Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Happy new year!!

Warning:- rare non Oracle security post!

Its been a while since my last post to this blog. I have been taking a couple of weeks rest and of course it was christmas so with my wife and a young child my time was better spent not in front of a laptop and writing about Oracle! - That said I have also had a disaster with my laptop and hence I am now writing my first blog post from a brand new laptop, a sort of christmas present to myself, slightly cheaper because of the sales. I rather stupidly decided to upgrade Windows XP to service pack 2 on my old laptop on Christmas eve and it was all going swimmingly until the install crashed and said it couldnt copy a file. I had shut down everything first, all services, system tray etc and also backed up all of my data. Anyway it crashed and would not be coaxed back into life, in the end i had no option to turn it off and then back on. The disk started to check it self and then hung, it wouldn't start in safe mode and the recovery CD wouldn't let me boot to Windows, it only offered the chance to restore it back to 2.5 years ago. What use is a Windows recovery CD??

Anyway after a bit of fishing, editing via caldera DOS I managed to get it to boot (not safe mode, it still would not come up in safe mode) into Windows where it announced that it was unstable and would I like to uninstall SP2, of course I would!! - so i did and the uninstall instead of restoring the machine to its previous state left it in a mess. All the toshiba hardware was not recognised, all devices were trying to re-install themselves.....

So after a couple of long evenings I managed to get it into a workable state. The screen has been loose for some time, so we decided after all my repair efforts that I should go and buy a new laptop, so that was two days ago. I have spent the last two evenings copying everything across and re-installing all my software, moving email accounts etc (why is it not trivial to move Outlook from one machine to another??)

So I am back in business now, just my old demon email account still to move, then I will secure delete the old laptops harddrive and pass it on..

I want to wish everyone a belated (if that is the spelling) merry christmas and a very happy and successfull new year. Hope to see you all here in 2007.

So back to Oracle security..

Integrigy have released a completely new version of their listener check tool

Integrigy have just released a complete re-write of this tool as version 2.2. This is a great tool now with a lot of new features. The original 3 checks have been enhanced and the complete list of checks includes:-

1) The listener version
2) Whether the listener password is set
3) Whether ADMIN_RESTRICTIONS are set
4) Whether listener logging is on and
5) Whether LOCAL_OS_AUTHENTICATION is on or off.

The tool also includes a set of FNDFS Oracle Applications 11i listener checks. Oracle Applications includes a seperate listener, defaulted on port 1626 in addition to the database listener. This listener is an Oracle 8.0.6 listener.

The tool also includes a SID enumeration tool and also a TNSNAMES.ORA security check. Also if you dig deep and venture to the about page you are rewarded with an extra link that takes you to a page that can be used to generate TNS names entries, 10g connect strings (the new short ones) and JDBC connect strings.

I have updated my Oracle security tools page and you can download the Oracle database listener check tool from Integrigy.

Oracle 11g will have SHA-1 hashed passwords and case sensitive passwords

I was made aware today by someone that the new release of Oracle, currently known as 11g or 11.1 will have case sensitive passwords and also the password algorithm has changed to SHA-1 instead of the old DES based hashing used.

It also seems that passwords hashed on 10gR2 and lower where the database has been upgraded to 11g will retain case insensitive passwords. This hints at the old DES based password algorithm still being available in 11g as well. I cannot confirm this as I am not a beta customer (indeed if I was I couldnt confirm it either!) and I am sure my source isn't either but they found out quite reliably so i am sure its correct.

This is good news that Oracle seem to be taking security very seriously in 11g.

Evading Oracle IDS and audit appliances

I made a note of a post on Steve Kosts blog titled "Evading Oracle IDS and Auditing Solutions" last week to come back and have a look. Steve Kost and Jack Kanter have released a new paper titled "Evading Network-Based Oracle Database Intrusion Detection Systems" that shows how easy it is to evade Oracle IDS solutions and audit solutions especially those that use signature based rules to detect abuse.

This is a great paper that covers SQL*Net fragmentation, encryption, obfuscation techniques and dynamic SQL. This is a paper worth reading.

Hacking and hardening Oracle Express Edition - UKOUG 2006

I have had a break from Oracle, Oracle security and touching computers in general for the last week. We have been on holiday in Cornwall for a week and had a great break and relaxing time so no posts for the last week..:-), laptops and holidays don't mix..

Anyway back to Oracle security:-

Alex Kornbrust came over to the UKOUG in Birmingham in November 2006 to talk about "Oracle security and Hacking and hardening Oracle Express Edition" in particular. This is a great presentation talking about the security issues in the Oracle XE free version. Alex starts by discussing the architecture and the patch policy (what patch policy?) and then goes on to demonstrate how to hack XE and APEX. Great paper, well worth reading.

Oracle XE, where are the security patches?

At the UKOUG in 2005 Tom Kyte announced the arrival of the free Oracle Express Edition and after his talk I asked the first question, "what about security patches". He answered and after some time we did get a first patch. But that was it. Oracle XE is a great idea, a really free version of Oracle, that can be put to good use. BUT its not a good idea to expose it to the internet even via a web based application because of the bugs and the simple fact that there are no security patches available. Why not? - Tom said to me just after his keynote this year, "I didn't see you in there to ask a question?" - I travelled down by train and arrived half way through Tom's presentation and felt it rude to come in half way. Maybe I should have gone into Tom's presentation and asked about XE security patches, it worked last time.:-)

Pete Finnigan's InfoSec 2006 paper How to Secure Oracle in 20 Minutes

I just wanted to post a link to the short talk I did at the InfoSec conference earlier this year (2006) in London. The paper is called "How to Secure Oracle in 20 Minutes" and is quite a nice short paper that makes the point that you cannot secure Oracle in 20 minutes but you can learn that you have a problem in 20 minutes and start to take action. The thing I learned from this is its much easier to hack Oracle than to secure it. Anyone running Oracle should learn this.

SQL Injection, Are Your Web Applications Vulnerable?

SQL Injection, Are Your Web Applications Vulnerable?

"SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack. The objective of this paper is to educate the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, and to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general."

WinSID an Oracle instance discovery tool is available again

Paul Breniuc wrote a nice Windows GUI tool to locate Oracle databases based on the perl script and released it quite some time ago. After a while he removed it from his website and it was not available. I get emails from time to time asking me if I know where it can be got. Tonight whilst surfing I found a site hosting it again. WinSID is available for now, I don't know if the original author will object and ask for it to be taken down but the license says it can be freely redistributed.

This great Oracle instance discovery tool. The tool does not need an Oracle client and is not a wrapper on top of the Oracle client. It can be used to interrogate the Oracle listener to display information about remote (and local) listeners - For instance services, SID, listener statistics on established connections. The link above points to Paul's main page for this tool and it gives some details of the tool and also some graphics of it in use. A great feature is the fact that a working TNSNAMES.ORA connection string is stored in the Windows clipboard. As I said the tool does not use Oracle libraries / OCI etc. It used native network code to send packets to the listener. The free version does not support all listener commands, the Pro version does. The free version does not support TNSPings, Paul was going to release a free ping tool, but this never happened.

I have updated my Oracle Security Tools page to update the new link.

Pete Finnigan's Oracle Security Masterclass UKOUG 2006 available

My UKOUG 2006 Oracle Security Masterclass presentation is available. This is a 2 hour presentation with plenty of demonstrations and examples. The paper covers where to find information, what the issues are with securing data in an Oracle database, how to exploit 9iR2 and 10gR2, google hacking, how researchers analyse CPU's, how to unwrap PL/SQL and much more. This is a lot of informantion to deliver in 2 hours. The presentation was done in the last slot of the conference and I was pleasantly surprised to see a lot of people turn up. I think it went down well, the scores from the evalutions showed this as well and some good comments. I have added a page to my site that has the scripts for the Oracle Security Masterclass on it. Enjoy.

A free PL/SQL fuzzing tool released

A free PL/SQL fuzzing tool written in python has just been released on the Full Disclosure list and bugtraq lists. The post titled "Oracle PL/SQL Fuzzing Tool" describes a python tool released under the GPL that will form part of a bigger Oracle specific vulnerability assessment tool that the author will release. The post includes the python script.

I have not tested it as I dont have python installed on my laptop. I will test it. The tool looks fairly simple and should be easy to extend. Quite obviously it should not be run on a production database as it can cause crashes and potentially change data. You need a database account with at least CREATE SESSION and connect info to use it.

I have added the tool to my "Oracle security tools page"

The Best of Oracle Security 2006 (in German)

I have made a note to post a link to a paper that Alex Kornbrust presented at the DOAG 2006 conference on November 16th. This paper is titled "Best of Oracle Security 2006 (DOAG 2006), german" and unfortunately for us English speakers it is in German. That said even for someone like me who knows very little German quite a lot is still understandable. It is a good paper. I don't know if Alex intends to translate it at some point. If he does I will let everyone here know.

Pete Finnigan's UKOUG presentation on FGA, VPD and audit performance

It has been a while since the UKOUG finished but if you were there and spoke to me you would remember that I had a very bad cold and cough, well the bad news is that I have still got it nearly 5 weeks after getting it. I have taken all manner of cold products, cough mixture, tablets, powders, anti-biotics last week and now codine phosphate. This is the worst cold i have ever had so its laid me up somewhat. I have a big backlog of links and posts I want to make and also quite a few updates and changes to my site. I am also involved in the development of GreyMatter Blog software and participate in the forum that is used for this sites blogs so my ill health has stopped me on my current project to build some comment moderation features into Greymatter, which I would like to get into the next planned release so that i can turn on comments here finally.

Anyway back to the main subject of the post. At the UKOUG in Birmingham I talked about the issues of performance degredation when Audit, VPD and FGA are implemented in a database. This is a common issue and an important one as a lot of sites don't use audit and a lot of people think that these technologies simply kill the database. This is true in some cases but what I wanted to concentrate on was the important task of designing and planning so that you "tune the algorithm" rather than the technology. I have read books in the past by Michael Abrash famous as a games developer in C and assembler and he gives some goood lessons. I remember one chapter or article where he showed a program, did every kind of tuning you could think to it and it went faster but not blindingly so. Then he turned to the algorithm, tuned the algorithm and the increase in performance was astronomic. This is the sense I wanted to cover in my presentation titled "Does VPD, FGA or audit really cause performance issues?"

Tension between security vendors, bug hunters continues to simmer

Tension between security vendors, bug hunters continues to simmer - At issue is recent criticism of Oracle's security practices - by Jaikumar Vijayan

"December 03, 2006 (Computerworld) -- The long-standing tension between software vendors and independent vulnerability researchers who find security holes in vendors' products shows little signs of abating -- despite recent talk about responsible vulnerability disclosure practices.

Last week Oracle Corp. criticized independent vulnerability researchers after it came under fire for its security practices. In a company blog, Eric Maurice, manager for security in Oracle's global technology business unit, said the company would not let external perceptions drive its security policies."

Oracle launches identity governance project

Oracle launches identity governance project - Info-sharing spec to be handed over to standard body someday - Paul F. Roberts

"November 29, 2006 (InfoWorld) -- Oracle on Wednesday announced a new project to tackle one of the thorniest problems facing enterprises: the proliferation of sensitive identity information across enterprise networks.

The Identity Governance Framework is an initiative to develop specifications for sharing identity data across heterogeneous applications. The project has the support of identity and access management (IAM) vendors Ping Identity, Sun Microsystems and Securent, as well as CA and Novell. The framework and will eventually be turned over to a standards-setting body, according to Amit Jasuja, vice president of product development for Oracle's security and identity management products."