
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle forensics paper - part 7 and an Oracle datablock dump tool

I was actually just browsing for one of David's recent forensics papers to mention them in an answer to a question on my Oracle Security forum about how to delete data completely and whether it is actually possible without rebuilding the database. This is sort of the antithesis to Oracle forensics. Oracle forensics is possible because Oracle tends to leave a huge trail of evidence all over the database memory and the files it uses and produces. This is quite useful for finding evidence when no audit trail exists but it is not useful if you actually want to make sure no trace of data is left.

The forum post is titled "Overwriting Data or Wiping?" and is actually a very interesting question. I posted an answer:

"This is a very good question but one I am afraid we probably do not have a quick easy answer for. If you could move the table to its own tablespace you would control the datafile and could then drop it, secure delete and then recreate BUT as you have already said the problem is the data in the existing datafile.

I am sure that you have seen the many papers on Oracle forensics that discuss the issues of data recovery from Oracle data blocks. Oracle has a tendency to not overwrite existing data for some time after it's updated or deleted. This is great for forensics but not if you want rid of the data completely.

The second problem with Oracle is its tendency to replicate data all over the place, shared memory, redo, archivelogs, flashback, actual data files, audit trails....

Maybe; maybe you are coming at the problem from the wrong end. You seem to want to update application authentication but remove old authentication details / data at the same time - presumably because they are either in clear text or very simply encoded/hashed/encrypted.

Why not do your update to the new algorithm/storage but force all users to have new passwords that also must be expired to force change on use. This way any data that could be read from datafiles, memory, redo, archivelog etc is redundant; no longer valid; therefore no use to anyone who can read it?"


Then I went off to look for links to David's forensics papers and found by chance that he has just released a new part 7 in his series on Oracle Forensics. The new paper is called "Oracle forensics part 7 - using the Oracle system change number in forensic examinations". The paper also includes two tools that are demonstrated in the paper. The first is oratime, which maps SCNs to timestamps but from the raw data in the block. David has also released a tool called orablock that allows you to dump data and other details from Oracle data blocks, including deleted data. The key thing for orablock is that, unlike BBED (Oracle's tool), it doesn't allow changes to data. The other key factor is that David also includes the C source code to both utilities. The code and binaries for Windows can be found here.

Thanks David, nice tools and paper, glad I was distracted to have a look for your links to your old papers today!

Permissions required to run my PL/SQL Oracle password cracker

There was a question posted to my Oracle Security forum a week or so ago but I only got round to posting an answer the other day due to travelling a lot recently. The poster had an issue running my Oracle database password cracker that is written in PL/SQL. The issue was easy to solve and was related to privileges of the user in the database being used to run the cracker.

As I want this tool to be used by DBAs and security people alike to get as many database passwords strengthened across the globe, we need to make it as transparent to run as possible. This is why it's written in PL/SQL so that it can simply be run as a script in SQL*Plus, no excuses.

I thought it's worthwhile posting here the minimum privileges necessary to run the cracker. These are simple:


  • CREATE SESSION

  • SELECT ON SYS.USER$



Here is an example session creating a user called CRACKER and granting these privileges and then running the cracker:




SQL> connect sys/oracle1 as sysdba
Connected.
SQL> create user cracker identified by cracker;

User created.

SQL> grant create session to cracker;

Grant succeeded.

SQL> grant select on sys.user$ to cracker;

Grant succeeded.

SQL> connect cracker/cracker
Connected.
SQL> set serveroutput on size 1000000
SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Wed Nov 26 14:00:41 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U "SYS" [ORACLE1 ] DI CR OP
U "SYSTEM" [ORACLE1 ] DI CR OP
U "OUTLN" [OUTLN ] DE CR EL
U "DIP" [DIP ] DE CR EL
U "TSMSYS" [TSMSYS ] PU CR EL
U "ORACLE_OCM" [ORACLE_OCM ] PU CR EL
U "XDB" [CHANGE_ON_INSTALL ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U "DBSNMP" [ORACLE1 ] DI CR OP
U "WMSYS" [WMSYS ] DE CR EL
U "EXFSYS" [EXFSYS ] DE CR EL
U "CTXSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "XS$NULL" [ ] -- -- EL
U "ANONYMOUS" [IMP {anonymous} ] IM CR EL
R "SPATIAL_WFS_ADMIN" [SPATIAL_WFS_ADMIN ] PU CR OP
U "ORDSYS" [ORDSYS ] DE CR EL
U "ORDPLUGINS" [ORDPLUGINS ] DE CR EL
U "SI_INFORMTN_SCHEMA" [SI_INFORMTN_SCHEMA ] DE CR EL
U "MDSYS" [MDSYS ] DE CR EL
U "OLAPSYS" [ ] -- -- EL
U "MDDATA" [MDDATA ] DE CR EL
U "HR" [CHANGE_ON_INSTALL ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [SPATIAL_WFS_ADMIN_US] PU CR EL
R "WFS_USR_ROLE" [WFS_USR_ROLE ] PU CR OP
R "SPATIAL_CSW_ADMIN" [SPATIAL_CSW_ADMIN ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [SPATIAL_CSW_ADMIN_US] PU CR EL
R "CSW_USR_ROLE" [CSW_USR_ROLE ] PU CR OP
U "WKSYS" [CHANGE_ON_INSTALL ] DE CR EL
U "WKPROXY" [CHANGE_ON_INSTALL ] DE CR EL
U "WK_TEST" [WK_TEST ] DE CR EL
U "SYSMAN" [ORACLE1 ] DI CR OP
U "MGMT_VIEW" [ ] -- -- OP
U "FLOWS_FILES" [ ] -- -- EL
U "APEX_PUBLIC_USER" [ ] -- -- EL
U "FLOWS_030000" [ ] -- -- EL
U "OWBSYS" [OWBSYS ] PU CR EL
R "OWB$CLIENT" [S ] BF CR OP
R "OWB_DESIGNCENTER_VI [S ] BF CR OP
U "SCOTT" [TIGER ] DE CR EG
U "AB" [AB ] PU CR OP
U "OE" [CHANGE_ON_INSTALL ] DE CR EL
U "IX" [CHANGE_ON_INSTALL ] DE CR EL
U "SH" [CHANGE_ON_INSTALL ] DE CR EL
U "PM" [CHANGE_ON_INSTALL ] DE CR EL
U "BI" [CHANGE_ON_INSTALL ] DE CR EL
U "PETE" [PETE ] DE CR OP
U "BILL" [BILL ] PU CR OP
U "A" [A ] PU CR OP
U "B" [B ] PU CR OP
U "C" [C ] PU CR OP
U "RES_TEST" [RES_TEST ] PU CR OP
U "XX" [123456 ] DI CR OP
U "ORASCAN" [ORASCAN ] PU CR OP
U "IMPOSS" [IMP {imposs123456789] IM CR OP
U "D" [ ] -- -- OP
U "P1" [P1 ] PU CR OP
U "P2" [P2 ] PU CR OP
U "CRACKER" [CRACKER ] PU CR OP
U "B1" [B1 ] PU CR OP
U "LT_EXP" [LT_EXP ] PU CR OP


INFO: Number of crack attempts = [61791]
INFO: Elapsed time = [4.31 Seconds]
INFO: Cracks per second = [14330]

PL/SQL procedure successfully completed.

SQL>




Note that if you have done any hardening and revoked, for instance, the PUBLIC EXECUTE privilege on DBMS_OBFUSCATION_TOOLKIT, you would also need to grant this execute privilege to your user.

Hope this helps get people fixing weak passwords!
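
The checks a DBA would run around the session above, as an added example that is not part of the original post or of the cracker script: confirm the DBMS_OBFUSCATION_TOOLKIT grant mentioned in the note, list every grantee that can already read SYS.USER$, and remove the CRACKER account afterwards. It uses only the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views and assumes the CRACKER user from the session.

```sql
-- Added example. Run as a DBA in SQL*Plus.
-- CRACKER is the account created in the example session above.

-- 1. If PUBLIC EXECUTE on DBMS_OBFUSCATION_TOOLKIT was revoked during
--    hardening, no PUBLIC row comes back and CRACKER needs its own grant.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_OBFUSCATION_TOOLKIT'
AND    privilege  = 'EXECUTE'
AND    grantee IN ('PUBLIC', 'CRACKER');

-- 2. Every grantee that can read the password hashes in SYS.USER$,
--    either through a direct object grant or through a chain of roles.
--    Each of these accounts can run the same offline check.
WITH direct_readers AS (
  SELECT grantee
  FROM   dba_tab_privs
  WHERE  owner      = 'SYS'
  AND    table_name = 'USER$'
  AND    privilege  = 'SELECT'
)
SELECT grantee FROM direct_readers
UNION
SELECT DISTINCT rp.grantee
FROM   dba_role_privs rp
START  WITH rp.granted_role IN (SELECT grantee FROM direct_readers)
CONNECT BY PRIOR rp.grantee = rp.granted_role;

-- 3. Teardown: the session leaves behind an account whose password is its
--    own name (it appears in the cracker output as "CRACKER" [CRACKER]).
REVOKE SELECT ON sys.user$ FROM cracker;
DROP USER cracker;

-- 4. Confirm the account is gone; this should return no rows.
SELECT username FROM dba_users WHERE username = 'CRACKER';
```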

A new exploit to bypass Oracle Database Vault has been released

I got an email from Jakub Wartak a few days ago but due to travelling last week in Sweden to teach my class "How to perform an Oracle database security audit" I have not had time to look at it until today. Last week was great in Stockholm as I was able to meet Patrik Karlsson - cqure.net and 0rm - Toolcrypt.org - orabf for a good chat and some beers.

Back to Jakub's post. He has made a post on his blog titled "Oracle Database Vault, not so 0-day anymore, privilege escalation using ptrace(2) from UNIX account" that describes a C program - ora_dv_mem_off.c that can be used to bypass Database Vault.

This bug highlights, the author states, the fact that database vault does not protect DBA access where the DBA has operating system accounts.

It is an interesting post with some detailed C code exploiting the use of ptrace() to access data and turn off DV. This post somewhat reminds me of what Tanel Poder did over a year ago with the hack to fix the SYSDBA flag (bit) in the PGA using the _oradbg_pathname parameter to call an external debugger to flip the bits.

Nice post Jakub.

The question of revoking PUBLIC grants

Doug posted an interesting question on the Oracle-l list yesterday titled "object privilege granted to public a sox problem? (and others)". This is an interesting problem and often one that is worth solving to make the database more secure BUT often hard to do. This is my response:


There seems to be some confusion in some of what you report below. The
first is that you say that AppDetective reports 2000 issues of grants
against objects to PUBLIC. In 11g, the number is

SQL> select count(*) from dba_tab_privs
2 where grantee='PUBLIC';

COUNT(*)
----------
27467

SQL>

In 10gR2 it's around 21.5K and in 9iR2 it's around 12K. This would suggest
that AppDetective is picking out a large subset of objects, some key
things like packages that manipulate web content such as OWA_COOKIE and
probably all views with the ALL_% in the name BUT certainly not
reporting all grants to PUBLIC. Most views with ALL_% have some issue
for security. The problem is that you make the mistake that just because
a user/schema has access to objects of the type exposed by a view (one
poster talked about ALL_TABLES) that it's OK for the "real person" who
accesses that user/schema to see what privilege the user/schema has.
It is not always the case that it's OK. Imagine that an application
schema has access to ALL_TABLES, it does by default via PUBLIC, it can
see all the application schema, lots of useful data for instance for
someone who wants to steal; say credit cards, it makes it easier to find
them. The problem in this example is that if the application is
breakable then anyone gaining access also has access to these views. So
it's best to revoke them. The issue is that because these privileges are
granted to PUBLIC it's world-wide across the database. I agree that some
should be revoked (ALL_USERS for instance is a very good example to
prevent enumeration of usernames) from PUBLIC, then if the access is
genuinely required by a user/schema, consider it carefully and grant it
back again to just that user/schema and no more.

The issues with revoking from PUBLIC are that:

1) Any upgrade/patch may break if it relies on access to a particular view
2) The upgrade/patch often puts the PUBLIC privilege back again.
3) Running catproc can also put some PUBLIC privileges back again
4) Finding which users/schemas need access to the ALL_% views is
tedious. If everything is static you can check for invalid objects,
revoke the privilege, check again for invalid objects, grant the
privilege to the users/schemas who own the objects, recompile.
5) The above works for static code, if there is embedded dynamic code
that used the view/package it doesn't work. If there is external code
that uses it; again it doesn't work.

Revoking 2000 public grants is unrealistic BUT it can be done with a lot
of careful work, full understanding of the schemas installed and
application code. I do know customers of mine who have revoked quite a
lot of public privileges. Keeping them revoked is a big job also that
must be automated.

In your second point you talk about "System privilege granted to public"
128 violations BUT the examples are not grants to PUBLIC? also:

SQL> select count(*) from dba_sys_privs
2 where grantee = 'PUBLIC';

COUNT(*)
----------
0

SQL>

There have never been system privileges granted to public by default and
the descriptions reported are not in fact system privileges granted to
PUBLIC. I suspect a bug in the AppDetective descriptions or perhaps your
interpretation in this question?

So in summary, I can see the benefits of revoking key PUBLIC privileges
BUT you must understand the process completely, TEST and also make sure
the changes remain in place.
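
The revoke procedure from point 4 and the "keep them revoked" check, written out for the ALL_USERS view as an added example that is not part of the original mailing-list reply. APP_OWNER and the tables INVALID_BEFORE and REVOKED_PUBLIC_BASELINE are hypothetical names; run it as a DBA on a test copy first, and remember from point 5 that it only finds static dependencies.

```sql
-- Added example. APP_OWNER, INVALID_BEFORE and REVOKED_PUBLIC_BASELINE
-- are hypothetical names used for illustration.

-- 1. Stored objects outside SYS that reference the view, directly or
--    through the PUBLIC synonym. Dynamic SQL and external code are not
--    recorded here.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_name  = 'ALL_USERS'
AND    referenced_owner IN ('SYS', 'PUBLIC')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 2. Record what is already invalid, then revoke.
CREATE TABLE invalid_before AS
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID';

REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 3. Objects broken by the revoke: invalid now, not invalid before.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
MINUS
SELECT owner, object_name, object_type FROM invalid_before;

-- 4. Grant back only to the owners reported in step 3, then recompile.
GRANT SELECT ON sys.all_users TO app_owner;
EXEC DBMS_UTILITY.COMPILE_SCHEMA(schema => 'APP_OWNER', compile_all => FALSE)

-- 5. Baseline of grants that must stay revoked. Schedule the final query
--    after every patch, upgrade or catproc run; any row it returns is a
--    PUBLIC grant that has been put back.
CREATE TABLE revoked_public_baseline
  (owner VARCHAR2(30), table_name VARCHAR2(30), privilege VARCHAR2(40));
INSERT INTO revoked_public_baseline VALUES ('SYS', 'ALL_USERS', 'SELECT');
COMMIT;

SELECT b.owner, b.table_name, b.privilege
FROM   revoked_public_baseline b
JOIN   dba_tab_privs p
ON     p.owner = b.owner
AND    p.table_name = b.table_name
AND    p.privilege = b.privilege
WHERE  p.grantee = 'PUBLIC';
```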

UKOUG Conference is only 4 weeks away

Well the annual UKOUG conference in Birmingham is only around 4 weeks away from now. As usual the UKOUG guys have organised a bigger and better conference than ever. I have three slots myself. I am doing my Oracle Security basics presentation that talks about the key security issues that must be solved first in an Oracle database before anyone can start to dig into more detail. This is based on years of real experience auditing and securing real Oracle databases. My second session is my Oracle security round table session that should be good this year as we have Duncan Harris from Oracle, Slavik Markovich from Sentrigo and Paul Wright from Oracle forensics fame and currently at Markit. This should be a good session as previous years have attracted quite a crowd and also good discussions.

My final session is on the last day and is my two hour Oracle Security masterclass. This is an in-depth look at Oracle security including some live demonstrations. It is a new presentation and I am going to focus on some of the key areas of assessing the security of an Oracle database as well as some real hands on demos of what to do. It should be fun.

The complete agenda and main site for the UKOUG 2008 in Birmingham is available for details of registration, keynotes, round tables, masterclasses and also the full conference agenda. As usual the agenda is a who's who of Oracle and it is always worth attending and I always learn a lot.

Some Oracle Security videos

Wow, it has been a while since my last post. I have been away a lot over the last couple of weeks teaching training classes and also consulting, so it has been busy times. I was in De Meern near Utrecht in Holland this week teaching my class "How to perform an Oracle Security audit" and it was fun and always nice to be back in Holland. I will be in Stockholm the week after next teaching the same class again.

I was searching in Google today for something related to Oracle Security and was looking for a link to quote in a customer's Oracle Database Security Audit and noticed a video search link and a reference to a presentation by Alex. I did a quick search for "Oracle Security" in Google video and found Alex's presentation again and also one called "How to hack and Oracle database" which sounds interesting, I just do not have the time today to watch it. Looks like Google video and other video sources need to be watched as new sources for Oracle Security information.