Pete Finnigan's Oracle Security Weblog

First of all I would like to wish everyone a belated happy Christmas and a (not belated) very happy and successful new year. Blog entries and writing with a pen have been limited recently as I travelled a lot before christmas not allowing time to write on this blog and then much worse I managed to break my hand falling on ice; suffice to say it will cause me some hassles for some weeks yet whilst it mends (properly!) and typing is painful and writing with a pen hurts.

I wanted to get out a blog entry before the year end as there has been a lot of things happening recently. The UKOUG conference brought a few talks on Oracle security. I mentioned mine in my last post where I posted up the slides on my Oracle Security white papers page. Paul Wright also gave a talk as did Slavik Markovich. Slavik also mentioned his new PL/SQL fuzzer in his talk; Slavik kindly sent me the code a few weeks ago but due to time and now my hand I have not had a chance to play with it yet. Slavik will release it from his blog soon.

There is also a new version of the excellent tool http://www.oxid.it/downloads/ca_setup.exe - (broken link) Cain and Abel from Massimiliano Montoro; as an interesting aside, when Patrik Karlsson and 0rm (orabf) in Stockholm recently they picked me up at my hotel and I noticed that there was a cafe/shop next door called Oxid - the same name as the Cain and Abel URL..:-). The new Cain and Abel version has added an 11g password cracker and also AES and DES TNS hash sniffer and decryptors. The changes are listed on the http://www.oxid.it/ - (broken link) sites main page for version 4.9.25, i guess they won't stay there forever. There are also three papers on the TNS authentication building on Laszlo's work. The links taken from Oxid's topics pages and are:

• http://www.oxid.it/downloads/oracle_tns_3des_check.txt - (broken link) Oracle 9i TNS 3DES authentication details


• http://www.oxid.it/downloads/oracle_tns_aes128_check.txt - (broken link) Oracle 10g TNS AES-128 authentication details


• http://www.oxid.it/downloads/oracle_tns_aes192_check.txt - (broken link) Oracle 11g TNS AES-192 authentication details

There is also a new version of Inguma written by Joxean Koret, this is the Inguma 0.1.0 (R1) release. From the release notes the only change for Oracle (This is a pentesting toolkit that doesnt just target Oracle but indeed targets a whole range of... well... targets...) is a new library called liboracleinternals.py that Joxean tells us just creates Oracle password files. This is interesting as this file doesn't exist in the distro but a file liborainternals.py does exist. I havent tested yet but it seems to be based on the ideas put forward by Paul to write a new password file including a new user added by the attack. Inguma is becoming a big tool and worth watching from the Oracle perspective. As I understood from Slavik, his new fuzzer written in PL/SQL is also based on (loosely I guess) the PL/SQL fuzzer from Joxean.

DannyBoy also sent me a copy of GsAuditor a few weeks ago but due to travel and my hand I have not tested it yet. Dannyboy says that it does around 6 million hashes a second and is not yet multi-core so it should get even quicker.

Alex also recently released a number of presentations recently, “Best of Oracle Security 2008”, A paper from the "Polish Oracle User Group" conference, "DeepSec" in Vienna on reverse engineering applications and a paper from the "iSafe" conference in Dubai.

Finally Paul has an interesting post on Data Leak Prevention. This is an interesting post that simply uses a profile to limit CPU and I/O, whilst this is a good idea this whole area is traditionally fraught with error. The first thing to note is that the initialisation parameter "resource_limit" must be turned on first to allow kernel profile parameters to work. This is awkward as its off by default and confusing as the password paremeters work out of the box without turning this on. Also Pauls statement:

"It is usually the case that DB users do not need to select more than 100 rows in a single statement."

Is simply that; Pauls statement, there is not way we can say that this is true across the board, who knows; I agree with Paul that it sounds logical and common sense but who ever said that vendors or internal projects build logical applications. Also "power users" tend to have access (I dont agree with this sort of access) to production that is often sweeping and all inclusive; This sort of profile would be good to control these people but i think that they should simply be blocked!.

I have worked with a number of clients on profiles that include kernel settings and these have always needed extensive testing in a large number of scenarios often over extended time periods to ensure that no issues arise. BUT, I agree with Paul, a profile limiting CPU and I/O is useful from a security perspective; for me in the cases where a "user" in the database should not exist in my view, but is retained, then profiles provide a good layer in security in depth. As always an interesting idea Paul.

Wow; it has been a while since my last blog post. I do seem to start blog posts in the same way recently but it has been a very busy time for me recently. I was down at UKOUG last week three times to speak in Hall 1 on the subject of Oracle security basics and then to host an Oracle security round table session that i felt went very well. Then finally I was down on the Friday to teach my two hour Oracle Security masterclass.

It was a good conference even though I was not able to spend as much time there as I would have liked. It did meet quite a lot of people though. I always find the UKOUG conference a good event for meeting people.

My two talks where I have posted up the slides are first the "Oracle Security Basics" which is based on the talk I did back in February in London. That talk was slightly longer at one hour, this one 45 minutes. I also updated the slides and added a number of new ones so its not the same paper anymore. The talk is not meant to be absolute basics but is intended to offer the experienced DBA who perhaps does not know security advice on where to look first in terms of securing an Oracle database. The talk went down well i thought, quite a few questions directly afterwards and a number of people came up to me later and discussed it.

The masterclass was held on the Friday as the last session of the day. I didn't count how many people were in the room but it was well attended, the venue people said it was the most popular of the masterclasses so if thats true, its a nice endorsement.

I had originally intended to refresh the masterclass from last year but decided on writing a complete new one; so thats what i did. In the last two years that i have done the masterclass I have taken two approaches; the first year was a brain dump of everything Oracle security that i could fit into two hours; last year I did a two hour brain dump on how to perform a security audit of an Oracle database.

This year I decided to write a new masterclass. This is a new presentation and it focusses on two areas with around 4 detailed examples. These are split into two groups, the first, how easy it is to steal data from a database and the second how easy it is to misslead youself into thinking you have secured the data when it fact you have only secured a small subset of it.

The two new sets of slides are available on my Oracle Security white papers page.