Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

UKOUG tomorrow

I will be at the UKOUG from tomorrow for all three days. I am looking forward to meeting lots of people that I generally only get to talk to on email or messenger some I have met before and some not. I will be going to the bloggers dinner tomorrow evening. Please come and say hello if you see me there. I will be doing session chairing at five talks and also trying to get along to as many others as I can and also wandering around the main hall booths. The talks I will be chairing are:

Monday Oct 31 - How to use 10g to make £9m in 6 hours by Martin Gill at 16:25
Tuesday 1 Nov - Web Application Security in J2EE by Frank Nimphius at 15:10
Tuesday 1 Nov - Data Guard, at what cost? by Carel-Jan Engel at 16:20
Wednesday 2 Nov - Snatches of Eternity by Niall Litchfield at 10:25
Wednesday 2 Nov - Fast track to using Oracle’s Wait Interface (OWI) for Tuning by Geoff Locke at 14:25

see you there!

Oracle Express - friend or foe?

I saw with great interest the post by Wim titled "oracle express edition" stating that a free version of Oracle has finally become available. Its called Oracle Express and is available from "http://www.oracle.com/technology/software/products/database/xe/index.html" and there is a news item about it on news.com. Basically its a free database that is pre-linked and is quite small 180MB, native installers, free redistributable, some restrictions, can use for production (accounting for the restrictions). It comes with HTMLDB pre-installed. This looks like a fantastic idea and great for small businesses.

Its a cut down 10g R2 and is available for Windows and Linux. Sergio has also talked about it in a post titled "Oracle Database 10g Express Edition Comes With HTML DB Pre-configured". Sergio's post includes some useful links to a tutorial and a getting started guide. Niall's post titled "Expressing ones self" is interesting as it includes some screen shots of it installed and running and also discusses some of the restrictions and also a comparison to the new SQL Server Express product (also free).

Howard in his post "Expressly Cold" is not totally impressed and on the whole and thinks Oracle Express will be a distraction. Also the one thing that filled me with fear is the lines in the comments at the bottom of this post from the getting started guide that says " Ensure that both CONNECT and RESOURCE are enabled.". Finally Steve points out in his post "Free Oracle 10g Express Edition" that JDeveloper 10g is a great resource for Java / J2EE development and free on Oracle Express.

I will download it after UKOUG and have a proper look from a security perspective.

Some news stories about the josh oracle password paper

I found a few news stories this evening about the Josh Oracle password paper. These are:

Oracle security undermined yet again
Oracle Password Protection Is Weak, Experts Say - Weaknesses allow hackers with limited resources to obtain database passwords
Researchers: Oracle Database Passwords Can Be Cracked
Researchers: Oracle Database Passwords Can Be Cracked
No more 'Unbreakable' Oracle
Oracle password security contains "a number of weaknesses"
Oracle password system comes under fire

Josh has released a paper about the Oracle password algorithm

I saw a few days ago that Josh was going to give a presentation about the Oracle password algorithm at the LA SANS conference that is going on this week. A news item by Ken Young titled "SANS reveals Oracle hack" talks about the paper and presentation. The paper is titled "An assessment of the Oracle password hashing algorithm" and it discusses various things about the hashing of usernames and passwords in Oracle. Some of this information has been known for some years by quite a few researchers and Oracle watchers but most likely not by everyone. For example the fact that usernames and passwords are contatenated. I wrote about this a few years ago. Also that the ASCII characters are not case sensitive, again I covered this years ago. The algorithm has been public for 12 years on a newsnet posting by its creator Bob Baldwin and Josh has now enhanced this description to cover the details revealed on comp.databases.oracle.server a couple of months ago and reported here. Josh talks about how the hashes can be found and also some ideas on protecting the passwords.

The new information is Josh's excellent example of using rainbow tables to crack Oracle passwords. This is a technique where huge numbers of passwords are hashed before hand and stored in files as rainbow tables. Josh shows how an 8 character password can be found in just over 4 minutes.

This is a good technique to find longer passwords that could be much harder to crack with brute force crackers such as orabf but there are also considerations to be made with this technique. The rainbow tables take some time to create and they are created for just one database user. So whilst setting it up to crack say SYS or SYSTEM will give access as anyone in the database its not a universal solution to crack any password for any user as you would need to create tables for all users but that would not be necessary if the SYS or SYSTEM hashes are available. That said it makes it more critical to not reveal any password hashes to anyone. If a hash for another user is revealed where no rainbow tables are available then its debatable whether a brute force crack or creation of rainbow tables is faster.

This is a good paper that summarises the issues but the new idea is to use rainbow tables. I have known about this for some time as Josh sent me a copy of the paper for review and a copy of the tables a few months ago on DVD, thanks Josh! Also i am aware of others who are actively creating tables for all the default users and have been doing so for quite a long time.

Flaw hunters pick holes in Oracle patches

I found a good article by Joris Evers tonight on ZD Net about Oracle security. Alex also emailed a link to me so its popular!. The article is titled "Flaw hunters pick holes in Oracle patches". It is a four page article and it explores the latest patch from Oracle. David Litchfield has been analysing the patch and has found some holes in it. He is calling for an overhaul of the Oracle patching process. The news item explores the whole process of Oracles patch mechanism and includes comments on both sides of the arguments. It is a very good paper.

Some fight back on Oracle security bugs - old news article

I came across this old news article a few days ago and made a note to mention it here as I don't think i mentioned it when it came out. The article is by Lisa Vaas on EWeek and is titled "Oracle Users Shrug at Security Woes". It talks about the release of advisories recently that were for unfixed bugs and also gives some user / DBA feedback on the situation. An alternate view!

Exploit circulating for newly patched Oracle bug - It can crash an unpatched database server

I just came across Robert McMillan's news story on Computer World. The article is titled "Exploit circulating for newly patched Oracle bug - It can crash an un-patched database server". It talks about the exploit that is circulating the net that i talked about yesterday here. This exploit can be used to crash a database and as Robert says now provides a big incentive for Oracle customers to patch their databases. The article goes on to mention that the exploit can be used via SQL Injection techniques. The bottom line is patch as soon as you can.

Researcher: Oracle Patch Set Flawed Again

I saw a good news article on EWeek yesterday and made a note of it. The article is by Lisa Vaas and is titled "Researcher: Oracle Patch Set Flawed Again". It talks about David Litchfield’s claims that after reviewing the CPU Oct 2005 patch set that some of the bugs he reported are still exploitable. It is not clear whether he means that the actual bugs are not fixed or that the same general issue is still exploitable elsewhere in the same packages. Or could it be a combination of both scenarios. Lisa says that David is still investigating.

An example of using DBMS_CRYPTO

I posted a few days ago about a short article on Francois Degrelle's blog in my post titled "How to encrypt/decrypt strings with the dbms_obfuscation_toolkit package" and in that post i mentioned that would have been nice to see a 10g DBMS_CRYPTO example. Francois has emailed me to let me know that he has added a DBMS_CRYPTO example to the page "How to encrypt/decrypt strings with the dbms_obfuscation_toolkit / dbms_crypto packages". Thanks Francois for the update.

My site was on the BBC 1 breakfast - well a picture of a link to it was!

I watch the breakfast news most mornings on BBC1 unless Emil gets his way and we watch Balamory or some other program on cbeebies instead. Anyway yesterday morning I insisted to watch breakfast for ten minutes as I had seen an advertisement earlier that they were going to interview Alex Tew. He is the guy famous for starting the million dollar home page where he is selling blocks of 10*10 pixels in an attempt to make 1 million dollars and to cover his student fees. He has been incredibly successful so far. As of now he has sold 466,000 pixels. Anway, I bought two squares a couple of weeks ago for a laugh really to feel part of the hype and placed a little logo that just says "Pete". Anyway as they talked to Alex they cut to a picture of his site, in the top left corner right where my little logo is and I saw it there. So PeteFinnigan.com was visible to a few million people but not my url..:-( OK, its a bit off topic, back to Oracle security.

Easy connect identifier

This was a great short post by Sergio that I saw today. Sergio shows us in his post "Learn Something New Every Day: Easy Connect Identifier" how to connect to a remote database without a tnsnames.ora file where any normal connect string can be used except that in this case you also supply the IP Address and the port number and service name as part of the connect string. An example is:


sqlplus pete/finnigan@//127.0.0.1:1521/dev


The components of the syntax are quite obvious. This is a very simple way to connect to remote databases.

An exploit has been published for database security bug DB27

Today someone has published an exploit for one of the bugs fixed in the CPU Oct 18 2005 security patch released by Oracle. The exploit was published to the Full Disclosure list by some remaining anonymous. The post is titled "[Full-disclosure] Exploit Oracle DB27 - CPU Octobre". It is not good that exploits are now in the public domain as anyone who has not patched is now vulnerable. all customers of Oracle should patch promptly.

Alex has posted an excellent analysis of the CPU Oct 18 database security bugs

Late start this evening with blogs. I have just spoken to Alex on a chat session and he has let me know that he has added a great page to his site where he has analysed all of the database bugs fixed in the CPU October 18 2005 patch set. The page is titled "Details Oracle Critical Patch Update October 2005 - V1.00" and it details each package, the function or procedure name affected, which user or role has been granted permissions on the package and also the type of issues. This could be SQL Injection, buffer overflow or other bug. Alex could not map some of the bugs identified by Oracles DBXX numbers, these are listed at the top although I think these will come!

Women who know Oracle and security

I saw Nialls post this evening "New blog to watch" and went for a look as I am always interested to see any new Oracle blog or site. Niall talked about a new blog hosted by a woman that he had seen mentioned on Dougs blog. The blog is called Nomad8.com and is run by Sandy Mamoli. This is a good well written blog and I will be back to see if anything shows up specifically to Oracle security or internals or undocumented Oracle. This is quite a coincidence as I also found a blog this evening written by Girls, three in fact who are interested in security. I came across their blog "IT Security by girls" when I was searching technorati for anything about the CPU October 18 security patch. I found a link that referenced my site and went for a look. Its titled "Maintenant, y'en a marre" and is in French as the author Emilie and her colleagues are French. A translation can be found here. Anyway it’s nice to see more women writing and working in the Oracle and security worlds.

Some news about the CPU October 18 2005 Oracle security patch set

I was surfing this evening for news of the latest Oracle Critical Patch Update and found a few news items to bring you. The first from John Leyden of The Register is titled "Snort plugs Back Orifice as Oracle issues mega-fix". This report details the 85 bug fixes presented by Oracle and describes the patch as an Uber fix. Secunia describes the patch fixes as moderately critical.

The second news item on ComputerWorld written by Peter Sayer is titled "Oracle patches 88 holes with quarterly security update - The patches affect versions of its database software from 8i onward" and covers much the same ground, except that Peter says there were 88 fixes as opposed to the 85 John quotes. No matter it’s still a big patch.

CPU October 18th a few comments

After reading through the CPU advisory again I can make a couple of comments. The first is that the descriptions for all the bugs except for the database section give nothing away whatsoever. The bugs with package or function / procedure names or privileges allow at least some view to be made on whether to patch or not based on whether you use those features. The rest of the issues have no information to make these judgements at all. The risk matrix indicates the level of risk but without a little more detail as to the components involved its difficult to make judgements. My other main comment is that there seem to be much more fixes this time compared at least to the last CPU, July 2005.

Alex has just passed a couple of comments to me on or chat session. His first comment is that they fixed two CSS bugs in the Workflow component that is also sometimes part of the database install. People should be made aware of this as the bugs are currently not listed on the database matrix.

His second comment was that the critical reports server bugs that are remotely exploitable and listed on Alex's site are still not fixed in this CPU. Alex says he reported these 798 days ago and now the next possible fix release date is Jan 2006 CPU which would mean they would be fixed in 889 days.

The good thing is that the patch seems to have covered a good range of bug fixes.

Security Critical Patch Update October 18 is out

The latest quarterly Critical Patch Update CPU October 18 is finally out. I have kept an eye on Oracles site during the day but it’s taken all day for it to arrive. It seems to get later into the evening (GMT) each time before it’s released for UK customers of Oracle anyway.

The patch advisory titled "Critical Patch Update - October 2005" has a slightly different format than the last ones. The start of the CPU breaks down the products into categories from I to III, the first I covers products that are protected by error correction support of extended maintenance support - this includes the database, application server, E-Business Suite and PeopleSoft and JD Edwards, II covers products bundled with category I products, category III products are de-supported as standalone but are bundled as part of some category I products. This bit I never understand. How can a product be supported and de-supported at the same time. The key point to make I suppose is that if you happen to be stuck with one of these then you might be able to take advantage of limited security bug fixes even though it says that these are only supported if bundled with category I products, or maybe Oracle is clarifying this fact in this CPU?

There are a few new names mentioned in the credits list, two guys from SpiDynamics and also Little eArth Corporation Co in Japan. The usual suspects of Alex, Esteban, Stephen and David are also listed.

The list of bugs includes many packages and function exploits. These could be overflows or SQL Injection, no details are given. The ALTER SESSION is shown as exploitable so this is likely a buffer overflow? There are also a number of internet facing bugs listed. The second list for the Application Server gives almost nothing away at all to allow any customer to guess what the issues that were exploitable were, the same applies with the collaboration suite matrix. E-Business Suite lists a lot of bugs and also there is one in the Enterprise Manager. There are 4 PeopleSoft bugs and 2 JD Edwards ones listed including one PeopleSoft workaround. A total of 84 bugs fixed.

comments and how to re-enable them on this blog

I saw Nicholas Goodman's post last week to his blog titled "BLOGS WITHOUT COMMENTS ARE SUPER LAME!". This is quite interesting as I have been looking into how I can re-enable comments on my blog. I disabled them last December and talked about it in a post titled "Comments have been disabled from my weblog". I use Greymatter and it does not support comment moderation. It does support comment throttling and black list checking and link quantity checking all via mods that can be added. Comment moderation would be the better solution as it allows every comment to be checked and approved to ensure that it is not spam. I looked at upgrading to Movable Type or WordPress sometime ago as these both support comment moderation but decided not to for various reasons. I started to re-look at comment moderation last week and decided that maybe the way to do it is to add the functionality to Greymatter myself. I have been through the Perl code and have a plan of how to do it. I discussed my ideas in a thread in the Greymatter Forums titled Comment moderation mod.

Anyways I will keep you posted on progress and hopefully soon I will re-open comments on this blog.

How to encrypt/decrypt strings with the dbms_obfuscation_toolkit package

I saw last night a nice post on Francois Degrelle's blog titled "How to encrypt/decrypt strings with the dbms_obfuscation_toolkit package" that gives some nice example PL/SQL package that includes two functions, one to encrypt, one to decrypt a varchar2 string. The functions use the DBMS_OBFUSCATION_TOOLKIT DESEncrypt and DESDecrypt procedures. Although this package is now old hat and has been replaced by the better DBMS_CRYPTO in 10g. The example shows the problems of padding to 8 characters although doesn't show how to deal with encrypting different data types. Nice example.

Prevention and detection better than cure

I just came across this article by Madeline Bennett, IT Week published on 13 Oct titled "Prevention and detection better than cure - Oracle's CSO explains why the future of IT security is not in patches, but in secure code"

This is a short question and answer session with Mary Ann Davidson, Oracle's Chief Security Officer. There are some interesting questions and answers from Mary Ann. The questions about "Is secure code the key to security?" and "What is Oracle's attitude towards responsible disclosure of flaws?" are worth reading.

WebGoat an application to learn how to hack!

Joel sent me an email last week about an interesting application called WebGoat from the Open Web Application Security Project. This sounded interesting so I went for a look. Basically web application security testing is hard to learn and practice as few have access to real complete web based business applications that they can hack. The WebGoat project provides a full J2EE web application that is designed to be tested for security bugs. The application includes lessons that allow someone to understand and try out various hacks. It includes a lot of different attack vectors including SQL Injection, Cross Site Scripting, hidden form field manipulation, blind SQL and many many more.

A new paper on SQL Injection

I was told last week that David Litchfield had released two new papers, one of which is about SQL Injection. There are three main types of SQL Injection or rather ways to get the data back to the hacker after he has used a SQL injection attack. The first is in-band where the data is returned to the caller via the same query. An example would be a select statement where the hacker manages to add a union and select also the password hashes from the view DBA_USERS for instance. Then there is out of band where the same channel used to send and receive data via the SQL query being abused is not used. This is where a function such as UTL_HTTP or UTL_TCP can be used to send the data back to the hacker via another channel. The third method is inference where its not possible to get the data back through either the original channel or another alternate one. In this case the hacker can influence the database to give clues as to whether a piece of data is there or not or if it has a certain value or not. This can be as simple as causing the server to hang for 5 seconds if the data is there or no hang if not.

David's paper titled "Data-Mining With SQL Injection and Inference" is an excellent introduction to the subject with some great examples of taking the method further and not relying on the old method of adding time delays to infer a value or not. David also gives a good potted history of SQL Injection in this paper. It is well worth a read.

Some more posts on bugtraq about David Litchfields open letter to Oracle

I had a quick look this evening on bugtraq and found a couple of threads that are related to David Litchfield’s open letter to Oracle post the other day. The first is a post by Gadi, who posts some objections to David’s letter. The link on bugtraq I have chosen to link to here is David’s reply to Gadi where he justifies various points and statements and counters Gadi's points.

The second thread of interest is a reply by Alex who agrees with David and Cesar where he gives three examples of dealing with Oracle's security department. These three points are very interesting and worth reading for insight into his dealings with Oracle and also his opinions on the situation.

Slight correction to the HTMLDB advisories

Alex just talked to me to let me know that the two advisories for HTMLDB, "Plaintext Passwords logged during Installation of Oracle HTMLDB" and "Cross-Site-Scripting Vulnerabilities in Oracle HTMLDB" were actually fixed in the April CPU not the July one as I stated.

Red Database Security has released 6 new Oracle security bug advisories

Today Alex Kornbrust of Red Database Security has today released 6 new security advisories for bugs that have been fixed in previous Critical Patch Updates (CPU) but Oracle did not inform Red Database Security that they had been fixed so no advisory was released at the time. The six are as follows:

"Shutdown TNS Listener via Oracle iSQL*Plus" - Alex details how a connect to iSQL*Plus can be used to construct a TNS connect string that includes a STOP command for the listener.

"Shutdown TNS Listener via Oracle Forms Servlet" - Alex demonstrates basically the same issue except that this time the TNS command is sent from Forms

"Plaintext Password Vulnerabilitiy during Installation of Oracle HTMLDB" - Alex points out that the SYS password used to install HTMLDB is logged to a file in plain text

"Cross-Site-Scripting Vulnerabilities in Oracle HTMLDB" - Alex shows how to send a crafted URL that includes SQL that can be executed in the database.

"Cross-Site-Scripting Vulnerability in Oracle iSQL*Plus" - Alex demonstrates a cross site scripting vulnerability that pops up a windows when an SQL statement is executed.

"Cross-Site-Scripting Vulnerability in Oracle XMLDB" - Alex again demonstrates how XMLDB can be used to pop up a window.

All of these 6 bugs are fixed in CPU July 2005.


David Litchfield writes an open letter to the security community and Oracle customers

I have just seen a post to the BugTraq mailing list at Security Focus written by David Litchfield and replied to by Cesar Cerrudo. The post is titled "Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers". Scroll down and read David’s original post first before you read Cesar's comments. This is eye opening for Oracle customers and very interesting reading. David lists issue after issue that was reported years ago in some cases that are still not fixed correctly. He reports bugs not fixed by actually getting rid of the root problem but taping over the hole so to speak. He also talks about bug’s fixed and similar holes a few lines down from the fix having exactly the same issue.

David is calling for Oracle customers to contact Oracle and demand a better security service and those customers should demand fixes. Cesars comments mirror those of David with some comparisons to Microsoft a few years ago and he also threatens to release a 0day remote exploit.

OUG Scotland

I got back today from presenting a paper called "Many ways to become DBA" at the OUG Scotland event in Glasgow yesterday. I have had a quick look around the OUG and UKOUG sites and have not found the papers online yet. I know that they will be at some point so when I find a link I will post it here. I just saw that Doug has also posted about the event in a post titled "OUG Scotland 2005 Conference". It was nice to meet Doug in person and have a good chat with him, Mogens, Julian, James, Rob Squire (I had a good chat with Rob about temporal databases which seems like a fine idea and Rob is an expert on), Peter Robson and many more people. This was a great event.

Good thread on Oracle brute force password cracking and OUG Scotland

I just wanted to mention a good thread on my Oracle security forum titled "Toolcrypt's orabf" again. I mentioned it a week or so ago. There has been some great testing by Marcel-Jan for timings to crack various construction and length passwords with the brute force modes. Also a good discussion on how it would be easier to crack passwords if the hash is know and also the password policy is known as a custom engine could then determine a smaller keyspace map and find passwords quicker. There are some good ideas here and also this emphasises the need to protect the password hashes at all costs. If they become known then it becomes easier to crack passwords. If the password hashes are not available then the only options available are to use connect scripts for attempting access as a particular user for the hacker. Also its important to ensure that password policies are not made public as knowledge of them could reduce the potential keyspace needed to crack a password.

Also I am speaking tomorrow at the OUG Scotland in Glasgow about Oracle security. If anyone is coming along, please come and say hello. Details can be found on the OUG Scotland site.

A couple of papers by Mladen Gogala

I was looking for something on google groups last night and came across a post by Mladen that included a link to his website. As I did not remember him having a site I went for a look. Mladen's site is Mladens home page and it looks quite new. Mladen is writing a book about Oracle and PHP. I found a couple of links on his page that looked interesting. The first is about Direct I/O which I have skimmed over but it looks quite interesting. The second I was more interested in as its about an undocumented utility oradebug. I am always interested in undocumented Oracle. This is not a bad paper, most of the ground is covered in other papers listed on my undocumented Oracle page but its still a good paper. The paper starts with some discussion of what oradebug is and how it works and what other information is available. Mladen goes on to cover starting orabdebug, attaching to an Oracle process, taking dumps, setting events, suspending and resuming and hang analysis.

I have updated my Undocumented Oracle page to include details of this paper.

The Six Dumbest Ideas in Computer Security

I came across a Marcus Ranum paper recently titled "The Six Dumbest Ideas in Computer Security" and made a note of it. The paper starts with a nice paragraph:

"Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don't fully understand the situation, but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them."

It is definatly worth reading this very interesting and informative paper.


Amis has a good post on debugging client side SQL*Net

Although this is not strictly an Oracle security post I was very interested to read Marco Gralike's excellent post to the Amis blog titled "Small introduction to SQL*Net debugging [client side]". This paper shows a good set of checks that can be used to test why a SQL*Net connection does not work. What has it got to do with security? - well if you want to secure your database understanding at various levels what makes network connections to it tick is worthwhile.