Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
Why is there a need to do this when the Center For Internet Security has previously done this with the Oracle Security Benchmark? This benchmark, or the first version at least, was closely based on my book "Oracle Security Step-by-Step (Version 2.0)". I was not involved with the CIS Oracle benchmark but I understood from people who were that Oracle people were on the team.
I think I would agree with Mary Ann that there needs to be a standard for securing Oracle that everyone can work to. I also feel Oracle should be involved but not control its contents. As with anything like this it would be fluid and moving due to the nature of security risks and issues being found day to day. But for core issues I agree it could be fixed. I have some great ideas of what should be included.
If NIST want to involve me then please feel free to contact me. If others think we should have an open standard or community effort not organised by NIST then I would be happy to be involved in such a team / effort or even organise the effort here. I have started a thread on my Oracle security forum to discuss creating an open standard for securing Oracle. I have also installed MediaWiki in anticipation that others might like to join in and create a community standard for securing Oracle. If anyone has any thoughts / interest about this then please voice them initially on the thread above.
I started out on 20 September 2004 with some ideas about how I would write for the blog and how often I would post to it. I planned to cover news items, papers, short and long and tools and basically anything Oracle Security related. I also said I would update it every few days. I think I have performed well on both counts. I have been able to post almost every day, I went for about a period of three months at one time without missing a day I believe. I also think I managed 6 or possibly 7 posts in just one day once (I am not going to look now to check but I think it was at least 6). I have posted 560 posts including this one in one year and 4 days. Not bad going.
I have enjoyed writing this blog and keeping it going over the period. I thought when I started that I would not find enough things to write about to post regularly but I underestimated this by far. I have a large backlog of things to write about now (in excess of 30 items) for instance. The thing now is finding the time to add entries. The blog is going to continue into its second year in much the same way. I still plan to write as regularly as before.
What have been the highlights for me? Probably the news stories that broke about the various CPU releases and the problems with them. It was great to be there at the forefront passing the news on. Also the recent disclosures by Alex of unfixed bugs. I think this had to happen sooner or later, whether it was Alex or someone else. There are large numbers of unfixed security bugs listed on various researchers' sites so, as I said, it was bound to happen. I was quite shocked at the level of news interest in that particular story. For me I think the news items have been exciting, and also the recent disclosure of the password algorithm on comp.databases.oracle.server by some guy was interesting and has led to some great free tools coming out.
The one regrettable thing for me was the necessity to turn off comments due to spammers. Also my recent troubles with referral spammers have made running a site more tedious :-( I plan to upgrade the blog software at some time to a product that supports comment throttling and also comment moderation, as I would really like to have comments enabled. When I have time :-)
The stats for my site have gone from strength to strength. I started out last year on about 10,000 visitors per month and 363 per day and about 20,000 page views per month. This has grown to about 2100 visitors per day and about 64,000 visitors per month, and page views growing to around 250,000 per month. I have served up 1.5 million page views and seen 0.5 million visits in the last year. The stats are still growing strongly month on month.
OK, that's it for a brief summary, back to Oracle security!
This means that to ensure that you have harder passwords to crack you need to use digits and special characters or ideally the whole key space for your passwords.
The thread is titled "Toolcrypt's orabf" and the post is at the end.
This is the bug whereby the desname parameter can be used to overwrite any system file. This is a great paper and well worth reading if you have or run Oracle Reports. Dirk has studied the issue in great detail and has proposed a sound solution using mod_rewrite rules.
"Oracle's acquisition of PeopleSoft and Retek for more than $11 billion in recent months, together with the planned purchase of Siebel for $5.88 billion, will transform the company into an enterprise software giant.
But there are signs of danger ahead for the Redwood Shores, Calif. company as reports of a backlog of unfixed software holes and buggy product patches cause some to wonder whether the database software pioneer is headed for a security crisis.
In the last year, Oracle Corp. was muddied by a series of mishaps and missteps that include faulty product patches and withering criticism from independent security researchers, who charge that the company lacks security discipline."
This is an interesting news item that tells us that
"The tools let corporations offer partners and customers access to their internal applications, while keeping them out of files and other information they don't want to share."
"The suite of tools, based on specifications written by the OASIS SAML (define) and the Liberty Alliance Project, has been designed to craft applications that run on Oracle Application Server 10g Release 2, launched earlier this year."
The tools are based on federated identity, where policies define whether users can access data or not. Access to the data is granted via passwords and/or other credentials. These new tools are needed to weave security into the Service Oriented Architectures (SOA) Oracle and its rivals are pushing. The tools are part of the Oracle Fusion Middleware brand.
Alex goes on to state that all Reports products since version 2.0 using "lexical references" are vulnerable. These could be self developed or for instance part of an Oracle application such as E-Business Suite.
Alex states that it is not possible to fix this issue by setting a parameter, but only by fixing every report by adding input validation for all parameters. Oracle has not released a fix for this issue.
This is clearly a very big and serious issue, as there are potentially a large number of vulnerable reports out there.
Alex then describes the problem in detail and includes an example vulnerable report that demonstrates how database usernames can be read using SQL Injection techniques. Alex then repeats that the issue is a big problem if you have a lot of reports using "lexical references" and gives a history of when he reported the bug to Oracle.
Great paper and well worth a read.
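As an added illustration (not from Alex's paper or from Oracle), here is what per-parameter input validation for a lexical reference amounts to: the text a parameter such as &P_ORDER contributes to the report query is rebuilt only from column names the report already knows, and anything else is rejected rather than spliced in. The column allowlist and the sample query are constructed; in a real report the same allowlist check would be written in PL/SQL in the report's parameter trigger rather than in Python.

```python
import re

# Constructed allowlist: the only columns this report is allowed to sort by.
ALLOWED_COLUMNS = {"ename", "hiredate", "sal", "deptno"}

# One sort item: an identifier, optionally followed by ASC or DESC. Nothing else.
_SORT_ITEM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*$", re.IGNORECASE)


def validate_order_by(lexical_value, allowed=ALLOWED_COLUMNS):
    """Return a rebuilt ORDER BY clause for a lexical-reference value.

    Every item must be an allowlisted column with an optional direction;
    operators, comments, quotes, parentheses or unknown names raise ValueError,
    so the raw parameter text never reaches the query."""
    if not lexical_value or not lexical_value.strip():
        raise ValueError("empty sort clause")
    parts = []
    for item in lexical_value.split(","):
        m = _SORT_ITEM.match(item)
        if not m:
            raise ValueError("malformed sort item: %r" % item)
        column = m.group(1).lower()
        direction = (m.group(2) or "ASC").upper()
        if column not in allowed:
            raise ValueError("column not permitted: %r" % column)
        parts.append("%s %s" % (column, direction))
    return "ORDER BY " + ", ".join(parts)


def is_valid_order_by(lexical_value):
    """True if validate_order_by would accept the value (convenience for checks)."""
    try:
        validate_order_by(lexical_value)
        return True
    except ValueError:
        return False


def build_query(lexical_value):
    """Constructed report query: only the validated, rebuilt clause is appended."""
    return "SELECT ename, sal FROM emp " + validate_order_by(lexical_value)
```
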
I have also spent some time yesterday looking at the problem of referrer spammers. I have been getting these people spamming me for a long time now but it’s now picking up to a much bigger issue. They use bots, probably on compromised PCs, that send out requests to sites with forged referrer fields so that they can get either click-through or increase their Google PR. A good paper on it is "Proposal on referrer spam: Background and blacklists". The problem is that I don't publish either blog referrer lists (links) or statistics that include referrer lists. These people seem to use a scatter-gun approach and just spam blogs anyway. I guess this is the case as they are spamming my Web development site which has a blog. There again, they have also been requesting pages from another site of mine that doesn’t have any content yet and also does not have a blog, although I have said on its index page that I will add a blog. Google hacking is probably being used to find sites to spam. They are a real problem. One particular IP has sent 30,000 hits in the last few days. It doesn't increase my visitor numbers much so doesn’t really skew the figures I am interested in, but the hits and the download sizes are getting ridiculous. These people consume a lot of bandwidth. The problem is hard to solve though. I have been working on some solutions yesterday, which I won't discuss the details of here for obvious reasons. Anyway, normal Oracle security service should now resume!
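One way to spot the traffic pattern described above in an Apache combined access log, added here as an example and not one of the solutions the post refers to: real readers arrive with no referrer, a search engine or one of our own pages as referrer, whereas a referrer-spam bot sends a forged third-party referrer on nearly every request. The log lines, the site name www.example.com and the thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" format; the quoted referer field is the one the bots forge.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+ )?(\S+)[^"]*" '
                    r'(\d{3}) \S+ "([^"]*)" "[^"]*"$')


def parse_line(line):
    """Return (client_ip, path, referer_host) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, _status, referer = m.groups()
    host = urlsplit(referer).hostname if referer not in ("", "-") else None
    return ip, path, host


def find_referrer_spam(lines, own_host, trusted_hosts=(), min_hits=5, min_external_share=0.8):
    """Flag client IPs whose requests mostly carry a foreign referrer.

    Referrers naming our own site or a trusted host (search engines) are not
    counted as foreign. Returns {ip: Counter(referer_host -> hits)} for
    flagged IPs; the Counter is the candidate referrer blacklist."""
    hits = Counter()
    foreign = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than guessing
        ip, _path, host = parsed
        hits[ip] += 1
        if host and host != own_host and host not in trusted_hosts:
            foreign[ip][host] += 1
    return {ip: foreign[ip] for ip, n in hits.items()
            if n >= min_hits and sum(foreign[ip].values()) / n >= min_external_share}


# Constructed sample lines (not real traffic); 198.51.100.7 plays the spam bot.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Sep/2005:10:00:01 +0100] "GET /weblog/index.html HTTP/1.1" 200 5120 "http://cheap-pills.example/" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2005:10:00:02 +0100] "GET /tools.htm HTTP/1.1" 200 3072 "http://cheap-pills.example/" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2005:10:00:03 +0100] "GET /papers.htm HTTP/1.1" 200 2048 "http://casino.example/" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2005:10:00:04 +0100] "GET /weblog/index.html HTTP/1.1" 200 5120 "http://cheap-pills.example/" "Mozilla/4.0"',
    '198.51.100.7 - - [20/Sep/2005:10:00:05 +0100] "GET /forum/ HTTP/1.1" 200 1024 "http://casino.example/" "Mozilla/4.0"',
    '203.0.113.5 - - [20/Sep/2005:10:01:00 +0100] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Sep/2005:10:01:10 +0100] "GET /weblog/ HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Sep/2005:10:02:00 +0100] "GET /tools.htm HTTP/1.1" 200 3072 "http://search.example/?q=oracle" "Mozilla/5.0"',
]
```
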
Nice paper by KK Mookhey and Nilesh Burghate - Detection of SQL Injection and Cross-site Scripting Attacks
DUDE can be used to extract data from database instances that cannot be started and that are effectively scrap. It can also be used as a fast method to extract data. I would not recommend this for production though as you are unlikely to be supported. As a crash recovery tool though it is a lifeline to some people.
Kurt has now started a site called ORA-600 to promote DUDE, as jDUL is now known. There is a good introduction to DUDE on the front page of the site that includes a list of all of the features supported. It works with Oracle 8, 8i, 9i and 10g; the dictionary can be recreated; missing SYSTEM tablespaces can be dealt with; most data types are covered; whole tablespaces can be recovered; PL/SQL and most major platforms are supported; chained and migrated rows, trailing NULLs and partitioned tables are supported. Version 2.0 will soon include IOTs, LOBs and RAWs.
If you have a dig around Kurt's site, you will find a nice description of the tool, a history page and also details of the services offered. Miracle AS, Mogens' company, is the preferred reseller to contact if you need to hire this tool.
Kurt has also included a nice paper, the DUDE 2.0 primer, that details how DUDE can be used to extract data from your Oracle database.
It is possible to get a demo version from Kurt: follow the links on his site and use Kurt's security protections. You need to fill in a config file and run DUDE_PROBE.jar against your database, and then it is possible to get a demo that will dump just two tablespaces, DUDE and SYSTEM.
I have updated my Oracle Internals page to add details of Kurt's paper and I have also added an Internals section to my Oracle Security Tools page to include this tool.
That said, some sites do run without archivelog mode enabled, but the big difference is that it's a proper decision and they know the consequences and also know how to get all their data back. This is sometimes a solution in data warehouses.
Also don't forget that there are some tools available that can help open a corrupted database and get some data out of it. Oracle has the Data UnLoader (DUL) tool. This tool is a closely guarded jewel in Oracle's crown, and if you have a crashed database and no other way to get the data out then you can call Oracle in to help with this tool. There are at least a couple of private tools out there that can be used as an alternative, one of which I will tell you about in a post tomorrow.
I have just added a couple of links to my Oracle Internals page about Data UnLoader (DUL), one is a link to the user guide for DUL and another link to a post about its use and some examples.
Nice blog entry though, useful to see how it was done. It's not too difficult to see how any encryption that uses a key generated by Eddie's package might be broken with knowledge of the time frame it was encrypted and the seed value.
Oracle informs customers to install the new version of the patch if it has not been installed already; if it has been installed then it needs to be rolled back and the new version applied.
Congratulations to Mark!
There is also a good discussion going on over on my Oracle Security forum about 0rm's Oracle password cracker.