
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle Security Audit and Open Ports on a Database Server

As part of a detailed security audit of an Oracle database performed by our company we look at most areas related to two things: the security of the Oracle platform itself, i.e. the Oracle database and its software, and the security of the data held in the Oracle database under review.

There are two main high level threats: the first is that an attacker wants to steal your data, and the second is that he chooses the Oracle database as an easy target from which to catapult himself into the rest of your IT infrastructure.

We start our audits at a theoretical level by asking questions. We gather details of the architecture of the data and database and understand how it fits into the whole organisation, focusing on how data flows and identifying all major processes and jobs that access the database directly. We then interview key people to gather details on aspects of Oracle database security that cannot be tested technically, or where we want to understand the organisation's position on some aspect of data security that we can also test technically, to confirm or deny what the customer tells us. We use PFCLScan, our database security scanner for Oracle; this tool can conduct interviews as well as scan a database for vulnerabilities. We then scan the database and the operating system with PFCLScan to produce a detailed scan and report of the technical database, OS and listener settings. Based on what the scanner finds, a detailed audit then consists of hands-on investigations using many of our PL/SQL based tools to dig further into specific areas of the particular database's security.

All of these techniques and tools are covered in my two day class "How to perform a security audit of an Oracle database", which I teach regularly. The next public class starts on Monday on UK hours over webex and there is still time to register if you would like to attend - see the public training dates page for details.

I will be adding more public Oracle security training dates next week, including a class in Athens, Greece later in the year with Oracle, and I am also planning to run a class here in York again as these have been very successful in the past. The proposed class in York will be three days, combining my two day class "How to perform a security audit of an Oracle database" and my one day class "Securing and locking down Oracle". I will also be adding new online dates via webex.com for all of my Oracle security classes. I will announce towards the end of next week when all of the new training dates are live, along with how to register.

Just over a week ago we released version 1.9 of PFCLScan. This included a lot of changes, new checks, new reports, bug fixes from raised tickets and a new E-Business Suite project template. All licensed customers are now in possession of version 1.9. If anyone is interested in seeing a demo we will be happy to arrange one over webex. Our licenses are very good value, allowing anyone to perform a security audit of an Oracle database.

We are now in the process of finalising the plan for what will be in the next major release of PFCLScan, which will be 2.0, later this year in the autumn.

At this stage (none of this is 100% finalised yet, but it is close) we will include the plugins feature, as we need it to support some of the new features planned. There will be new features (an improved cracker, the ability to customise more elements) and new tools (port scanner, code analyser, log file analysers...). There will be a lot of new checks; the E-Business Suite project will be expanded, and an APEX project, a health check project and possibly some others will be added. We will add new reports and CVE based checks. We will also fix more bugs reported by customers. And much more.

One of the key elements of the design of PFCLScan from the start was its flexibility to run checks in different languages / types such as SQL, PL/SQL, Shell, SFTP, Lua, Internal and much more. The checks can also be (and indeed are, in our shipped policy sets) interlinked to provide power and flexibility. This means that the results of one check can be fed into further checks ad infinitum, and these checks can cross languages / types: the results of a SQL check can feed into an OS type check written in shell script, for instance. Part of this flexibility is the set of tools / engines we provide as part of PFCLScan. One new tool just developed for version 2.0 is a port scanner. We wrote this tool so that external ports on a database server can be scanned (and found) and then assessed, as part of the audit, as to why they are exposed externally. Because we are conducting an audit and can also connect to the server via ssh, we can also see, using the netstat command on the server itself, all listening ports that are shown to be external. Here is an example for my Linux server running Oracle 12.1.0.2:


[root@ol65 ~]# netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:36957 0.0.0.0:* LISTEN 1771/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1726/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2080/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1833/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2160/master
tcp 0 0 :::62554 :::* LISTEN 6273/ora_d000_orcl
tcp 0 0 :::5500 :::* LISTEN 5253/tnslsnr
tcp 0 0 :::59972 :::* LISTEN 1771/rpc.statd
tcp 0 0 :::111 :::* LISTEN 1726/rpcbind
tcp 0 0 :::1521 :::* LISTEN 5253/tnslsnr
tcp 0 0 :::22 :::* LISTEN 2080/sshd
tcp 0 0 ::1:631 :::* LISTEN 1833/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2160/master
[root@ol65 ~]#


As you can see, a local address of 0.0.0.0 means that the port is listened for on all interfaces; 127.0.0.1 means that the port is local to the server only (ports 25 and 631); and the IPv6 syntax ::: means that these are external ports. So ports 22, 111, 1521, 5500, 59972, 36957 and 62554 should be exposed externally. We can run the new port scanner tool (part of PFCLScan) from the command line - all internal tools can be used from the command line, either as part of a complete project scan or individually. Here it is:


C:\oscan\Release>ps -v -d 192.168.1.92 -f 1 -e 65535 -g 100000 -n 100

PS: Release 2.0.4.1314 - Production on Thu Jul 6 18:39:55 2017

Copyright (c) 2017 PeteFinnigan.com Limited. All rights reserved.

[2017 Jul 06 17:39:55] Listen: Starting PS...
[2017 Jul 06 17:39:55] Listen: Initialise Port Scanner
[2017 Jul 06 17:39:55] Listen: Running Port Scanner
22/tcp open
111/tcp open
1521/tcp open
5500/tcp open
36957/tcp open
62554/tcp open
[2017 Jul 06 17:41:11] Listen: Completed Port Scan
[2017 Jul 06 17:41:11] Listen: Closing Down PS

C:\oscan\Release>


As you can see, 6 of the 7 ports were found; the missing one is 59972. The scan took 1 minute and 16 seconds to scan all 65536 ports. A comparison scan of the same database server with nmap shows:


...
Discovered open port 111/tcp on 192.168.1.92
Discovered open port 22/tcp on 192.168.1.92
Discovered open port 36957/tcp on 192.168.1.92
Discovered open port 1521/tcp on 192.168.1.92
Discovered open port 62554/tcp on 192.168.1.92
Discovered open port 5500/tcp on 192.168.1.92
Completed SYN Stealth Scan at 18:45, 36.55s elapsed (65535 total ports)
...


So neither nmap nor our tool ps.exe finds port 59972 listening externally, even though netstat on the server shows it to be listening externally. The nmap scan took 36 seconds, not including its startup, so overall we are not far behind the speed of nmap. We are happy with this new tool as part of PFCLScan, especially as we can correlate the internal netstat results with the ps.exe scan results as part of our database auditor project/policies.
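As an added example (not PFCLScan or ps.exe code), the Python below parses a netstat -plnt listing and a list of ports reported open from outside, both constructed here to mirror the output above, and sorts each port the way the correlation step of the audit needs: confirmed reachable from outside, bound on all interfaces but not seen from outside (59972 here, a candidate for a host firewall rule or a transient rpc.statd port to re-check), open from outside with nothing bound on the host, or loopback only.

```python
import re
from collections import defaultdict

# Constructed inputs mirroring the post's netstat listing and ps.exe scan output.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:36957 0.0.0.0:* LISTEN 1771/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1726/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2080/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1833/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2160/master
tcp 0 0 :::62554 :::* LISTEN 6273/ora_d000_orcl
tcp 0 0 :::5500 :::* LISTEN 5253/tnslsnr
tcp 0 0 :::59972 :::* LISTEN 1771/rpc.statd
tcp 0 0 :::111 :::* LISTEN 1726/rpcbind
tcp 0 0 :::1521 :::* LISTEN 5253/tnslsnr
tcp 0 0 :::22 :::* LISTEN 2080/sshd
tcp 0 0 ::1:631 :::* LISTEN 1833/cupsd
tcp 0 0 ::1:25 :::* LISTEN 2160/master
"""
SCAN_OUTPUT = """\
22/tcp open
111/tcp open
1521/tcp open
5500/tcp open
36957/tcp open
62554/tcp open
"""

LOOPBACK = {"127.0.0.1", "::1"}
SCAN_LINE = re.compile(r"^(\d+)/tcp\s+open")


def parse_netstat(text):
    """Map each LISTEN port to {"external": bool, "programs": set}.

    0.0.0.0 is the IPv4 wildcard and :: the IPv6 wildcard (on a dual-stack
    Linux host the latter normally accepts IPv4 connections too); 127.0.0.1
    and ::1 are loopback only and cannot be reached from another machine.
    """
    ports = defaultdict(lambda: {"external": False, "programs": set()})
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] not in ("tcp", "tcp6") or f[5] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)          # ":::1521" -> ("::", "1521")
        entry = ports[int(port)]
        entry["programs"].add(f[6].split("/", 1)[-1])
        if addr not in LOOPBACK:
            entry["external"] = True
    return dict(ports)


def parse_scan(text):
    """Ports the external scanner reported as open (one 'N/tcp open' per line)."""
    return {int(m.group(1)) for m in map(SCAN_LINE.match, text.splitlines()) if m}


def correlate(netstat_text, scan_text):
    """Compare the host's own view of listening ports with the outside view."""
    listeners = parse_netstat(netstat_text)
    seen = parse_scan(scan_text)
    external = {p for p, e in listeners.items() if e["external"]}
    return {
        "confirmed": external & seen,             # exposed and reachable: justify each one
        "not_reachable": external - seen,         # bound externally but filtered or transient
        "unexpected": seen - set(listeners),      # open from outside, nothing bound on host
        "local_only": set(listeners) - external,  # loopback only
        "programs": {p: sorted(e["programs"]) for p, e in listeners.items()},
    }


if __name__ == "__main__":
    result = correlate(NETSTAT_OUTPUT, SCAN_OUTPUT)
    for key in ("confirmed", "not_reachable", "unexpected", "local_only"):
        for port in sorted(result[key]):
            print(f"{key:14} {port:>5}/tcp  {','.join(result['programs'].get(port, ['?']))}")
```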

If you would like to know more about (or to book) our database audit service, our Oracle security training or PFCLScan please contact us.

Oracle Security Training



Yesterday I made a short video to talk about my two day class "How to Perform a Security Audit of an Oracle Database" and added the video to YouTube. This class is going to be delivered at a few public events this year (so far); the next is in Paris on the 13th and 14th June with EasyTeam.

I am also going to teach this class online for those that cannot or do not want to travel. I will teach two classes on USA time zones, one on New York time and one on Los Angeles time. Each class includes tuition by myself, around 50 demos and lots of practical experience. You will get a download of all the class materials, including PDFs of the slides, all the demo code and over 100 free tools and scripts, including a simple security scanner written in PL/SQL.

If you would like to take part in any of these training classes then please review the public training dates page and register.

O7_DICTIONARY_ACCESSIBILITY and UTL_FILE_DIR in Oracle 12c release 2

I was not in the beta program for Oracle database 12c release 2, but when I was discussing security changes in the new release with some people who were in the beta, they told me that the O7_DICTIONARY_ACCESSIBILITY and utl_file_dir parameters had gone in 12cR2. This is not the case:


Peters-MacBook-Pro:____12_2 pxf$ sqlplus sys/oracle1@//192.168.56.95:1539/orcl.localdomain as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Mon May 22 20:26:25 2017

Copyright (c) 1982, 2012, Oracle. All rights reserved.


Connected to:
Oracle Database 12c Standard Edition Release 12.2.0.1.0 - 64bit Production

SQL> set serveroutput on
SQL> @check_parameter


Then check the setting of O7_DICTIONARY_ACCESSIBILITY:


check_parameter: Release 1.0.2.0.0 - Production on Mon May 22 20:36:23 2017
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

PARAMETER TO CHECK [utl_file_dir]: O7_DICTIONARY_ACCESSIBILITY
CORRECT VALUE [null]: FALSE
OUTPUT METHOD Screen/File [S]:
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:

Investigating parameter => O7_DICTIONARY_ACCESSIBILITY
====================================================================
Name : O7_DICTIONARY_ACCESSIBILITY
Value : FALSE
Type : BOOLEAN
Is Default : DEFAULT VALUE
Is Session modifiable : FALSE
Is System modifiable : FALSE
Is Modified : FALSE
Is Adjusted : FALSE
Description : Version 7 Dictionary Accessibility Support
Update Comment :
-------------------------------------------------------------------------
value is correct

PL/SQL procedure successfully completed.

For updates please visit http://www.petefinnigan.com/tools.htm

SQL>


This script, check_parameter.sql, is available from my website by clicking the link. The parameter is not removed after all in 12c R2 but only deprecated, and the documentation does not state when it will actually be removed. This is one of the key security parameters that has been included in most Oracle security guides for many years. If this parameter is set to TRUE then system privileges that include the word %ANY% also apply to the SYS schema. So SELECT ANY TABLE with this set to TRUE will allow you to read SYS.USER$, for instance. It also controls other privileges with ANY, such as EXECUTE ANY PROCEDURE, which would then allow you to execute SYS owned packages. Of course it defaults to FALSE and should remain FALSE.

The other parameter of interest is utl_file_dir which controls access to directories on the host file system.


check_parameter: Release 1.0.2.0.0 - Production on Tue May 23 16:24:27 2017
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

PARAMETER TO CHECK [utl_file_dir]:
CORRECT VALUE [null]:
OUTPUT METHOD Screen/File [S]:
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY or file (/tmp)]:

Investigating parameter => utl_file_dir
====================================================================
Name : utl_file_dir
Value :
Type : STRING
Is Default : DEFAULT VALUE
Is Session modifiable : FALSE
Is System modifiable : FALSE
Is Modified : FALSE
Is Adjusted : FALSE
Description : utl_file accessible directories list
Update Comment :
-------------------------------------------------------------------------
value is correct

PL/SQL procedure successfully completed.

For updates please visit http://www.petefinnigan.com/tools.htm

SQL>


This parameter has also been in security guides and standards since the SANS Step-by-Step. In the old days we recommended not setting it to *, ., .., \, / or many other things such as system locations, but since the arrival of DIRECTORY objects you should not use utl_file_dir for anything. utl_file_dir is global and affects any user with just CREATE SESSION, so it is dangerous if dangerous locations are specified. The DIRECTORY object alternative is much better, as the controls are at the user level: grants can be made against specific DIRECTORY objects, allowing fine grained control. Again, utl_file_dir is deprecated but the removal version/date is not stated.

utl_file_dir is more relevant to us as users as there is more likely to be an application impact, but O7_DICTIONARY_ACCESSIBILITY should be left set to FALSE no matter what.
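As an added example (not check_parameter.sql or PFCLScan code), the Python below applies the rules from this post to constructed rows shaped like V$PARAMETER and DBA_SYS_PRIVS output: O7_DICTIONARY_ACCESSIBILITY must be FALSE, and when it is not, every holder of a %ANY% system privilege reaches the SYS schema; utl_file_dir should be empty, with wildcard, relative, root, system and ORACLE_HOME entries graded as the worst cases. The comma-separated form of a multi-entry utl_file_dir and the list of system locations are assumptions.

```python
# Constructed sample rows shaped like V$PARAMETER (name -> value) and
# DBA_SYS_PRIVS (grantee, privilege); not real audit output.
PARAMETERS = {
    "O7_DICTIONARY_ACCESSIBILITY": "FALSE",
    "utl_file_dir": "/tmp, *, /u01/app/oracle/product/12.2.0/dbhome_1/dbs",
}
SYS_PRIVS = [
    ("APPUSER", "CREATE SESSION"),
    ("APPUSER", "SELECT ANY TABLE"),
    ("REPORTING", "EXECUTE ANY PROCEDURE"),
    ("DBA", "SELECT ANY DICTIONARY"),
]

# Entries the post calls out: a wildcard or relative/root path opens the whole host.
WILDCARD_OR_ROOT = {"*", ".", "..", "/", "\\"}
# Assumed list of OS locations where UTL_FILE writes could alter the system.
SYSTEM_PREFIXES = ("/etc", "/bin", "/sbin", "/usr", "/lib", "/boot", "/root", "/var/log")


def check_o7(params, sys_privs):
    """O7_DICTIONARY_ACCESSIBILITY must be FALSE.

    When TRUE, every %ANY% system privilege also applies to objects owned by
    SYS (SELECT ANY TABLE reads SYS.USER$, EXECUTE ANY PROCEDURE runs SYS
    packages), so each non-SYS holder of such a privilege becomes a finding.
    """
    value = str(params.get("O7_DICTIONARY_ACCESSIBILITY", "FALSE")).upper()
    if value == "FALSE":
        return []
    findings = [f"O7_DICTIONARY_ACCESSIBILITY is {value}; it must be FALSE"]
    for grantee, priv in sys_privs:
        if grantee != "SYS" and " ANY " in f" {priv} ":
            findings.append(f"{grantee} holds {priv}, which now also reaches the SYS schema")
    return findings


def check_utl_file_dir(params, oracle_home=None):
    """utl_file_dir should be empty: it is global and usable by anyone with
    CREATE SESSION, so every entry is a finding, graded by how bad the location is.
    A multi-entry setting is assumed to appear comma-separated, as V$PARAMETER shows it.
    """
    raw = params.get("utl_file_dir") or ""
    findings = []
    for entry in (e.strip() for e in raw.split(",") if e.strip()):
        if entry in WILDCARD_OR_ROOT:
            findings.append(f"utl_file_dir entry {entry!r} exposes the whole host file system")
        elif oracle_home and entry.startswith(oracle_home.rstrip("/")):
            findings.append(f"utl_file_dir entry {entry!r} is inside ORACLE_HOME")
        elif entry.startswith(SYSTEM_PREFIXES):
            findings.append(f"utl_file_dir entry {entry!r} is a system location")
        else:
            findings.append(f"utl_file_dir entry {entry!r} is set; replace it with a DIRECTORY object")
    return findings


def audit(params, sys_privs, oracle_home=None):
    """Run both checks; an empty list means both parameters are set correctly."""
    return check_o7(params, sys_privs) + check_utl_file_dir(params, oracle_home)


if __name__ == "__main__":
    for finding in audit(PARAMETERS, SYS_PRIVS, "/u01/app/oracle/product/12.2.0/dbhome_1"):
        print(finding)
```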

Good luck!!

Oracle Security 12cR2 and Oracle Security Training Dates

I am going to be teaching my two day class "How to perform a security audit of an Oracle database" in Athens, Greece on the 30th and 31st May 2017. This is advertised on the Oracle University website and you can register there, or contact me and I will put you in touch with the Oracle team on the ground.

I have also just agreed two new dates with Oracle University to teach my one day classes. The first is on the 28th June and is my one day class "Secure and lock down Oracle". This is a great class: we spend a whole day starting with an open default database with two applications, we attack that database and then lock down most aspects of it, and finally we hack it again at the end of the day to show that we have in fact secured the data in it. The second class, to be taught on Oracle's LVC on the 5th July 2017, is my new one day class "An Appreciation of Oracle Security". This class takes some elements from my other 5 days of Oracle security training plus some new material on subjects such as incident response to an attack on an Oracle database and forensic analysis of an Oracle database.

I am also teaching my two day class "How to perform a security audit of an Oracle database" in person in Paris on the 13th and 14th of June 2017.

Finally, I will be teaching "How to perform a security audit of an Oracle database" online via the webex platform on the EST time zone (i.e. New York) on the 26th to 27th June, again on the PST time zone (i.e. Los Angeles), and finally on the London time zone on the 10th to 11th July 2017.

The details for each of these classes are on my public training dates page, along with links to my class outlines. To register, follow the register links or, if in doubt, email me: if the class is with us I will take your booking, and if it is with EasyTeam or Oracle University I will be able to direct you to the right people to book your places.

I have spent some of my spare time (not a lot is available, unfortunately) researching Oracle 12c Release 2 security changes. This research has looked at the big changes announced by Oracle. There is nothing really major, as there was with previous releases, but still quite a lot of security related changes. I have also looked at the little details that I have spotted so far that have changed; interestingly, as I was not in the beta, some information gleaned from those that were seems to have either been incorrect or has changed since. For instance, I was told that O7_DICTIONARY_ACCESSIBILITY was removed in 12.2.0.1, but it's still there and is in fact only deprecated. Some research has followed removed and deprecated items, and some has followed the major change of application root containers and other changes in Multitenant in 12cR2, such as the ability now to formally add metadata links and object links. Some things are the same, of course; OPS$ is still OPS$. Some things are expected, such as more new default users and roles. Interestingly, when we first tried PFCLScan, our database security scanner, against a 12cR2 database it worked with no errors and no changes needed to support 12cR2, but many years of Oracle made me suspect that would be the case: Oracle rarely changes historic interfaces and rarely removes anything critical that would affect applications and tools. We are of course adding new checks to PFCLScan for 12cR2.

In the latest version of PFCLScan we have also just added our first E-Business Suite policy to check some of the security basics of E-Business Suite. We will also add an Oracle APEX security scan policy soon; it's in development.

Our company has also just become an Oracle Gold Partner - we have yet to update the logo on our site to Gold but that will be done soon.

I blogged about old course manuals for our training courses a few weeks ago and these were snapped up straight away and despatched across the world. I now have one extra 2015 printed manual for my one day class "Designing Practical Audit Trails" that was returned to me a week or so ago. It seems the printer who prints our manuals for classes sent it to someone else in 2015 just before our class in York, and the organisation that it was sent to posted it back to me. So this manual is now also available; it is in pristine condition and I will take £30 GBP + postage + VAT (if applicable). If anyone is interested then please email me and we will arrange it - obviously first come, first served.

We are also considering selling the current class materials to people who would like to buy them. They will be a higher price than the old ones we sold recently and the 2015 manual mentioned here. You would get the scripts and tools from the class and the paper manuals, BUT you would not benefit from actually attending the training and listening to the delivery; we realise, though, that some people may want just the manuals. If you are interested, contact me, as we will decide whether it's worth the effort to set this up based on the interest levels.

We have also now just purchased our first real server as we continue to grow. We have relied on various office level machines and RAID storage for many years, but we have just bitten the bullet and bought a real server with multiple CPUs, multiple hot swappable SFF disks, hot swappable PSUs, massive RAM and storage, etc. This will fortify our development and testing regimes for PFCLScan and PFCLObfuscate as soon as we get it live. It took two people to lift it into place..:-)

OK, that wraps it up for this post.

Oracle 12cR2 Security - Listener Port

I downloaded Oracle 12cR2 from Oracle when it became available in March and installed a legacy SE2 database and also a single PDB multitenant database, and started some investigations to discover and look at the new security features added in Oracle 12cR2 and, more importantly, to investigate the subtle changes made to the database that affect Oracle security, as well as the bigger non-security changes added to Oracle 12cR2 that could have a security angle.

I have made a lot of notes and I will make some blog posts around some of the new security features / changes in 12cR2 as time allows. The last few weeks have been extremely busy due to client work, teaching training classes, product development on PFCLScan and also company year end so blogging has taken a back seat for a few weeks.

I wanted to make this first post on Oracle 12cR2 security a simple and short one about the fact that when you install 12cR2 and choose to have a sample database, the installer no longer chose port 1521 for the listener by default; instead, in my case at least, it chose 1539. This is not massively different from 1521, but it was nice to see that Oracle did not choose 1521 as its default. I checked with netstat and nothing else was using 1521 that would have forced it to use 1539 instead. I have not (yet) found any documentation that states that Oracle uses 1539 instead, and a search of Google shows one post from 2016 where someone with 12.1 had Oracle change the port to 1539.

So I decided on Friday evening to try this again: I installed a new Oracle Linux 7.3 VM and then installed an Oracle 12cR2 SE2 database (my company is a Silver partner currently, so we are limited to SE and SE2 at this time). I used the same settings as I did in March and chose the defaults, except for choosing SE2 and non-CDB. Everything ran correctly except that netca failed; I looked at the logs and it claimed that port 1521 was in use. This was not true, and I checked with netstat. So I clicked try again and it succeeded, so the choice of port 1521 / 1539 could be related to the fact that netca failed and not a better security setting. The install in March did not fail in netca and 1539 was also used, as I noted it, but I have now deleted that VM so cannot look further into its install logs.

After the installation completed, the listener was not running:

No Listener running after 12cR2 install


Then I changed the current_listener to LISTENER and started the listener, BUT there were no services; this is to be expected, as auto registration works only on 1521. Here is the listener running but with no services:

No Listener services after start of listener


The listener is up and running, so let's add the local_listener database parameter, then register the services and see what happens:

Add the local_listener


Finally we can now get into the database via the listener:

The listener has services


In summary, it's a good thing that Oracle chose a non-1521 port for my listener; whether it's intended as a new security feature I am not yet certain, as I need to install the database software again: there is no evidence that I can find that this is normal, since the installer said netca failed and then allowed me to try again. Irrespective of this, you should not run your database on 1521, as it's not just a known default but some things work only because of 1521, i.e. alter system register, or connecting to the listener without setting the current_listener, work if the listener is running on port 1521.

As an aside, the default port of 5500 for the database manager website is still used and the XDB service is also still enabled by default in 12cR2!!

Changing the port will not stop any determined person, as a port scanner would find the database listener anyway, but it's a default, and defaults sometimes make it easier for a script kiddie type attacker who doesn't "know"

New Online Oracle Security PUBLIC Training Dates Including USA Time Zones

We have just agreed three new online classes to be taught in June and July. These are for my two day class "How to perform a security audit of an Oracle database". The classes are two day events and will be taught online via the webex platform. For the first time, after having had requests for public classes in the USA many times, Pete Finnigan will teach this two day class on USA time zones so that it is aimed at USA (and Canada and Mexico) attendees. One of the planned two day classes is on the EST time zone from 8am to 4pm New York time and one on the PST time zone from 8am to 4pm Los Angeles time. The final sitting is on the UK/EU time zone from 9am to 5pm.

For details of the classes please see the online Oracle Security class page. A list of all the public training dates is also available.

Please send an email to info@petefinnigan.com to register your place.

PeteFinnigan.com In The Top 60 Oracle Database Blogs

I got a couple of emails over the last couple of weeks from Anuj at FeedSpot to tell me that my blog (this Oracle Security blog) has been listed in the top 60 Oracle Database blogs on the Feedspot website. This means I have been awarded a gold badge to display here on this blog:



According to the list I am currently number 15! Comments are currently still broken in this blog since I upgraded GreyMatter (this blog's engine) to a custom version I am calling version 1.9. The last released version was 1.8.2, and I offered 1.8.3 to the community some years back with a major new feature to allow posts with linked names rather than numbers. I have recently been adding categories and tags to GreyMatter and these will be visible here soon, but I seem to have broken comments in the process...

Please connect with me via social media:

Twitter, Facebook or LinkedIn. I am always happy to accept new connections, and you can reach me for comments there until the blog is fixed.