so far are not Oracle security related but he lists one of his interests as security so I guess we can look forward to some good posts. I found one good security related post so far. This is titled "How to see the MOD_PLSQL passwords in clear text".

This post talks about how easy it is to get at DAD passwords in clear text in pre-10g versions. I was aware of this previously as I mention it in my book and also in the SANS course, but Radoslav has given a very good discussion of the issue with examples and also tips on how to secure it. He also includes a Java program for decoding the base64 encoded passwords and also a link to an online decoder. This is a great blog so far and well worth watching in the future.

Alex Kornbrust's Black Hat presentation on reverse engineering Oracle's encryption packages

This entry is a little late as I talked about other Black Hat presentations from Esteban and Cesar a couple of weeks ago. I planned to talk about Alex Kornbrust's presentation at the same time but did not get the chance. Alex's presentation was titled "Circumvent Oracle's Database Encryption and Reverse Engineering of Oracle Key Management Algorithms".

This is a superb presentation and goes into detail on how easily the security of Oracle's built-in encryption packages can be circumvented by stealing the keys or working out the algorithms used in key management. Alex starts with a detailed look at key management and the issues involved. He then talks about PL/SQL wrapping and why it should be used, and also shows that Oracle stopped describing it as encrypted PL/SQL in 10g and beyond and that in 10g wrapping simply makes getting at the original source difficult. Alex goes on to show how details can still be gleaned from wrapped code and how those details could be better protected. Alex then talks about how Oracle uses database encryption for 10g Grid Control password management and why this is insecure. He then talks about intercepting encryption package calls to steal the keys used, with a lot of superb examples. The discussion then focuses on how to reverse engineer computed keys, again showing detailed examples. Alex finishes off with some tips for designing database encryption solutions.

The presentation is also available from Alex's own site as "Circumvent Oracle's Database Encryption and Reverse Engineering of Oracle Key Management Algorithms". It is worth downloading this version as it has been updated substantially since the Black Hat presentation. It now includes quotes from various books and other sources as well as comments from Oracle's director of product management Paul Needham.

There is also a thread on my Oracle Security Forum titled "Alexander Kornbrust - Black Hat 2005 Presentation" that discusses the presentation with some comments from Alex himself.

Doug talks again about ? and catpatch.sql

I saw an interesting post this evening on Doug's blog titled http://oracledoug.blogspot.com/2005/08/more-on-and-catpatchsql.html - (broken link) More on ? and catpatch.sql. This follows on from Doug's previous post http://oracledoug.blogspot.com/2005/08/shortcut-for-oraclehome.html - (broken link) ? shortcut in sqlplus and my comments in "Some good tips on Doug's blog?".

Doug has been digging through various installations both at home and at work looking for examples of the "?" shortcut for ORACLE_HOME in Oracle's scripts. It took some finding but he eventually found one example in catpatch.sql. The fact that he had great trouble finding an example perhaps emphasises the issue discussed before: running a script from a remote client that also has Oracle installed would result in the remote version of the script being run rather than the local one. This could be a serious issue. The fact that Doug found his only example in catpatch.sql is also a worry considering the recent issues with installing patches.

Bell Labs Dept 1127 has finally gone

I just saw a post on the Oracle-l list about an article on the Unix Review website. It is titled http://www.unixreview.com/documents/s=9846/ur0508l/ur0508l.html - (broken link) Dept. 1127: going, Going, GONE! and is written by Unix God Peter H. Salus. The article marks the demise of department 1127, which is where the likes of Ken Thompson (creator of Unix), Dennis Ritchie (creator of Unix and C), Brian Kernighan (creator of Awk), Doug McIlroy, Rob Pike and Tom Duff worked. Tom Duff is famous for his "Duff's Device", in which he implemented loop unrolling using C's switch/case, utilising the fact that cases can fall through. This is, quite simply, genius C coding and the aforementioned link includes the original 1983 post describing Tom's invention.

Department 1127 was the place of invention of the AT&T dialect of Unix, created by Thompson and Ritchie in 1969 whilst they spent time reviewing their recent experiences of Multics. Unix was written in PDP assembler and later ported to C after Dennis Ritchie created C from B, which was itself created from BCPL (this is a simplistic history!).

It is a sad demise when such a great place of creation has closed. This department was the place of work for many greats in the computer industry.

What has this to do with Oracle Security? - well nothing specifically except a large number of Oracle installations run on systems derived from work these guys did originally a long time ago.

My site and Blog are available again

This morning I got an email from http://doug.burns.tripod.com/oracle/ - (broken link) Doug Burns and then soon after from Marcel-Jan Krijgsman to let me know that my site had been hacked. In fact in the end the hacker had overwritten the index files for my blogs main entry page and also for the archives page. He (she/they) had also overwritten the same files for my web development blog.

This has meant that the whole site has been down all day whilst the ISP http://www.uklinux.net - (broken link) Uklinux fixed the issue. It turns out that the hackers had also done the same to many other sites hosted by my ISP when they compromised the server.

Anyway my site is back.

OPatch, wherefore art thou?

Josh pointed me at a new news article written by Shawna McAlearney this evening titled http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1115321,00.html - (broken link) OPatch, wherefore art thou? that was published yesterday 15 August 2005. This is an interesting article that talks about the issues of the recent patches that do not work or patches that are incomplete - e.g. fixes that are supposed to be fixed are in fact not.

The article features comments from David Litchfield and makes a good point about regulatory requirements to apply security patches promptly. He also mentions that he will soon release a paper on problems with using OPatch, Oracle's patch application tool, and also its tool for verifying the patch level of a database. He goes on to discuss the problems of incomplete patches, patches that fail to fix the flaws, the problems with not running post installation procedures, problems with OPatch not updating the registry properly and a problem with rolling back patches where the patch is removed but the inventory is not updated. This leads to the situation where a database looks to be patched but in fact it is not.

This looks like it will be a very interesting paper when released. This article also starts to raise serious worries about the state of the Oracle patching process and tools.

Is it just me or is Orablogs not reachable again?

I have been trying http://www.orablogs.com - (broken link) Orablogs the excellent Oracle blog aggregation site quite a few times this evening but to no avail. I guess Brian is having some DNS issues again.

I would just like to remind anyone who wants to visit Orablogs that the site is still up and can be reached at http://83.170.75.145/orablogs/.

Hashattack 2.0 tool : ooops incorrect link on the tools page

I have had a few emails from people asking me about the hashattack 2.0 tool written by Josh Wright that can be used to pre-compute password hashes from a dictionary of common words for a specific database user. The results, stored in a table, can then be easily re-used for ongoing checks for the same user in the same database or any other database.

I announced this tool here a few posts ago and added it to my Oracle Security Tools page but unfortunately I got the URL wrong. The URL on my tools page has now been corrected.

There is also currently a thread on my Oracle Security Forum discussing this tool.

Two excellent papers on a new method to combat parameter validation and SQL Injection

Thanks to Ivan for pointing out these two papers to me. One is a short paper titled "Guns and Butter: Towards formal axioms of input validation" by Robert J Hansen and Meredith L Patterson. The second is a presentation called "Stopping injection attacks with computational theory" again by the same two guys. As the URLs give away, these are papers from the recent Black Hat briefings in Las Vegas. Both papers present new theories on input validation that promise convenience and security, and they talk about the problem of false negatives and false positives and why regular expressions are not the answer but finite state automata and computational theory are.

These are great papers and are worth reading.

Robert shows how easy it is to read data from websites directly into the database

I saw Robert Vollman's post to his blog titled "UTL_HTTP" and decided that it sounded interesting enough for a look. UTL_HTTP is one of the age-old built-in database PL/SQL packages that show up in lists of security issues. Why is this, you may ask? Simply because by default it is available to any database user. The script who_can_access.sql can be used to check which database users and roles can access this package:-


SQL> @c:\petefinnigan.com\who_can_access.sql

who_can_access: Release 1.0.3.0.0 - Production on Mon Aug 15 21:47:36 2005
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK [USER_OBJECTS]: UTL_HTTP
OWNER OF THE OBJECT TO CHECK [USER]: SYS
OUTPUT METHOD Screen/File [S]: S
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:
EXCLUDE CERTAIN USERS [N]:
USER TO SKIP [TEST%]:

Checking object => SYS.UTL_HTTP
====================================================================


Object type is => PACKAGE (TAB)
Privilege => EXECUTE is granted to =>
Role => PUBLIC (ADM = NO)

PL/SQL procedure successfully completed.


For updates please visit /tools.htm

SQL>


As we can see on this sample database execute privilege has been granted to PUBLIC.

Robert shows a very nice example of how stock quotes can be extracted from Yahoo Finance and inserted into the database using this package. I liked his example as it shows a real world case of how you can access external data and read it in. Remember that this package can also be used in the opposite direction and data can be extracted from the database. Also it can be used to load and run hacker SQL or PL/SQL scripts that are stored on an external web site. Beware of default privileges and useful functionality.

The rise of Oracle blogging

I saw an interesting post by Brian Duff (The owner of http://www.orablogs.com - (broken link) Orablogs) this evening titled http://www.orablogs.com/duffblog/archives/001354.html - (broken link) Long Absences and the Rise of Blogging and thought it worth passing on for two reasons. The first is that I have also noticed that there seems to be quite a few new Oracle bloggers recently, or maybe they have always been there but I have noticed them just now? - I think Brian is right though that there is a rise in Oracle blogging. This is a good thing for all of us that are interested in Oracle; to get more information on Oracle quickly.

The second reason for mentioning Brian's post is that it is always worth mentioning http://www.orablogs.com - (broken link) Orablogs from time to time for those people who have not come across it yet. This is a great site to hear about current Oracle information and well worth a daily visit.

Oracle Security expert: More developer education is needed

I came across this interesting news article written by Grant Gross and published on ComputerWorld this evening. The title is "Security expert: More developer education needed - Many programmers don't understand how code errors cause vulnerabilities" - The article starts:

"AUGUST 11, 2005 (IDG NEWS SERVICE) - WASHINGTON -- Software vendors need to create security education programs for their programmers in order to deliver software products that are more secure to their customers, an Oracle Corp. security expert said today.

Developer education and pressure from large buyers such as the U.S. government are two key ingredients in better software security, said Adam Jacobs, Oracle's principal product manager, during a presentation at the InfraGard National Conference in Washington."


This is a very interesting article for some of the comments. It says just after the above quotes that Jacobs agreed with a Microsoft spokesman that off the shelf software vendors have ignored security in favour of ease of use, at least until recently. Adam Jacobs also agreed that the numbers of security bugs are rising, not going down, and he goes on to suggest that brilliant designs are made insecure by developers. He said that many developers do not understand buffer overflows and SQL Injection and that universities are not teaching much about these subjects and issues. A key insight into Oracle's coding strategy is disclosed: Jacobs said developers are rewarded with bonuses for delivering buggy code on time and also for delivering fast code that later turns out to have many bugs in it.

He then goes on to say that Oracle have developed a one day internal security training program that all developers go on, he also said a lot of developers complained about the course, why?

He also talks about developers having responsibility for the code they produce. The article finishes with some interesting comments that Oracle isn't going to invest time in making secure products if competitors make cheaper products.

It sounds like an industry truce is needed for all database software vendors where they will all agree to have minimum coding standards for security. That way they can all compete on a level playing field and we can all get secure software.

Prime number researchers put encryption algorithms such as RSA at risk

I was in a position last week where I needed to wait for a meeting with someone for two hours so I bought a bottle of water and the latest copy of New Scientist, which I have not bought for a few years. I used to buy it regularly. I picked it mainly because of one article but I found quite a lot of interesting stuff in there.

The article I was interested in was titled "The prime number hunters close in" by Ian Stewart and it was published 6 August 2005 (in the UK). There is a brief summary of this paper on the link I have just given. To read the rest of the article you need to subscribe or buy the paper copy like I did.

Basically the article says that in the past the hunt for ever bigger prime numbers has hit limits that are basically never going to be passed. The methods used for bigger numbers involve probabilistic checks. The hunt has been on for a more efficient test for the factors of primes. This looks like it could have been found thanks to the brains of Manindra Agrawal and his students Neeraj Kayal and Nitin Saxena at the Indian Institute of Technology, Kanpur. The method looks like it might have a practical implementation some day.

This has implications for cryptography that is based on primes, such as RSA. It was thought impossible that a practical method could be found to locate primes, but that looks like it was wrong. The same is said of cracking the codes used in algorithms such as RSA; could they also be wrong about this? Could cryptography be less secure than was previously thought?

New TNS protocol full client available for testing listener security

A new tool is available that can be used to test an Oracle listener. It is called http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=35 - (broken link) Oracle TNSLSNR Full Client and has been provided by DokFLeed. It is written in C, is free, and supports the following commands:

"ping , version , service , status change_password, help, reload, save_config, set connect_timout set display_mode, set log_directory , set log_file , set log_status , show , spawn stop"

The tool also supports full packet crafting (if you know what you are doing) and is based on the previous work by James Abendschan. The protocol has changed in 10g so this tool will be accompanied by a 10g version soon.

I have of course updated my Oracle Security tools page to include this tool.

Hashattack - Oracle password tool update to version 2.0

Josh Wright has just informed us, via a thread on my Oracle security forum titled "hashattack a dictionary attack tool for Oracle", that he has updated the tool to version 2.0.

This tool can be used to pre-compute password hashes for an Oracle database user so that a simple, repeatable check can be made for weak passwords. It is very useful for default accounts such as SYS or SYSTEM, or for application accounts that should be checked regularly.

Version 2.0 has had some improvements added based on a discussion on my forum. Thanks to Gary for suggestions.

The changes (stolen from Josh’s change log ..:-) ) are:-

"2005-08-11 - 0.2.0
+ Improvements implemented following suggestions from Pete Finnigan and
gamyers in the "hashattack a dictionary attack tool for Oracle" thread at
www.petefinnigan.com.
+ Creates a profile called "HASHATTACK_PROFILE" to limit sessions_per_user,
connect_time, idle_time, failed_login_attempts, password_reuse_max and
password_verify_function to appropriate values. This is necessary because
the default profile should have constraints applied that will hinder
hashattack's performance. You have applied limits to the default profile,
right?
+ Added a check to see if the temp account exists before creating.
+ Properly quoted passwords for alter user syntax.
+ Re-wrote how passwords are collected from the filesystem; instead of
multiple UTL_FILE calls for each word, build an external table that turns
into a database table via CTAS statement, and read words from a cursor."

I have updated my Oracle Security Tools page to include a link to version 2.0.

A good page describing Oradebug

I came across a good page on the Puget Sound Oracle Users Group's web site this evening, while looking for something else, that describes the ORADEBUG tool. Daniel takes us through all the commands available in the ORADEBUG tool and gives us some good examples and plain speaking. The page is called "Oracle ORADEBUG - Version 10.1" and is written by Daniel Morgan. I have updated my Oracle internals and undocumented Oracle page to include details of this paper.

Some good tips on Doug's blog?

I saw this evening a good post on Doug Burns' blog titled http://oracledoug.blogspot.com/2005/08/shortcut-for-oraclehome.html - (broken link) A shortcut for ORACLE_HOME. Doug shows us how to use "?" as a substitute for the ORACLE_HOME environment variable, saving the need to type complete paths when running scripts from the Oracle installation. Jeff Hunter piped in with a comment that you need to be careful not to run scripts from a local Oracle Home if you are accessing the database remotely.

This is an interesting point from Doug and Jeff. Shortcuts are great for saving time but can also cause heartache if errors like the one indicated here occur. This, you might say, is not a security issue, but it becomes one if the database is trashed by running the wrong scripts. Security should also cover the possibility of errors occurring, whether deliberately, maliciously or carelessly; it becomes a security issue because it was possible to cause damage at all. This is a question of privilege level and the principle of least privilege. The fact still stands, though, that it is a good time-saving tip!

Oracle simplifies SOAs

I just found a news article published on sify.com in Bangalore and titled http://sify.com/finance/fullstory.php?id=13913826 - (broken link) Oracle simplifies SOAs that starts:

"Bangalore: Oracle today announced its new integrated, standards-based business process platform that simplifies the security of the service-oriented architectures (SOAs) and Web services"

I am not sure if this is new news or not as similar news articles were surfacing a few weeks ago.

Joshua Wright has provided a free tool to check Oracle accounts for common passwords

Josh Wright, who normally teaches the SECURITY 509: Securing Oracle course that I wrote for SANS, has written a useful tool called hashattack. This is a set of simple scripts that pre-computes the password hashes for a particular Oracle user such as SYS or SYSTEM. The scripts use a dictionary (you can provide your own) to pre-compute the hashes for a large list of possible passwords. You can then use the database table of password/hash combinations to check whether the current password is set to a dictionary word. The list can also be used to check the password for the same user in any number of databases. So whilst it is time consuming to create the hash list, once created it can be re-used to great effect.

I have added details of the tool on my Oracle security tools page and extra description there.
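As an added example for the two hashattack entries above (this is not hashattack's own code, nor anything from Josh's posts), the following shows what the "limits on the default profile" that hashattack has to work around look like, a query for profiles that still lack such limits, and the repeatable comparison that a precomputed hash table makes possible. It assumes a 9i/10g database, where DBA_USERS.PASSWORD holds the 16-character hash, and a precomputed table named WORDHASH with columns WORD and HASH; the table name and its columns are assumptions made for this example, not hashattack's.

```sql
-- Added example, not hashattack's code.  Assumes Oracle 9i/10g, where
-- DBA_USERS.PASSWORD holds the hash, and a precomputed table
-- WORDHASH(WORD, HASH) built for one username (table name assumed).

-- 1. Password limits on the DEFAULT profile.  These are the limits that
--    hashattack's own HASHATTACK_PROFILE exists to bypass; a tool that has
--    to work around them is a sign they are doing their job.
--    VERIFY_FUNCTION is the sample complexity function created by
--    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.  The values are illustrative.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1       -- days locked after too many failures
  PASSWORD_LIFE_TIME       90      -- days before the password expires
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION;

-- 2. Which profiles still leave password limits wide open?  Every row here
--    is a profile whose users are not protected by limits like those above.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    limit IN ('UNLIMITED', 'NULL')
ORDER  BY profile, resource_name;

-- 3. The repeatable check.  The hash depends on the username as well as the
--    password, so a table precomputed for SYSTEM is only meaningful against
--    SYSTEM; build one table per account you audit.  A row returned means
--    the account's current password is a dictionary word.
SELECT u.username, u.account_status, w.word AS dictionary_word
FROM   dba_users u
JOIN   wordhash  w ON w.hash = u.password
WHERE  u.username = 'SYSTEM';
```

Query 2 deliberately ignores the value DEFAULT, because a non-default profile whose limit reads DEFAULT inherits whatever the DEFAULT profile sets; once step 1 is in place those profiles are covered. Query 3 is the whole point of the precomputation: once the table exists, the check against any number of databases is a single join rather than a fresh dictionary run.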

10gR2 the CONNECT role has finally been sanitized

I saw on Niall's blog yesterday, in an entry titled "Connected Thinking", that the CONNECT role has finally been corrected by Oracle to do what it says on the tin, i.e. simply allow a user granted it to connect. That's right: it now only has the system privilege CREATE SESSION. This is a welcome change and, as Niall points out, it will break a lot of existing third-party and home-grown applications when they are connected to 10gR2.

I (and a lot of others) have been suggesting this change for years and finally Oracle has listened to us all. Let’s hope that they now do something about the RESOURCE role as well. It was rumoured that the CONNECT and RESOURCE roles had been deprecated and would be removed although I have never found this in writing.

The fact that CONNECT now only has the CREATE SESSION privilege would imply that Oracle have done a lot of testing with all of the default and example accounts that in the past have been granted this role. Do these examples still work? Only time will tell.

If you have previously used the CONNECT role then now is the time to start looking at the real privileges your applications need and to correct them.
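As an added example of that review (this is not from Niall's post or from Oracle's documentation), the queries below show what CONNECT hands out on a given database, who holds it, what those accounts actually own, and how to replace the role with one that names the real requirement before the upgrade does it for you. APP_OWNER and APP_OWNER_ROLE are constructed names; everything else is standard data dictionary views.

```sql
-- Added example, not from Niall's post or Oracle's documentation.

-- 1. What the CONNECT role actually grants on this database.  Before 10gR2
--    this lists eight privileges (ALTER SESSION, CREATE CLUSTER, CREATE
--    DATABASE LINK, CREATE SEQUENCE, CREATE SESSION, CREATE SYNONYM,
--    CREATE TABLE, CREATE VIEW); from 10gR2 on it lists only CREATE SESSION.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;

-- 2. Every account (or role) that holds CONNECT and will therefore lose the
--    other seven privileges on upgrade.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'CONNECT'
ORDER  BY grantee;

-- 3. Evidence of what those accounts really use: the object types each
--    CONNECT grantee owns.  An owner with tables and views needs CREATE
--    TABLE and CREATE VIEW; one that owns nothing probably needs only
--    CREATE SESSION.
SELECT o.owner, o.object_type, COUNT(*) AS objects
FROM   dba_objects o
WHERE  o.owner IN (SELECT grantee
                   FROM   dba_role_privs
                   WHERE  granted_role = 'CONNECT')
GROUP  BY o.owner, o.object_type
ORDER  BY o.owner, o.object_type;

-- 4. Replace CONNECT with a role that names the real requirement
--    (APP_OWNER and APP_OWNER_ROLE are constructed names).  Doing this
--    before the upgrade means nothing changes when CONNECT shrinks.
CREATE ROLE app_owner_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE
  TO app_owner_role;
GRANT app_owner_role TO app_owner;
REVOKE CONNECT FROM app_owner;
```

Step 3 only shows what an account has created, not what it does at run time; an account that owns nothing but creates database links or synonyms from application code will still show up as needing more than CREATE SESSION once it is tested, so treat the object counts as a starting point for the application test, not as the final answer.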

Database Vendors Shouldn't Kill the Messenger

I saw a good news article on eWeek earlier in the week and made a note to have a look. The article is written by Charles Garry and is titled "Database Vendors Shouldn't Kill the Messenger". The article starts with this opinion:

"Opinion: Hackers are a bigger problem than indiscreet security researchers, and vendors should focus on protecting their databases, not their reputations."

This is quite an interesting article with some good comments on the recent Mary Ann Davidson article that lambasted security researchers.

Esteban Martínez Fayó has a fantastic black hat presentation on SQL Injection

I downloaded Esteban's, Alex's and Cesar's presentations from the Black Hat conference earlier in the week and I have just got round to reading Esteban's presentation titled "Advanced SQL Injection in Oracle Databases". The paper covers SQL injection in definer rights procedures and also in current_user procedures. Esteban also talks about how to get around the need to be able to CREATE PROCEDURE in order to exploit SQL injection. He also shows how to query the data dictionary to view the exploit code and also the resultant (modified) code inside built-in packages. He also discusses SQL buffer overflows and remote web-based attacks. This is a very comprehensive paper and includes excellent examples. In fact I would go as far as to say this is one of the best Oracle security papers (presentations included) I have ever read. Excellent work! This presentation underlines, if it needed underlining, that SQL injection is a real and current threat for Oracle databases and, as Esteban points out, he still has a huge number of bugs in built-in packages that he has reported to Oracle and that still need to be fixed.
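To make the definer rights versus current_user distinction concrete, here is an added example that is not taken from Esteban's presentation: a procedure that splices its argument into dynamic SQL, beside the hardened forms. EMP is a constructed example table assumed to exist in the procedure owner's schema; the procedure names are invented for this illustration.

```sql
-- Added example, not from Esteban's presentation.  EMP is a constructed
-- table assumed to exist in the procedure owner's schema.

-- VULNERABLE: a definer-rights procedure (the default) runs with its owner's
-- privileges, and p_ename is spliced into the statement text, so whatever
-- the caller passes becomes part of the SQL that the owner executes.
CREATE OR REPLACE PROCEDURE emp_count_bad (p_ename IN  VARCHAR2,
                                           p_count OUT NUMBER) AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE ename = ''' || p_ename || ''''
    INTO p_count;
END;
/

-- HARDENED: the value travels as a bind variable, so it can only ever be
-- compared with ENAME and is never parsed as SQL.  AUTHID CURRENT_USER
-- makes the procedure run with the caller's privileges, so a flaw elsewhere
-- in the code would gain the caller nothing beyond what they already hold.
CREATE OR REPLACE PROCEDURE emp_count (p_ename IN  VARCHAR2,
                                       p_count OUT NUMBER)
AUTHID CURRENT_USER AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE ename = :ename'
    INTO p_count USING p_ename;
END;
/

-- Where an identifier really must be concatenated (a table name cannot be
-- bound), validate it first.  DBMS_ASSERT ships with 10gR2 and raises an
-- error unless p_table names an object the current user can see.
CREATE OR REPLACE PROCEDURE table_count (p_table IN  VARCHAR2,
                                         p_count OUT NUMBER)
AUTHID CURRENT_USER AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO p_count;
END;
/
```

The two changes address different halves of the problem: bind variables remove the injection, and AUTHID CURRENT_USER limits what an injection would be worth if one slipped through. On releases before 10gR2, where DBMS_ASSERT is not available, the same identifier check can be made by looking the name up in ALL_OBJECTS before concatenating it.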

Some response to Mary Ann's article

I have just been looking at some of the comments on Mary Ann Davidson's news article from last week, titled http://news.com.com/2010-1071-5807074.html?tag=tb - (broken link) When security researchers become the problem. Someone made me aware of a response to the article and told me to go and read it. The comment I was directed to was itself a response to another comment, so let's talk about that one first. It is titled http://news.com.com/5208-1071-0.html?forumID=1&threadID=8306&messageID=58650&start=-185 - (broken link) After fact article about Michael Lynn? and was posted by Walt. I think Walt is not up on current Oracle security events, as he assumed that Mary Ann's article is about Michael Lynn going public about Cisco bugs. I am not certain she is talking about Michael Lynn at all, but all that said, Walt's final comment that it is the vendor's responsibility to offer patches quickly is the key point. The comment I was pointed at is written by Rogue Shoten and is titled http://news.com.com/5208-1071-0.html?forumID=1&threadID=8306&messageID=59434&start=-1 - (broken link) Half the story; it takes an interesting angle on the issue of information disclosure.

Demystifying MS SQL Server & Oracle database server security

I downloaded the Oracle-related presentations from the Black Hat conference. First I want to highlight Cesar Cerrudo's presentation titled "Demystifying MS SQL Server & Oracle Database Server Security". This is an interesting paper that discusses which of the two databases is perceived as secure and which is not. Cesar then takes us through some history of bugs and other relevant information from 2000 to the present day, followed by a summary of the bugs found and what is still outstanding. Cesar then talks about the pros and cons for MS and Oracle and provides some facts. This is quite scathing about Oracle's response to security issues and is probably not something Oracle wants to hear; it is also quite complimentary towards Microsoft's efforts over the same period towards security fixes. Maybe Oracle should be looking at how Microsoft has dealt with its security issues and with researchers. Maybe Oracle can learn from Microsoft?

Black Hat Confab to Spotlight Database Security

I was just made aware of a news article about the Black Hat conference that took place in Las Vegas last week. The article was written by Ryan Naraine and is titled http://www.eweek.com/article2/0,1895,1840962,00.asp - (broken link) Black Hat Confab to Spotlight Database Security. The article gives a good overview of what was about to occur (and has now occurred) at Black Hat. There is a mention of David Litchfield's 0-day exploits talk, expected to be about Oracle, and also a discussion of Alex Kornbrust's talk on breaking Oracle's encryption mechanisms. This is a good primer news article. The presentations from the conference are now available on Black Hat's site. I will be talking about some of them here soon.

Ingrian DataSecure - A network appliance based encryption solution

I came across an interesting encryption solution today that can work with an Oracle database amongst others. The product is https://www.ingrian.com/products/ - (broken link) Ingrian Networks Inc's DataSecure. It is a network appliance that employs redundancy in its components and provides fast hardware-based cryptography. The product has three components, one of which is a software adaptor that allows seamless use with database applications; Oracle is supported. I do not know about costs and I have not seen the product in real life, but it sounds like quite an interesting solution to the legislation issues currently facing us. I have added the product to my Oracle Security Tools page in the commercial section and I have added some description of it there. If you are looking for encryption solutions that provide hardware encryption, component redundancy and FIPS 140-2 level 3 compliance to provide tamper-proof protection of the keys, then this product sounds like it is worth a look.

Security Matters

I read with interest Duncan Mills' blog post the other day titled http://www.groundside.com/blog/content/DuncanMills/2005/07/29/Security_Matters.html?page=comments - (broken link) Security Matters. This post talks about Mary Ann Davidson's news article http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html - (broken link) When security researchers become the problem. Duncan makes some good comments about this article and also talks about some of the comments posted against Mary Ann's article. If you read the article some days ago it is worth revisiting it to read the comments posted since.

Whether you are with Mary Ann or with the hackers (actually, I think in this case we are talking about researchers) on the issue of full disclosure versus non-disclosure, or anything else that was discussed, is moot as far as I can see. The real issue is why it takes 650 to 700 days to fix a security bug and why there is a backlog of fixes for issues that are publicly known. These questions were not answered. She talks about the process of fixing bugs, how much work is involved and why she cannot work to timescales imposed by hackers because of such a complex product and the large number of platforms to support (actually I thought Oracle had a platform interface layer, which I have read about before, so that most of the code is platform independent?), but she does not justify why it takes two years to make fixes.

I am also not convinced by Duncan's suggestion (with his Forms example) that the way to release information about unfixed bugs is to do it silently. The problem with this is that researchers and hackers now resort to Google and other search engines to find security holes that were not initially reported or documented as security holes. Alex did this recently with his Google hacking and Metalink hacking papers.