Friday, May 16th
Howard's DORIS script is available again - some security comments from me
I noticed today that Howard's Dizwell-Oracle Reliable Installation Script (DORIS) version 1.0a shell script is available again for download. This is a useful script and great for installing Oracle on Linux without resorting to reading loads of "how-to" sites.
Howard also made some brief notes available in his blog entry titled "Doris redux", including a note that the reader/user of the script can edit it themselves to change the default DBNAME used, lin10 or lin11. I posted some further comments that may be useful to anyone who downloads the script and is particularly interested in security. They are repeated here for completeness:
"I see in your brief notes that the user of the script is advised to change the default database name assigned by the script, i.e. lin10 or lin11. This is important as there are a number of "guesser" tools out there and it won't be long before lin10 and lin11 are added to their dictionaries; they are in mine already.
Also worth pointing out for your readers is the usefulness of changing the software owner name from "oracle" - this would require editing of the doris script of course by the reader. This is important. I do a lot of database security audits for clients and I am seeing an increasing number of attempts to connect to servers by guessing the OS username of "oracle". Default names give attackers a head start, unfortunately.
The same, but to a much lesser extent, applies to the default name "dba". Obviously it cannot be an advantage to guess it, but the script could be improved to allow the segregation of duties afforded by the creation of an OSDBA and OSOPER Unix/Linux group. I have to say I never see any database where this is done. Having the OSOPER group/alias allows the creation of an OS account that can be assigned this group, who can then stop and start the database but is actually only connected as PUBLIC, not SYS. It's easy to fix after the fact also by editing the $ORACLE_HOME/rdbms/lib/config.c or .s (Real Unix) and relinking."
Pete on 05.16.08 @ 07:50 PM GMT [link] [1 Comment]
Thursday, May 15th
License Plate scanners and SQL Injection
I posted a couple of days ago a link to an almost certain hoax of a license plate of a red mini that had been altered to include SQL Injection. This was in a post titled License Plate SQL Injection.
It was interesting to see that Bruce Schneier's Crypto-Gram newsletter also included a reference to the same license plate SQL Injection hoax, and also a link to an article by Bruce titled "City Cops' Plate Scanner is a License to Snoop" which starts:
"New Haven police have a new law enforcement tool: a license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars and links with remote police databases, immediately providing information about the car and owner. Right now the police check if there are any taxes owed on the car, if the car or license plate is stolen, and if the car is unregistered or uninsured. A car that comes up positive is towed."
Interesting!
Pete on 05.15.08 @ 09:02 PM GMT [link] [No Comments]
Wednesday, May 14th
Oracle Application Server 10g ORA_DAV basic authentication bypass
I would recommend anyone who is interested in securing their Oracle database to subscribe to some of the major security lists such as the bugtraq list at securityfocus.com or the full disclosure list. There are plenty more besides these, but these are the major ones.
Why subscribe? Well, it's important for two reasons (BTW, I am not suggesting in any way that you should read every post - well, unless you want to). The first is that these lists get Oracle vulnerabilities listed on a reasonably regular basis. It's worth understanding the sorts of bugs, vulnerabilities and exploits that are out there. The proliferation of lists like these, and also of exploit sites like Milw0rm that can be searched for exploits by vendor and type, means that many other people who want to steal from you also look at these sites and download exploits and other details. In order to secure an Oracle database you have to understand the types of attack that can occur against it. The second reason is more general, in that these lists contain a huge array of all types of exploits and bugs, not just for Oracle. In general you should understand all sorts of different types of attacks against Oracle. If we went back a few years and looked at bugtraq "in general" and took different types of attack against other software, we would be able to find attack types that are now found against Oracle. Keep up to date with security in general and apply that knowledge to securing Oracle.
If you are a DBA then subscribe, surf some posts and learn at a high level what the current issues are. It needn't take a huge amount of time; obviously this depends on what and how much you read.
As an example a couple of days ago Deniz Cevik posted an authentication bypass for Oracle Application server in a post titled "Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability".
A sample request is shown as:
Make a special http request first by visiting "http:/site/pls/portal/%0A" url.
This request adds special session id into cookie. Subsequent connection attempts to "http://site/dav_portal/portal/" will reveal the contents of directory without any authentication.
Pete on 05.14.08 @ 07:42 PM GMT [link] [No Comments]
Tuesday, May 13th
License plate SQL Injection
Wow, it's been a while since I posted; I have been travelling all over the world over the last month or so, teaching my Oracle security class and also speaking at conferences and performing Oracle security audits. It's been a hectic few weeks. Hopefully I can do some blogging again soon.
I came across a post on my Oracle Security forum today, posted by Marcel-Jan in a post titled SQL Injection in license plate scanners; the original source is quoted in the post. This is a cool idea, SQL injection as part of a license plate to fool the license plate reader software. As the original source states, it's likely to be a hoax but the idea is great. It reminds me of the scam of adding SQL Injection strings with a pen to forms that are read in by computer (the governments of the world love to use these). It also reminds me of a bar code SQL Injection attack. Fun anyway.
Pete on 05.13.08 @ 07:38 PM GMT [link] [No Comments]
Thursday, May 1st
Slides from OUG Scotland DBA SIG on Oracle Forensics available
I have posted the slides to my talk from yesterday at the OUG Scotland SIG to my Oracle Security white papers page. They are the first entries in the page. The talk was 45 minutes about Oracle Forensics. This was an interesting discussion and I had some good discussions afterwards with various people on the same subject.
The presentation is based on the one I did for the UKOUG conference last year, but it has had quite a few small edits done to it, so if you have the old version it's certainly worth downloading the new one from yesterday.
Oracle forensics certainly seems to generate a lot of interest and should be a key area very soon as knowledge builds.
On a related subject I finally received my copy of Paul Wright's book about Oracle Forensics a couple of weeks ago. This has taken some time since ordering (some 5 months) to delivery, even though the published date still seems to be early 2007; this is a pity as there is clearly a big interest in this area. I have not read it all yet but have skimmed it. The content looks interesting and I will give some comments here at some point when I have some time to read it cover to cover, not much spare time at the moment..:-(
Pete on 05.01.08 @ 02:23 PM GMT [link] [No Comments]
Conditionally firing triggers
I saw a post on the BAR Solutions blog today titled "Triggers…" that was very interesting, as I have had the same issue in the past for different reasons. The blog post was around an issue where triggers became disabled, or rather were not re-enabled, after an upgrade script that turned them off didn't successfully complete and therefore the triggers didn't get re-enabled.
The author presents a solution based on a semaphore flag that conditionally allows the trigger to fire based on whether the semaphore is set or not.
I posted a comment to the blog which is repeated here:
"Nice post and interesting. I have come across the same issue but from a security angle. I wanted to have triggers that would conditionally fire based on certain circumstances (user, group of users (role), time..). I came up with a similar solution but simpler. I used the “when” clause of the trigger to detect which user/role fired the trigger. In this way it was possible to control when the triggers fired. This meant triggers could always remain enabled but not fire for certain conditions. I did some extensive testing and the performance “loss” due to the when clause was much less than executing checks in the body of the trigger. Running a trace shows that a lot less background work is done in the trigger. The losses I saw were shown at a high level as a 3% impact for executing the when clause compared to 37% for executing the body. I wrote a presentation that is called “does vpd, fga and audit really cause a performance impact” - there is a link on my Oracle security white papers page including some sample code.
Other areas we looked at were the OF clause as well."
I thought it worth a mention here as this is a common issue where for security reasons triggers are used as part of an audit trail but need to fire conditionally based on user, role, time.... These are facilities that are available for other Oracle audit solutions such as FGA but not out of the box for triggers. Nice post though and useful.
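As an added example (not code from the original post, my comment, or the BAR Solutions blog), this is the WHEN and OF pattern described above applied to an audit trigger that stays enabled but does no work for a trusted batch account; the tables, columns and the PAYROLL_BATCH account name are assumed for illustration.

```sql
-- Added example: audit trigger gated by the WHEN clause. Table, column and
-- account names are assumed.
CREATE TABLE salaries (
  empno  NUMBER PRIMARY KEY,
  salary NUMBER
);

CREATE TABLE salary_audit (
  empno      NUMBER,
  old_salary NUMBER,
  new_salary NUMBER,
  changed_by VARCHAR2(128),
  changed_at TIMESTAMP
);

-- OF salary : the trigger is not considered at all for updates to other columns.
-- WHEN (...) : a SQL condition evaluated before the PL/SQL body, so for the
--              excluded account and for no-op updates the body never runs.
--              OLD/NEW are written without a colon here, with a colon in the body.
--              The WHEN clause may use SQL functions such as SYS_CONTEXT but not
--              PL/SQL calls, so a role-based test is normally done by publishing
--              the session's role into an application context at logon (not shown).
--              A time window would be a further AND on SYSDATE / SYSTIMESTAMP.
CREATE OR REPLACE TRIGGER trg_salary_audit
  AFTER UPDATE OF salary ON salaries
  FOR EACH ROW
  WHEN (SYS_CONTEXT('USERENV', 'SESSION_USER') <> 'PAYROLL_BATCH'
        AND OLD.salary <> NEW.salary)
BEGIN
  INSERT INTO salary_audit (empno, old_salary, new_salary, changed_by, changed_at)
  VALUES (:NEW.empno, :OLD.salary, :NEW.salary,
          SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSTIMESTAMP);
END;
/

-- Quick check: a salary change by an interactive user is recorded ...
INSERT INTO salaries (empno, salary) VALUES (1, 1000);
UPDATE salaries SET salary = salary * 1.1 WHERE empno = 1;
SELECT changed_by, old_salary, new_salary FROM salary_audit;
-- ... while the same statement run as PAYROLL_BATCH, or an UPDATE that touches
-- only a column other than salary, leaves salary_audit unchanged and the
-- trigger body is never entered.
```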
Pete on 05.01.08 @ 01:22 PM GMT [link] [No Comments]
Wednesday, April 30th
Lateral SQL Injection and Conferences and security training
I am writing this whilst sat on a train travelling at around 120mph between York and Darlington, this is probably my first blog entry written at speed!
I saw that David had released his paper "Lateral SQL Injection: A new class of vulnerability in Oracle" last week. I saw this paper in February when David kindly let me have a read of it in advance of publication.
I have to say I am with David in terms of his comments released yesterday in a post on his blog. This is a new class of vulnerability and it's certainly not second order SQL Injection, as no data is stored to be executed. I have to say it's close to it in terms of principle, as the attack payload is set up first, but it's different as the session is modified to add the payload as a date format. I am also with David that this is not mostly academic (Eric Maurice in his blog also agrees); there is a real threat, as there are a number of issues:
1) It's a new way to inject via dates and numbers.
2) Just because dynamic code appears not to have an attack vector doesn't mean that it cannot be attacked.
3) Any principle that says a concat or double vertical bar is safe because the data is not passed in as a parameter or read from the database is flawed.
More methods are likely to come to light as time passes. Any concatenated string used as SQL, DDL or PL/SQL is potentially dangerous.
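As an added example (not from this post or from David's paper), here is the shape of PL/SQL that the three points above apply to: the first procedure turns a DATE parameter into SQL text through the calling session's NLS_DATE_FORMAT, so the statement is not fully under the code's control even though no string parameter is involved; the second keeps the value as a bind. The orders table and the procedure names are assumed.

```sql
-- Added example. Table and procedure names are assumed for illustration.
CREATE TABLE orders (
  order_id  NUMBER PRIMARY KEY,
  order_day DATE
);

-- Risky form: p_day is a DATE, so no caller can pass a quote in it, yet
-- '...' || p_day || '...' performs an implicit TO_CHAR using the calling
-- session's NLS_DATE_FORMAT. The text handed to EXECUTE IMMEDIATE therefore
-- depends on an ALTER SESSION setting, not only on this code. NUMBER parameters
-- behave the same way through NLS_NUMERIC_CHARACTERS. Under definer's rights
-- the statement runs with the owner's privileges.
CREATE OR REPLACE PROCEDURE count_orders_on_risky (p_day IN DATE) AS
  l_sql VARCHAR2(4000);
  l_cnt PLS_INTEGER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE order_day = ''' || p_day || '''';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_cnt);
END;
/

-- Hardened form: the DATE travels as a bind variable and is never rendered to
-- SQL text, so the session's NLS settings cannot influence the statement.
CREATE OR REPLACE PROCEDURE count_orders_on (p_day IN DATE) AS
  l_cnt PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE order_day = :d'
    INTO l_cnt USING p_day;
  DBMS_OUTPUT.PUT_LINE('orders: ' || l_cnt);
END;
/

-- Where the value must appear in the statement text (DDL cannot take binds),
-- render it yourself with a fixed mask so the session cannot choose the format,
-- and convert it back with the same explicit mask on the SQL side:
--   'TO_DATE(''' || TO_CHAR(p_day, 'YYYY-MM-DD') || ''', ''YYYY-MM-DD'')'
-- For numbers, TO_CHAR(p_num, 'FM9999999990.00', 'NLS_NUMERIC_CHARACTERS=''.,''')
-- pins the decimal and group characters in the same way.
```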
I am on my way to Edinburgh to speak at the OUG Scotland DBA SIG on the subject of Oracle Forensics. I have some updates to make to the front page of my site in terms of speaking engagements, which I will get to soon, but for now I have agreed to speak in Iceland in September and also at the UKOUG Northern Server Technology day in June and at the management and infrastructure SIG of the UKOUG, also in June.
I am also working with a number of companies to provide public training days for my two day course "How to perform an Oracle database security audit". More details in the next few days, but as a summary there will be an event in London in June, July and also potentially in August or September. I will also deliver the training in Holland, Germany, Sweden and Norway in November and December. I am also delivering the course to a growing number of private companies on their own sites over the next 6 months. As I said, I will put up actual dates and a detailed agenda in the next few days here on the blog and also on the training course page itself.
Pete on 04.30.08 @ 08:26 AM GMT [link] [No Comments]
Friday, April 25th
Slides from OUGN Norway and RISK 2008 Norway available
I was over in Norway this week and the Oracle User Group Norway (OUGN) asked me to speak at an evening user group meeting of theirs. This was a really friendly group and it was a pleasure to speak there. The slides for the two talks I gave are on my Oracle Security white papers page. The individual papers are "Oracle Security Basics" - which, out of interest, is not intended to mean a basic presentation but is about getting the building blocks right in terms of securing an Oracle database - and "Oracle Security Tools".
Then I was asked to speak at the RISK 2008 Conference organised by Mnemonic, one of the key security consultancies in Norway. It was a good conference (mostly in Norwegian) but I enjoyed Marcus Ranum's talk, which was interesting from the point of view that we are on the same wavelength; he was saying some of the same things I say about security and particularly data security. It was nice to have a chat with him after lunch also.
Pete on 04.25.08 @ 05:58 PM GMT [link] [No Comments]
About
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.