Archive for November, 2007

SANS Top-20 2007 Security Risks (2007 Annual Update)

Mittwoch, November 28th, 2007

Sans updated their Top-20 list of security risks.

One section covers Oracle and Database Software. Since September 2006 there are 18 new CVE vulnerabilities with a CVSS base score of 7 or higher.

CVE-2006-5332, CVE-2006-5333, CVE-2006-5334, CVE-2006-5335, CVE-2006-5336, CVE-2006-5339, CVE-2006-5340, CVE-2006-5341, CVE-2006-5342, CVE-2006-5343, CVE-2006-5344, CVE-2006-5345, CVE-2006-7138, CVE-2007-0272, CVE-2007-1442, CVE-2007-2113, CVE-2007-2118, CVE-2007-5506.

Some of the most critical vulnerabilities in Oracle databases like the view / inline-view bug or the bypass logon trigger are not covered in the SANS list.

BTW.: Microsoft SQL Server has only 1 vulnerability: CVE-2007-4814

Review „Practical Oracle Security“

Montag, November 26th, 2007

Today I downloaded a new Oracle Security book from Syngress: „Practical Oracle Security„. Here a short review:

Downloading the ebook was quick and easy. The annoying thing was the password query every time I opened the ebook. To get rid of the password I opened the PDF file in Adobe Acrobat, removed the password protection and that’s it… Syngress forgot to protect the PDF file properly.

First I skimmed through the book and it looks quite nice in the beginning but then I found more and more problems and inaccuracies. Some of the recommendations from the book make your database even more insecure.

Here an incomplete list of some potential problems and inaccuracies:

p. 43: Some older versions of dbms_system.ksdwrt are vulnerable against a buffer overflow. This could cause a database crash. This is not mentioned. Playing around with dbms_system.ksdwrt could crash your database.

p.58: Providing read access (711) to the listener.ora is not a good idea because this file contains the password hash of the TNS listener.

p.74: Recommendation to set a long and strong listener password in 10g. This makes the listener configuration more insecure because it opens remote administration if the password is known!!! The combination password and local os authentication is in my opinion not useful. I would recommend to use local OS authentication alone OR set a strong password together with disabling local OS authentication.

p.108: Using impossible passwords introduces a security risk because all versions until 10g R.2 are resetting a default password from time to time. Unlocking databases accounts introduces a big security hole because a default account gets a default password. Problem is reported to Oracle but still unfixed.

p. 139: Important and powerful packages like utl_inaddr (send sensitive data via DNS) or dbms_advisor (write files to OS) are not mentioned in the ebook

p.139: Description of execute any procedure is wrong. Exploits are only working if the o7_dictionary is set to non-default value

p.140: Description of select any table is wrong.

p.170: … if a 0day exploit exists on the internet, Oracle will generally release a security alert rather than waiting for the next scheduled CPU. This is not true (see for example exploit dbms_export_extension or create view problem). Oracle will only release out-of-order patches if an exploit is available on the internet AND the bug is critical AND will be exploited

p.180: Recommends to enable account lockout. This is a conflict with the impossible and unlocked database accounts. Account lockout could also lead to a D.o.S. against application user accounts (e.g. used in AppServer)

p. 209: Blank Oracle passwords? Tell us more…

p.210: How can you read a file with utl_file only? Without directory traversal (fixed in all supported patchsets) and without „create any directory“?

p. 211: The famous blank password again…

p.232: utl_udp is not an oracle package. It’s a package posted on USENET.

p.232: Packages such as utl_file. utl_http, … give access to the host’s operating system including the file system and network. ==> this is not correct.

D.o.S. Exploit for Oracle 10.2.0.1/10.2.0.2 published on bugtraq

Samstag, November 3rd, 2007

Yesterday an anonymous person (oraclefun@hushmail.com) posted an exploit for XDB_PITRIG_PKG.PITRIG_DROPMETADATA in Oracle 10.2 on the security mailing list bugtraq without any explanation about affected versions. I did a few tests and tested this exploit against my test databases. Unpatched Oracle 10.2.0.1 and 10.2.0.2 databases are terminated immediately.

This exploit is using IDS evasion techniques to avoid detection from network based IDS for Oracle.

To run this exploit only the privilege „create session“ is required. 10.2.0.3 is not affected from this exploit.

Oracle 9i Rel. 1, 9i Rel. 2, 10g Rel.1 and 11g are not affected and throw error messages.

######### 9.2.0.8 , 10.1.0.5 #########
ERROR at line 22:
ORA-06550: line 22, column 1:
PLS-00201: identifier ‚XDB.XDB_PITRIG_PKG‘ must be declared
ORA-06550: line 22, column 1:
PL/SQL: Statement ignored
#########

######### 10.2.0.3 or 11g #########
ERROR at line 1:
ORA-29329: Table not of type XMLType
ORA-06512: at „XDB.XDB_PITRIG_PKG“, line 127
ORA-06512: at line 22
#########