Archive for Oktober, 2007

Joxean Koret released a whitepaper about Oracle Database Vault: Design Failures

Montag, Oktober 29th, 2007

Joxean Koret just released a whitepaper about Design Failures in Oracle Database Vault.

Joxean describes Oracle Database Vault (DBV) in his paper as „war against DBAs“ and explains various ways to bypass DBV on OS / file system level (e.g. trojanized oci library, backup, rootkits, …). Joxean is also talking about is the ancient problem „Quis custodiet ipsos custodes“ („Who will guard the guardians“ or „Who controls the police“). The solution for this problem is always the concept of segregation of duties (3 accounts instead of the powerful DBA). It’s clear that the current version of DBV has still many bugs (there are many open bugs from various companies unfixed).

I think this whitepaper shows a common misunderstanding of the product DBV itself. DBV was never designed to protect against attacks on OS/Filesystem level (e.g. it’s possible to disable DBV on OS level for applying patches). It’s just a framework to build more secure database systems together with other products like TDE, ASO, … together with a good architecture (apps, auditing, backup, …)

Checkpwd 2.00 A12 released

Dienstag, Oktober 23rd, 2007

I just uploaded checkpwd 2.00 A12. This first version of checkpwd  2.0 comes with a lot of new features making it the smartest and most convenient Oracle password checker around… (and it’s free).

2 weeks ago Laszlo released his password cracker woraauthbf becoming the fastest password cracker for Oracle (but not the smartest). Woraauthbf is working in offline mode only and does not use information from the database.

Checkpwd is connecting to the database (offline is possible too) and uses passwords and potential password candidates from the database for cracking Oracle passwords. This approach is often more successful than the normal dictionary based approach (see password of MGMT_VIEW in screenshot). Due to this technique checkpwd finds more passwords than woraauthbf and that’s the main goal of a password checking tool. Speed is not everything…

Another interesting but dangerous feature writes the found passwords into a file called foundpw.txt. The content of this file is used the next time, making the passwords dictionary more and more powerful. This feature is useful for cloned databases which are normal in company environments. Be careful with this file…

Here are some of the new features of checkpwd:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file
* …

Checkpwd 2.0 A12

Feature-Requests and comments are welcome.

Running Inguma PL/SQL Fuzzer against with October 2007 CPU

Montag, Oktober 22nd, 2007

Today I modified the Inguma PL/SQL Fuzzer a little bit (adding my own enhancements) and run it against with Oracle Critical Patch Update (CPU) October 2007 applied. After running it for a while (without a database crash) Oracle reported the following errors messages in trace files:

ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kghuclientasp+118] [PC:0x603D67AE] [ADDR:0x9253768] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+205] [PC:0x8A7911] [ADDR:0x18] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+123] [PC:0x8A78BF] [ADDR:0x18] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_qmuhshget_internal+228] [PC:0x605738A8] [ADDR:0x6474636B] [UNABLE_TO_READ] []
ORA-00600: internal error code, arguments: [kohcpi298], [], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [KGHALO2], [0x0], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [qmsVarrayElemtds:pd or extra tmx], [], [], [], [], [], [], []
oracle.jdbc.driver.OracleSQLException: ORA-00933: SQL command not properly ended
oracle.jdbc.driver.OracleSQLException: ORA-01742: comment not terminated properly
oracle.jdbc.driver.OracleSQLException: ORA-01756: quoted string not properly terminated

Some of the error messages are indication (just indication) for SQL Injection and buffer overflows. I will investigate…

Inguma – Free Oracle Penetration Toolkit from Joxean Koret

Samstag, Oktober 20th, 2007

Joxean Koret released version 0.05 of his free penetration toolkit called Inguma. This tool is also implementing an exploit for one of the bugs (LT.FINDRICSET) fixed in the October 2007 CPU.

The name Inguma is coming from the basque god of dreams who kills people while sleeping and, also, the one who make the nightmares.

Inguma, written in Phython, supports different systems (e.g. Oracle, SQL Server, SSH, Firewalls). The following features are Oracle specific:

* Added one exploit for the vulnerability in SYS.LT.FINDRICSET (Oracle CPU Oct. 2007).
* Added module „bruteora“ to brute force Oracle servers. It will check
for every (commonly) possible user or for an specified user.
* Added a tool to crack MD5 hashes using freely available rainbow tables.
* Added module „sidguess“ to guess the SID of an Oracle Database instance.
* Added a password cracker for Oracle11g.
* Enhanced the Oracle PL/SQL Fuzzer. Now, if you redirect the output
only the vulnerabilities found are logged, all the rest of the output
are written to stderr.

Here a screenshot from the tool on my Backtrack 2 system:

Inguma Screenshot 1

Well done Joxean.

Oracle CPU October 2007 – 14 Bugs reported by RDS (updated)

Dienstag, Oktober 16th, 2007

I just arrived in Munich. Wednesday and Thursday I will give an Oracle Hacker Training for the Oracle University.

Oracle just released the Oracle Critical Patch Update for October with fixes for 51 vulnerabilities in various products. The CPU for the database contains fixes are 27.

14 of them were reported by Red-Database-Security. The vulnerabilities were reported by the usual suspects (David, Esteban, Joxean, Johannes Greil and me).
Oracle is fixing 11 bugs in Workspace Manager, 3 in Oracle Text and 3 in Oracle Spatial. There are also some bugs in Advanced Queueing, XMLDB, OID and ASO). There are 2 bugs in Import/Export. The Import bug (DB01, reported by us) is the most critical bug with a rating of 6.5 (CVSS 2.0 rating) and affects all versions of Oracle. Some of our bugs in Database Vault (DB21) and Enterprise Manager (EM01) are remote exploitable.

The bugs in the database (AFAIK) are SQL Injection (Workspace Manager, Spatial), Buffer Overflows, Privilege Escalation.

More details soon.