
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

0rm has updated orabf the Oracle password cracker

I just saw that 0rm has updated his excellent Oracle password cracker orabf to version 0.7.4. The cracker has had some new features added. These can be summarised as follows:

  • An option has been added to allow arbitrary character sets to be specified from a file

  • An option has been added to try Oracle passwords, i.e. ASCII letters + digits + #$_

  • The name of the resume file has been changed to avoid leaking the hash when running the cracker

If you use this great cracker then it is worth going and getting the updated version.

US DoD database security technical implementation guide V7, release 1

I reported the other day that the US Department of Defense (DoD) STIG had been released and that a link to it was available. David Aldridge informed us of this fact in my Oracle security forum. The link to this 248 page paper is . I could not download the paper the other day as I was limited to an airport internet club and a German PC that refused to download PDFs, so I did not get a chance to have a proper look at this paper until this evening. I just spent 20 minutes or so browsing through it. This is a substantial piece of work that covers Oracle, SQL Server and DB2 security. The paper includes details specific to Windows, Unix and OS390 for Oracle.

This is well worth a good look by anyone, and it's good to know that the US government uses similar standards to what I have been advocating for some years now. It is also good that they have seen fit to release this document to the public. The Oracle section credits the book "Oracle Security Step By Step guide" that I wrote for SANS and also the CIS benchmark, which is itself based on the SANS book.

Great paper, thanks to the US DoD / DiSA for releasing it and making it available to everyone to use.

Happy 20th birthday Windows

A bit off topic I know, but Oracle does run on Windows and it does need to be secured on there as well. It was 20 years ago on Sunday that Windows 1.0 was released to the world - 20th November 1985. I found a news article talking about it, "ANNIVERSARY: Happy 20th Microsoft Windows Birthday", that includes the original press release and also a screen dump of what it looked like. I think I have a copy in my box of CDs and disks. I certainly have VB 1.0 on 5 and a quarter inch floppies!

A DoD Security Guidelines document for databases

Today David Aldridge has posted on my Oracle security forum in a thread titled "DoD Security Guidelines for Databases" to let us all know that (David's words)

"the DoD/DISA "Security Technical Implementation Guide" (STIG) is available as a pdf download and covers security for Oracle, DB2 and SQL Server.

It's pretty comprehensive and ought to be a reasonable reference for those starting out with database security."

The document is available from

I have not been able to download it myself yet as I am stuck in an internet club at Munich airport waiting for check-in to open for my flight home. If anyone has any useful comments on it I would be glad to hear them in the forum thread above. Thanks again, David, for letting us know.

SANS has released a new top 20 list of vulnerabilities

Today at the Department Of Trade and Industry (DTI) in the UK, SANS announced a new top 20 list of security vulnerabilities in many software products. Oracle database software is included. The SANS Top-20 list is a departure from the previous lists of the last 4 years as it includes only recent issues this time, not a cumulative list. The page linked above lists details of all of the issues. Search in the page for Oracle or click on the database software link. Even this site gets a mention!

Two new speaking events added to my site

I have just added two links to my website on the index page. I will be speaking at the UKOUG DBMS SIG on December 8th and also at the UKOUG UNIX SIG on January 26th 2006. I have added links to both events, if anyone gets a chance to come over then please come and say hello.

A new Oracle security checklist paper from Oracle

I came across a new Oracle security checklist paper from Oracle last week sometime. The paper is titled "Oracle database security checklist" and is a good paper. It covers a good base checklist of issues. I note that the PDF is not available this evening; I guess OTN is having some issues. There is a Google HTML cache version available for now.

I have also added the paper to my Oracle security white papers page in the checklists section.

How many Oracle databases are exposed to the net?

I saw this evening that Ivan had made an interesting post to my Oracle Security Forum titled "How many Oracle databases are exposed to the net?". In this post Ivan talks about David looking at the number of Oracle databases exposed to the Internet. He goes on to talk about some simple research he has done using Google hacking techniques. He also surmises how scary it is that there are indeed numbers of Oracle databases exposed to the net: quite a number do not have listener passwords set, can easily be found by Google hacking and are potential victims of worms or scripts.

The recent example worm code released shows this issue is current. David also talked in his blog about a worm that could use an extproc exploit. In the same thread above I mused about how many Oracle databases are exposed to the net (vulnerable or not) and how that compares to the number of SQL Server databases, the software we all know has been victim to a worm. I for one would be interested to know how the figures or comparisons stack up.

As I have said before here, the arrival of XE (Oracle Express) will inevitably mean that more, many more, Oracle databases will get installed on PCs, laptops and servers that are not destined to be production databases. People like free software and will download it and try it. Dare I compare Oracle to MS Access? Well, in this context, yes. People who do not know the power of Oracle will download it or get it on a magazine CD or from a friend or as part of some product, real or sample. Some people will use it with HTMLDB, or Excel or Word or some other GUI tools to store their contact lists or club members' details or whatever. It will happen.

It is not just the threat of a worm that worries me, it's the complexity of Oracle when it comes to securing it and the problem that will appear of so many databases simply not hardened and also simply made insecure through no fault of the owner. Oracle can be configured, in parameters, RBAC and many other things, in so many ways that it is very easy to make it insecure and hackable. Oracle still has lots of bugs to be fixed, as we have seen recently. Even just recently Alex reported some 270 new security bugs to Oracle.

It is good that Oracle has decided to release upgrades with security bug fixes for XE, but we need more. We need a way to prevent (too strong?) users of, particularly, XE from installing insecure copies of Oracle and also from easily making it insecure. If we assume that the problems will arise mostly from those users who simply insert the CD, install and then use Oracle like MS Access, or use it as part of some application where they do not really understand that they have installed Oracle, then what we need is a secure install option. Come on Oracle, let's have a secured installation option (how about a secure wizard option?) that would:

  • set all parameters that could cause insecurities to safe values

  • force all installed users' passwords to be set - and not to any dictionary word

  • install profiles by default to enforce password complexity

  • close all un-needed ports - if they are needed then open manually - e.g. iSQL*Plus

  • force a listener password to be set - again force complexity and also non-dictionary

  • get rid of 99% of the PUBLIC privileges that are granted by default

  • many more....

I hope that these items listed above give a small taster of what I mean by this. I think because Oracle has so many configuration complexities in terms of parameters and privileges and features we sorely need a secure configuration wizard for Oracle - especially now XE is here - or even a forced secure configuration for those people who do not have any idea of how secure it is (or not). Any thoughts on this let me know on my Oracle security forum, and let Oracle know of course!

Listener password management features

I started a thread on my Oracle security forum yesterday titled "valid listener passwords". In this thread I was asking if anyone knew, or rather could confirm, the valid character set allowed for listener passwords. Of interest and worthy of discussion were the comments I made later in the thread that it is time the listener had some password management features, or at least the equivalent of the failed login attempts parameter available in the database for users implemented in profiles. What do you think? I think it (the listener) should have these features.

A good comparison between Oracle and SQL Server features

Today someone pointed a good link out to me. I have been looking at SQL Server a bit recently to understand some of the security issues and how they compare to Oracle. I was looking for something that compares the features and functions of Oracle to SQL Server. This paper titled "Microsoft SQL Server 2000 for the Oracle Professional" describes the differences and similarities in areas such as definitions of what a database is, the catalogs, security and roles, physical storage, parameters etc. This is a great paper that allows us Oracle bods to see how and where to look in SQL Server for the similar parts and features.

Determining if a patch set has been applied to an Oracle database

A question was asked on my Oracle security forum titled "Critical Patch Update on". In this question the poster wanted to know how it can be possible to correctly determine if a CPU or other patch set has been applied to an Oracle database. Or, conversely, you could ask what patch level an Oracle database is at. Whilst this question was raised against an 8.1.7 database it is relevant for all versions.

There are many ways to find the version of an Oracle database: v$version, dba_registry, the listener banner, OPatch, the inventory XML file, the installer actions log, none of which are particularly accurate. The way to do it reliably is to analyze the patches and determine checksums for new or modified pieces of code shipped by Oracle. This technique is explained in some detail in an excellent paper by David Litchfield titled "Patch verification of Oracle database servers". This is well worth reading if you want to understand how to reliably check Oracle patch levels.

Why oh why cannot Oracle make it easy for us to determine the patch level and version accurately?

Laurent on hidden parameters

I saw Laurent's post this evening titled " hidden parameters" and went for a look as I am always interested in anything undocumented and internal. I do not agree with setting underscore parameters unless Oracle say it's OK to do so, but I do like to know why they are used and what for. Laurent talks about _kgl_large_heap_warning_threshold and __dg_broker_service_names. The second parameter interests me as it can be used to control a broker service for Data Guard.

David Litchfield has started a blog and talks about the worm

I saw that David Litchfield has started a weblog that is simply titled " Weblog". I notice that he has made a good choice of using greymatter software. This is what I use and have been very happy with so far.

I was particularly interested by a post titled "On Oracle worms" that makes an interesting point about the feeling in the community of Oracle users that a worm will not work because the database is usually behind a firewall. Whilst there are nowhere near as many Oracle databases exposed to the net as SQL Server / MSDE for instance, it does not mean that there are no exposed databases out there.

The new Oracle Express should change that viewpoint. I am also interested by David's comments that the extproc flaw would be an ideal vector for a worm, as it could be called remotely and methods exist for replication. Whilst it would be possible to do this from inside the database, a more scripted approach might suit. As David points out, let's hope that his comment does not end up being a self-fulfilling prophecy.

David Litchfield has started a database security portal

David Litchfield emailed me a few days ago to let me know that he has started a database security portal website. The site is called "" and will feature Oracle, DB2, PostgreSQL, MySQL, Informix, SQL Server and others. There are links to books, papers, sites, vulnerabilities etc. It looks like it will be a useful site and worth keeping an eye on.

Oracle's email on Thor Technologies and OctetString

I saw this evening Eddie's post to his blog about the two new security software companies that Oracle have just purchased. I also received the email that Eddie has included in his post, so rather than repeat it here as well I will point you to Eddie's post titled "Oracle Strengthens Security Offerings", which describes in some detail Oracle's reasoning for buying these two companies and also gives a good description of what the two companies' products do.


I saw this evening a couple of posts by Laurent Schneider in his blog about LDAP. This is an interesting area for me as I am keen to learn more about Oracle's solution. In his first post titled "ldap server" Laurent simply lets us know that he has installed his LDAP server on his laptop running SLES9. In his second post titled "ldap day 2" he talks about what he can do with LDAP and what the differences are between LDAP and Oracle Internet Directory. He includes a few good links on OTN and shows us how to start the admin tool. I have not seen many good papers or writings on LDAP with Oracle so I am keen to see more posts from Laurent and his experiments with OID/LDAP.

Oracle buys two security software companies

Oracle Continues on Its Shopping Spree by Michael Liedtke:

"SAN FRANCISCO - Oracle Corp. has snapped up security-software specialists Thor Technologies Inc. and OctetString, continuing an aggressive shopping spree aimed at filling holes in its product lineup."

Oracle have bolstered their line up even further with the purchase of two security software companies: Thor Technologies of New York and OctetString of Schaumburg, Illinois. Both companies focus on Identity Management.

It seems to me that Oracle are going to concentrate on Identity Management and ensuring that only the users who should see data are going to see it. This is a very positive attitude to security from Oracle.

Oracle responds to the password algorithm weakness paper

I saw on Eddie's blog last week a post titled "Oracle Responds to the Password Hashing Algorithm Paper" which replicates an email from Oracle support refuting some of the claims in Josh and Carlos' paper. It starts with a statement that says the paper describes possible attacks when the hacker has the password hash available. This, as I have said previously, is the key to the weaknesses. The second paragraph suggests using industry standard practices for protecting databases. This I feel refers to password choice and also to protecting the hashes from being accessed. The email finally points to a Metalink note (Doc ID 340240.1) which details steps to protect against these types of attack.

Problems with the October CPU discovered

There was a thread on the bugtraq mailing list a few days ago about more troubles with Oracle's security fixing efforts. The latest patch set in the Critical Patch Update sequence, CPU October 2005, has got problems. The post is titled "Oracle October 2005 CPU Problems" and discusses the same issue with CTXSYS.DRILOAD.VALIDATE_STMT that was fixed a number of CPUs ago, failed to be fixed properly and has now failed to be fixed again. The issue is with the patch installer incorrectly calling SYS.DBMS_REGISTRY.SCRIPT. When will this bug finally be fixed for all platforms and versions affected?

Disclosure or advertising?

I saw an interesting news item this evening by Brian Martin titled "Disclosure or advertising?". This article explores whether full disclosure of bugs is advertising or not for the researcher that finds the bug. This is quite controversial and is actually written about Oracle security bug researchers, and is current if you read Oracle's stance on this issue in their document "Security Vulnerability Fixing Policy and Process" in the section "credit for reporting vulnerabilities".

DBMS_ASSERT can be used to protect against SQL Injection

I was aware of this new package called DBMS_ASSERT that Oracle have added to 10g Release 2 to check and sanitize input to PL/SQL packages to prevent SQL Injection or rather make it less likely. This package has also been back ported to previous versions for fixes for CPU October 2005. I noticed this evening that David Litchfield has posted a note titled "Oracle DBMS_ASSERT and the October 2005 CPU" on the bugtraq list about a paper NGS have written documenting this DBMS_ASSERT package. The paper is titled "Securing PL/SQL Applications with DBMS_ASSERT". This is a good paper describing the 6 exported functions in this package with examples of their use and well worth a read.

I also agree with David that this is definitely a move in the right direction for Oracle. At last they seem to be tackling problems at the root. This is good. I don't know the extent of the use of this package yet, but I would hope that eventually every PL/SQL package function and procedure parameter is protected or sanitized by DBMS_ASSERT if that input ends up in an SQL statement, directly or not. In fact I would use it for all parameters at source. I would hope Oracle is working towards this. My next step would also be to use bind variables in every case possible to again eliminate SQL Injection and get rid of all concatenated SQL statements, i.e. SQL that is built by concatenation should be removed and binds used instead in all cases, as any concatenation can potentially be injected.

This is a good paper but contains one small error that does not detract from reading it. The example for QUALIFIED_SQL_NAME should use that function and not SIMPLE_SQL_NAME. No matter though, the intent is obvious.
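To show the two points above in working PL/SQL, here is an added example (mine, not code from the NGS paper or from Oracle): a procedure that builds its statement by concatenation, beside a hardened version that validates the identifier with DBMS_ASSERT and passes the value as a bind. The table APP.CUSTOMERS with a REGION column and the procedure names are assumptions for the illustration.

```sql
-- Added example, not from the page or the NGS paper. Assumes a table
-- APP.CUSTOMERS(REGION VARCHAR2(40), ...) resolvable by the caller.

-- Weak form: table name and filter value are both spliced into the SQL text,
-- so either argument can change the meaning of the statement.
CREATE OR REPLACE PROCEDURE count_rows_unsafe (
    p_table  IN  VARCHAR2,
    p_region IN  VARCHAR2,
    p_count  OUT NUMBER)
AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || p_table ||
        ' WHERE region = ''' || p_region || ''''
    INTO p_count;
END;
/

-- Hardened form: the identifier goes through DBMS_ASSERT and the value is
-- bound, so neither argument is ever parsed as SQL syntax.
CREATE OR REPLACE PROCEDURE count_rows_safe (
    p_table  IN  VARCHAR2,
    p_region IN  VARCHAR2,
    p_count  OUT NUMBER)
AS
    l_table VARCHAR2(200);
BEGIN
    -- SQL_OBJECT_NAME raises ORA-44002 unless p_table is a well-formed name
    -- of an object the caller can resolve; anything else is rejected here.
    l_table := SYS.DBMS_ASSERT.SQL_OBJECT_NAME(p_table);

    -- Identifiers cannot be bound, so the validated name is concatenated;
    -- the data value is passed with USING and is never part of the text.
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM ' || l_table || ' WHERE region = :1'
    INTO p_count
    USING p_region;
END;
/

-- Constructed demonstration calls.
SET SERVEROUTPUT ON
DECLARE
    n NUMBER;
BEGIN
    -- A value containing a quote is just data for the bound version.
    count_rows_safe('APP.CUSTOMERS', 'Cote d''Ivoire', n);
    DBMS_OUTPUT.PUT_LINE('rows for Cote d''Ivoire: ' || n);

    -- A name that does not resolve is refused before any SQL is built.
    BEGIN
        count_rows_safe('NO_SUCH_TABLE', 'EMEA', n);
    EXCEPTION
        WHEN OTHERS THEN
            DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);  -- ORA-44002
    END;
END;
/
```

The same quoted value passed to count_rows_unsafe would break the statement text, which is exactly the behaviour the concatenated form cannot prevent.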

Mary Ann Davidson on how to evaluate software security

I saw an interesting news post on CSO Online yesterday and made a note to mention it here. The post is titled "How to Evaluate Software Security" and is an interview with Mary Ann Davidson, the Chief Security Officer of Oracle. The interviewer asks her whether the focus has been taken off code quality due to the recent increases in identity theft, and then she is asked about her thoughts on vulnerability scanning software. She was then asked how Oracle ensures that the end product is secure. This is interesting as she says that they employ in-house training, coding standards, in-house tools and also use the internal ethical hacking team. She is then asked how an outsider can review Oracle's products for security without access to the source code. She is finally asked for her thoughts on the best standards available to test code security before it is released.

The article is worth reading to get an insight into Mary Ann's thoughts and motives in securing the Oracle products.

Commercial rainbow cracking

Gold at the end of rainbow cracking? by Robert Lemos of SecurityFocus -

"A trio of entrepreneurial hackers hope to do for the business of password cracking what Google did for search and, in the process, may remove the last vestiges of security from many password systems."

Oracle XE will get upgrades with security fixes rather than patches

I saw on Andrew Clarke's blog a post titled "Oracle Express Edition: Security Patching Policy" that refers to Mark Townsend's reply to a thread on the OTN XE forum, which says basically that Oracle will provide new versions of XE with security patches already applied rather than making patches available. I think this is a good decision. First, to make security fixes available, and secondly to make fixes available as a simple upgrade rather than as a patch. This is better as the people who download and use XE will likely include a lot who are not Oracle experts. It will be easier for them to upgrade rather than patch. The thread is titled "Upgrade and Patch Policy" - you need to register to read it. I replied to Mark with these comments:

"Thanks for the good news on security "fixing" rather than patches. I can see that this would be a better solution for people out there who do not have a lot of Oracle skills. It will be far simpler to adopt an upgrade approach. Will the new patched versions be available on the same day as the current CPU releases? Not doing so would make XE versions targets for script based attacks. Researchers or anonymous hackers are tending to release exploits quite often straight after CPU releases.

Also will Oracle adopt a more reactive approach to fixing security bugs with XE as there will likely be more XE installations exposed to the Internet than with say production Enterprise databases?"

Good move!

More than 275 new security bugs found last week in the Oracle 10g database

I saw a news item on EWeek today in an article written by Paul F. Roberts titled "New Security Risks Hit Oracle" that talks about the recent Oracle worm and how it does not use any security bugs but exploits configuration insecurities. The key information in this post is the announcement that last week Alex Kornbrust reported more than 250 SQL Injection bugs in standard packages shipped in the Oracle 10g Release 1 database. A quote from the article says:

"said he passed details to Oracle last week on more than 250 SQL injection vulnerabilities in the company's 10g Release 1 database server. Kornbrust said he found the SQL injection holes in just 6 hours using automated vulnerability scanning tools to analyze about 9,000 software packages and functions that are part of 10g Release 1."

Alex also developed exploit code for some of the bugs that can be used to escalate privileges. He said up to 30% of the bugs can be used to escalate privileges.

Separately, on Alex's "Upcoming Oracle Security Alerts" page he shows that he has reported 25 vulnerabilities in the October 18 2005 Critical Patch Update.

This totals more than 275 new bugs in the Oracle database products, almost exclusively in built-in PL/SQL packages that in most cases have PUBLIC execute privileges.

Many ways to become DBA

I have just added a link to my presentation at the recent OUG Scotland conference in Glasgow on October 4th 2005. The paper is called "Many ways to become DBA". I have also updated my Oracle Security White papers page to include a link to this paper. The paper covers in 45 minutes how to find information, the problems and risks, some example exploits, how to audit for issues and some ideas on securing and audit.

Bruce Schneier blogs about the Oracle password weakness paper

I saw this evening that Bruce Schneier has posted an entry in his blog about the paper Josh released. The post is titled "Oracle's Password Hashing". The interesting part is the comments, especially Roger's comments about the weaknesses.

My feelings on this are twofold. The first is that the real problem is that the hashes are easy to get hold of - this is the weakness. Without them, brute forcing would involve brute forcing the DES keys, which would be orders of magnitude harder. Therefore the hashes need to be secured at all costs. The second issue is that if people set long enough passwords and used the full keyspace then brute forcing, or even building suitable rainbow tables, would take too long. The problem is that people do not set long enough passwords or use enough of the keyspace. Interesting post though.

Oracle Worm Proof-of-concept

Another story that I had bookmarked was the post by Josh Wright on the Internet Storm Center. The post details the methods used by the Oracle voyager worm and also makes a list of suggestions for securing the database against a worm like this. The post is titled "Oracle Worm Proof-of-concept".

Voyager worm targets Oracle databases

I have quite a few links and posts backlogged so I will try and go through a few and catch up. Bill Brenner of has written an article titled "Voyager worm targets Oracle databases" that discusses the recent worm. The article discusses the structure of the worm and also quotes this site and also the Internet Storm Center.

A movie about Oracle homeland security solutions

I saw an interesting news story this evening titled "Interactive Mystery - Oracle Presents 'Who Caught John Blade?'" that describes an interactive movie that covers security and Oracle in tandem:

"The true power of this story is seeing how integrated information prevents a major crime from taking place. Information technology has never been so intriguing!"

The movie is available from ""

This sounds intriguing.

Oracle alerts customers to the so called voyager worm

I saw an email from Oracle support about the recent voyager Oracle worm. The mail suggests that the worm is incomplete in its current form and also poses no immediate threat to Oracle customers. It also suggests that the worm only poses a threat to customers who have configured their Oracle database insecurely.

The email is repeated in a post by Alex in my Oracle security forum titled "Oracle Voyager Worm".

Why Protect Fort Knox Borders But Ignore The Gold?

"Why Protect Fort Knox Borders But Ignore The Gold?": Charles Babcock - Information week:

"Providing emphasis to the increasing need for database-security capabilities, Embarcadero Technologies Inc., a maker of database development and management tools, has begun selling database-monitoring software from its $6.2 million acquisition last week of SHC Ambeo Acquisition Corp., a privately held maker of database-security software."

Oracle has released a new security vulnerability fixing policy and process

Yesterday Oracle released a new document, "Security Vulnerability Fixing Policy and Process". This is significant as it sets out Oracle's stall on the process that they will use to fix security bugs and release patches. Read this document, it is enlightening. The document covers the critical patch updates, cumulative patches versus one-off patches, and the order of fixing security bugs - there is an example of product and patch release cycles with a diagram. The paper goes on to talk about critical patch update documentation and finally about the process for crediting researchers who find the security bugs. This is where Oracle is clear. If a researcher works with Oracle, does not publish the vulnerability before the fix is available and does not publish exact details of the bugs or exploits or proofs of concept, then they will be credited. The paper goes on to justify the reasons for this new stance. Also, employees or contractors will not be credited. This paper is worth reading for anyone who wants to understand Oracle's thoughts on fixing security bugs.

Mary Ann speaks about security strategy

I was passed a link to a blog entry by Jason on the Juxtaposition blog. The entry is titled "More from Oracle's CSO". The writer suggests that Mary Ann in an article titled "Davidson: Lessons of warfare for IT security - To best apply limited resources to maximize defense success, carefully select your turf" is looking too deeply into security techniques and should be taking a higher level position. To be honest after reading Mary Ann's article I am quite impressed. Read it again now. I liked the sentence:

"The network perimeter has disappeared as ubiquitous computing and extranet access have surged. The model of hardened perimeters and wide-open interiors is no longer adequate."

This is what I have been saying for a long time. The old model of securing the network or even hardening the servers and leaving the database wide open is not an option in today’s world. The data is what runs businesses and provides profit and jobs, it has to be protected. Access to the database needs to be controlled and the database itself has to be hardened. Patches for all of the bugs are also needed but we are talking about multi-layer security. It is quite heartening to hear Mary Ann agree with my sentiments.

Oracle Express - will we get security patches? - I truly hope so

I attended Tom Kyte's keynote last night at the UKOUG and, like everyone there, was interested to learn as much as I could about Oracle Express Edition, the new free cut down version of Oracle 10gR2 leaked on blogs last week and officially announced last night by Tom. Tom's speech was excellent, mostly due to showing my web site and blog posting on this subject on the big screen at the beginning along with some other bloggers' sites. Only kidding Tom, the speech was great; a free version of Oracle is the best news.

At the end of Tom's speech I asked a question: "Will we get critical security patches for Oracle XE?". Tom's answer was that "off the record" he is pushing for it but it's not decided internally. In fact he told me to blog about the issue here! I pointed out after Tom's answer that XE is likely to become very widely deployed on people's desktop PCs, websites and many more. This, with the explosion of broadband usage, effectively means more Oracle databases will be exposed to the world wide web. I pointed out that as the number of Oracle instances grows the likelihood of a Slammer type worm grows. In fact I talked here yesterday about someone releasing concept code for an Oracle worm on the full disclosure list. Whilst this worm did not do much, a real one could follow, brought on by wide deployment.

In security terms the attack surface will increase. For people who know, a lack of patches can be worked around by not exposing the database, but most people will download it or get it as part of another application, will not be aware and could expose the software. If critical bugs are found and become publicly known, everyone who downloads or deploys XE deserves recourse to security patches. Ideally XE would be included in the CPU updates and patches made available other than via Metalink.

Please Oracle, give us free access to security patches for XE!!

UKOUG so far

Day 2 of the event and some good talks so far. I have met quite a lot of people who I usually only see via the net on email, chat or reading their posts. So it has been nice to put faces to names. I also went to the Oracle bloggers' dinner last night, which was well attended. Mark has a good post on this and some pictures. I will talk about some of the details of some of the presentations later; I need to go and introduce Frank's talk in a few minutes.

Oracle worm in the wild

Today Alex has made a post to my forum titled "Oracle voyager worm". This mentions a post to the full disclosure list titled "trick or treat Larry" that details PL/SQL code for an Oracle worm. Alex has also analysed the worm on his site in a document titled "Analysis Oracle voyager worm". This paper describes what the worm does. Basically this worm uses UTL_TCP to send a command to the listener, potentially on each IP address in the same net range as the IP the database is on. If it finds a database it creates a private database link and then tries to connect on that link using default users and passwords. It then creates a table called 'X' in the remote database. The code looks incomplete as the worm does not replicate itself. This could be changed. The poster is anonymous. This is a worrying new event for anyone running insecure databases. Take simple precautions: revoke the execute privileges on UTL_TCP, change all default passwords, do not use 1521 for the listener, and disable local authentication on the 10g listener and instead use a strong password. Alex has detailed some of these and more on his site.
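As an added audit script (mine, not from Alex's analysis or from the worm code) to check an instance for the conditions the precautions above address: who can execute UTL_TCP, which well-known accounts are still open, what database links exist and whether the worm's 'X' table footprint is present. The account list is illustrative rather than complete, and the listener settings at the end are comments because they live in listener.ora rather than in the database.

```sql
-- Added audit script, constructed for this post; run as a DBA on a 10g
-- instance. It reports the conditions the voyager worm relies on.

-- 1. Execute on UTL_TCP: the worm's listener scan needs this grant, and
--    Oracle ships it to PUBLIC. Any row with grantee PUBLIC is a finding.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'UTL_TCP'
 ORDER BY grantee;

-- Remediation (as the post recommends); grant back to named users only.
-- REVOKE EXECUTE ON SYS.UTL_TCP FROM PUBLIC;

-- 2. Accounts the worm tries with default passwords. This list is an
--    illustrative sample, not the full set of Oracle default accounts;
--    10g has no catalog view of default passwords, so an OPEN status here
--    means "go and check the password", not "password is default".
SELECT username, account_status, created, lock_date
  FROM dba_users
 WHERE username IN ('SCOTT', 'DBSNMP', 'OUTLN', 'MDSYS', 'ORDSYS',
                    'CTXSYS', 'WMSYS', 'XDB', 'OLAPSYS', 'WKSYS')
   AND account_status = 'OPEN'
 ORDER BY username;

-- 3. Database links: the worm creates a private link for each database it
--    finds. Review every link, newest first; unexplained private links
--    owned by non-application schemas deserve a closer look.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY created DESC;

-- 4. Footprint: the worm creates a table named X in the remote database.
--    Any table called X outside the schemas you expect is worth explaining.
SELECT owner, object_name, created, last_ddl_time
  FROM dba_objects
 WHERE object_type = 'TABLE'
   AND object_name = 'X'
 ORDER BY created DESC;

-- 5. Listener side (not queryable from SQL): check $ORACLE_HOME/network/admin/
--    listener.ora for a non-default PORT in the ADDRESS entry, for
--    PASSWORDS_<listener_name> being set (via lsnrctl CHANGE_PASSWORD), and on
--    10g for LOCAL_OS_AUTHENTICATION_<listener_name> = OFF so that the
--    password, not local OS identity, controls administrative commands.
```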