Archive for October 2007
Joxean Koret released a whitepaper about Oracle Database Vault: Design Failures
29 Oct 2007 by Alexander Kornbrust.
Joxean Koret just released a whitepaper about Design Failures in Oracle Database Vault.
Joxean describes Oracle Database Vault (DBV) in his paper as a "war against DBAs" and explains various ways to bypass DBV on the OS / file system level (e.g. a trojanized OCI library, backups, rootkits, …). Joxean also discusses the ancient problem "Quis custodiet ipsos custodes" ("Who will guard the guardians" or "Who controls the police"). The solution to this problem is always the concept of segregation of duties (3 accounts instead of the one powerful DBA). It's clear that the current version of DBV still has many bugs (many bugs reported by various companies remain unfixed).
I think this whitepaper shows a common misunderstanding of the product DBV itself. DBV was never designed to protect against attacks on the OS/filesystem level (e.g. it's possible to disable DBV on the OS level for applying patches). It's just a framework to build more secure database systems together with other products like TDE, ASO, … and a good architecture (apps, auditing, backup, …).
Posted in Database Vault, Oracle Security, General | No comments »
Checkpwd 2.00 A12 released
23 Oct 2007 by Alexander Kornbrust.
I just uploaded checkpwd 2.00 A12. This first version of checkpwd 2.0 comes with a lot of new features making it the smartest and most convenient Oracle password checker around… (and it’s free).
Two weeks ago Laszlo released his password cracker woraauthbf, which became the fastest password cracker for Oracle (but not the smartest). Woraauthbf works in offline mode only and does not use information from the database.
Checkpwd connects to the database (offline mode is possible too) and uses passwords and potential password candidates found in the database for cracking Oracle passwords. This approach is often more successful than the usual dictionary-based approach (see the password of MGMT_VIEW in the screenshot). Because of this technique checkpwd finds more passwords than woraauthbf, and that is the main goal of a password checking tool. Speed is not everything…
Another interesting but dangerous feature writes the found passwords into a file called foundpw.txt. The content of this file is used the next time, making the password dictionary more and more powerful. This feature is useful for cloned databases, which are common in company environments. Be careful with this file…
Here are some of the new features of checkpwd:
* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the Oracle password on the command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file
* …

Feature-Requests and comments are welcome.
Posted in passwords, checkpwd, Oracle Security | 1 comment »
Running Inguma PL/SQL Fuzzer against 10.2.0.3 with October 2007 CPU
22 Oct 2007 by Alexander Kornbrust.
Today I modified the Inguma PL/SQL Fuzzer a little bit (adding my own enhancements) and ran it against 10.2.0.3 with Oracle Critical Patch Update (CPU) October 2007 applied. After running it for a while (without a database crash) Oracle reported the following error messages in trace files:
-----
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kghuclientasp+118] [PC:0x603D67AE] [ADDR:0x9253768] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+205] [PC:0x8A7911] [ADDR:0x18] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+123] [PC:0x8A78BF] [ADDR:0x18] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_qmuhshget_internal+228] [PC:0x605738A8] [ADDR:0x6474636B] [UNABLE_TO_READ] []
ORA-00600: internal error code, arguments: [kohcpi298], [], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [KGHALO2], [0x0], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [qmsVarrayElemtds:pd or extra tmx], [], [], [], [], [], [], []
oracle.jdbc.driver.OracleSQLException: ORA-00933: SQL command not properly ended
oracle.jdbc.driver.OracleSQLException: ORA-01742: comment not terminated properly
oracle.jdbc.driver.OracleSQLException: ORA-01756: quoted string not properly terminated
-----
Some of the error messages are indications (just indications) of SQL injection and buffer overflows. I will investigate…
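As an added example (not part of the original post and not Inguma code), a small Python triage helper that parses ORA-07445 and ORA-00600 lines like those above out of trace or alert-log text and groups them by crash signature, so that repeated faults in the same function stand out while a fuzzer is running; the sample lines are constructed from the messages quoted above.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in the post above, as they appear in trace files.
SAMPLE_LINES = [
    "ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kghuclientasp+118] [PC:0x603D67AE] [ADDR:0x9253768] [UNABLE_TO_READ] []",
    "ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+205] [PC:0x8A7911] [ADDR:0x18] [UNABLE_TO_READ] []",
    "ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+123] [PC:0x8A78BF] [ADDR:0x18] [UNABLE_TO_READ] []",
    "ORA-00600: internal error code, arguments: [KGHALO2], [0x0], [], [], [], [], [], []",
    "oracle.jdbc.driver.OracleSQLException: ORA-00933: SQL command not properly ended",
]

# ORA-07445 carries the faulting function, its offset, the program counter and the fault address.
CRASH = re.compile(
    r"ORA-07445: exception encountered: core dump \[(?P<signal>[^\]]+)\] "
    r"\[(?P<symbol>[^\]+]+)\+(?P<offset>\d+)\] \[PC:(?P<pc>0x[0-9A-Fa-f]+)\] "
    r"\[ADDR:(?P<addr>0x[0-9A-Fa-f]+)\] \[(?P<access>[^\]]+)\]"
)
# ORA-00600 carries a list of bracketed arguments; the first names the failed internal check.
INTERNAL = re.compile(r"ORA-00600: internal error code, arguments: (?P<args>.*)$")
# Parser errors that typically surface when fuzzed input breaks the SQL syntax.
SYNTAX = re.compile(r"ORA-(?P<num>00933|01742|01756)\b")

def parse_line(line):
    """Classify one log line; returns a dict with a 'kind' key, or None if uninteresting."""
    if m := CRASH.search(line):
        d = m.groupdict()
        d["offset"] = int(d["offset"])
        # A tiny fault address (0x18) points at a NULL-based dereference, a large one
        # (0x9253768) at a wild or corrupted pointer; keep the two classes apart for triage.
        d["near_null"] = int(d["addr"], 16) < 0x1000
        return {"kind": "crash", **d}
    if m := INTERNAL.search(line):
        args = [a for a in re.findall(r"\[([^\]]*)\]", m.group("args")) if a]
        return {"kind": "internal", "check": args[0], "args": args[1:]}
    if m := SYNTAX.search(line):
        return {"kind": "syntax", "code": "ORA-" + m.group("num")}
    return None

def signature_counts(lines):
    """Count distinct signatures so repeated faults in the same function stand out."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        key = {"crash": rec.get("symbol"), "internal": rec.get("check"),
               "syntax": rec.get("code")}[rec["kind"]]
        counts[(rec["kind"], key)] += 1
    return counts
```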
Posted in Inguma, Security, Oracle Security | 1 comment »
Inguma - Free Oracle Penetration Toolkit from Joxean Koret
20 Oct 2007 by Alexander Kornbrust.
Joxean Koret released version 0.05 of his free penetration toolkit called Inguma. This tool also implements an exploit for one of the bugs (LT.FINDRICSET) fixed in the October 2007 CPU.
The name Inguma comes from the Basque god of dreams who kills people while they sleep and who is also the one who makes the nightmares.
Inguma, written in Python, supports different systems (e.g. Oracle, SQL Server, SSH, firewalls). The following features are Oracle specific:
* Added one exploit for the vulnerability in SYS.LT.FINDRICSET (Oracle CPU Oct. 2007).
* Added module "bruteora" to brute force Oracle servers. It will check for every (commonly) possible user or for a specified user.
* Added a tool to crack MD5 hashes using freely available rainbow tables.
* Added module "sidguess" to guess the SID of an Oracle Database instance.
* Added a password cracker for Oracle 11g.
* Enhanced the Oracle PL/SQL Fuzzer. Now, if you redirect the output, only the vulnerabilities found are logged; all the rest of the output is written to stderr.
Here is a screenshot of the tool on my BackTrack 2 system:

Well done Joxean.
Posted in Inguma, software, Oracle Security, General | No comments »
Oracle CPU October 2007 - 14 Bugs reported by RDS (updated)
16 Oct 2007 by Alexander Kornbrust.
I just arrived in Munich. On Wednesday and Thursday I will give an Oracle Hacker Training for Oracle University.
Oracle just released the Oracle Critical Patch Update for October with fixes for 51 vulnerabilities in various products. The CPU for the database contains 27 fixes.
14 of them were reported by Red-Database-Security. The vulnerabilities were reported by the usual suspects (David, Esteban, Joxean, Johannes Greil and me).
Oracle is fixing 11 bugs in Workspace Manager, 3 in Oracle Text and 3 in Oracle Spatial. There are also some bugs in Advanced Queueing, XMLDB, OID and ASO. There are 2 bugs in Import/Export. The Import bug (DB01, reported by us) is the most critical bug with a rating of 6.5 (CVSS 2.0 rating) and affects all versions of Oracle. Some of our bugs in Database Vault (DB21) and Enterprise Manager (EM01) are remotely exploitable.
The bugs in the database (AFAIK) are SQL injection (Workspace Manager, Spatial), buffer overflows and privilege escalation.
More details soon.
Posted in CPUOct2007, Oracle Security | 1 comment »
GOSS - GUI Oracle scanner
14 Oct 2007 by Alexander Kornbrust.
From time to time I do research on Russian websites (with Google Translate) because you can find interesting information and tools there. Last week I found a small program called goss, a GUI Oracle Scanner.

This tool contains features like getting the SID (similar to sidguess), password guessing, retrieving password hashes from the database, …

The output is displayed in a new window.

Some of the features in this tool were not working properly against my test databases.
Posted in software, Security, Oracle Security, General | No comments »
Oracle Password Cracker Benchmarks
9 Oct 2007 by Alexander Kornbrust.
Today Laszlo released his password cracker woraauthbf for Oracle, the fastest Windows tool for cracking Oracle passwords (it supports the new and the old password hash format plus the authentication attack).
On his webpage Laszlo has a small benchmark comparing the 3 leading Oracle password crackers: checkpwd, orabf and woraauthbf. According to Laszlo's benchmark checkpwd 1.22 is the slowest cracker (but only out of these 3).
I was surprised that checkpwd was so slow compared to the benchmarks I did on my systems. The reason for this bad result was the way Laszlo performed the tests.
Laszlo was testing only 1 password hash. The implementation of reading the dictionary file is slow, and that is why it dominates the entire result for checkpwd. In the real world you normally test many password hashes, not only 1 hash.
That's why I ran a benchmark of how long it takes to crack 40 hashes (instead of 1 hash) with the new checkpwd 2.0, which supports reading password hashes from a text file (to get rid of the file reading overhead). I ran the tests on my 2 GHz Core2Duo.
Tool             my benchmark (40 hashes)   Laszlo's benchmark
woraauthbf 0.2   1.103.773 pw/s             515.114 pw/s
checkpwd 2.0       637.263 pw/s             193.168 pw/s
orabf 0.76         400.000 pw/s             311.994 pw/s
Checkpwd 2.0 was nearly 2 times faster in this benchmark, just by cracking 40 instead of 1 password (637.263 vs. 309.057 pw/s).
In checkpwd 2.0 we will focus on intelligent password cracking instead of pure power, but we are still interested in improving the speed of checkpwd.
Here are some new features of checkpwd 2 (to be released next week):
* cracking APEX passwords
* support for Oracle 11g
* support for Oracle Password History
* intelligent password collector
* many new options
* …
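As an added example (not code from checkpwd, woraauthbf or OrakelCrackert), the following Python shows the Oracle 11g SHA-1 verifier format that the new crackers support, "S:" followed by hex(SHA1(password || 10-byte salt)) and the hex salt, and why the per-user salt forces a cracker to recompute the hash for every account instead of reusing precomputed tables; the password and salt values are constructed.

```python
import hashlib
import hmac
import os

def oracle11g_hash(password, salt):
    """Build an 11g-style verifier: 'S:' + hex(SHA1(password || salt)) + hex(salt).

    11g hashes the password case-sensitively together with a 10-byte random salt
    and stores the result in SYS.USER$.SPARE4 as 2 + 40 + 20 characters.
    """
    if len(salt) != 10:
        raise ValueError("11g uses a 10-byte random salt")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "S:" + digest.hex().upper() + salt.hex().upper()

def split_11g(spare4):
    """Split a stored 'S:<40 hex digest><20 hex salt>' value into (digest, salt) bytes."""
    if not spare4.startswith("S:") or len(spare4) != 62:
        raise ValueError("not an 11g SHA-1 verifier")
    return bytes.fromhex(spare4[2:42]), bytes.fromhex(spare4[42:62])

def verify_11g(candidate, spare4):
    """True if the candidate password reproduces the stored digest (constant-time compare)."""
    digest, salt = split_11g(spare4)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)

def salt_demo(password):
    """Two accounts with the same password get two different verifiers because of the salt,
    so a table precomputed for one salt says nothing about the other account."""
    a = oracle11g_hash(password, os.urandom(10))
    b = oracle11g_hash(password, os.urandom(10))
    return a != b and verify_11g(password, a) and verify_11g(password, b)
```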
Posted in 11g, checkpwd, Security, Oracle Security | No comments »
ORACLE SQL Injection Cheat Sheet
2 Oct 2007 by Alexander Kornbrust.
The following URL contains a cheat sheet for Oracle SQL Injection. It is not complete, and some statements are a little bit complicated (e.g. SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS' or SELECT username, FROM all_users UNION SELECT name, password FROM sys.user$; better: SELECT name, password FROM sys.user$ where type#=1).
Posted in Oracle Security | No comments »
THC released the password cracker “OrakelCrackert” for Oracle 11g
2 Oct 2007 by Alexander Kornbrust.
Van Hauser from THC told me today that vonjeek from THC released a password cracker for Oracle 11g on the THC website called OrakelCrackert. OrakelCrackert checks approx. 400.000 passwords/second on my 2 GHz Core2Duo and has a similar speed to checkpwd 2.0 (which will be released next week).
In this blog entry I mentioned that OrakelCrackert comes with the dictionary file from checkpwd. This is not true and I really apologize for this wrong accusation. In the case of OrakelCrackert I was looking for my last name, which is really unusual (not part of a normal dictionary).
But the other SID guessing tools (sidguesser, ora-getsid, goss) took my list of Oracle SIDs. "Taking" such collections without giving credit is not unusual. The tools for guessing SIDs (e.g. sidguesser from Cqure or ora-getsid from NGS Software) are taking the SID list I composed via Google hacking, manual editing, … without mentioning my work.
As a consequence of this wrong accusation against vonJeek I recreated the dictionary file for checkpwd 2.0, and I will document where I took the passwords from. This will become another blog entry.
Posted in Oracle Security | 3 comments »
Bugfix for Sidguess for Windows / MacOSX
2 Oct 2007 by Alexander Kornbrust.
Yesterday I uploaded an updated version of sidguess for Windows and MacOSX. In this version (1.0.2) the brute force mode for guessing SIDs now works properly.
Posted in Oracle Security | 2 comments »
