Archive for October, 2009

Oracle October 2009 CPU Published

Wednesday, October 21st, 2009

Today Oracle released the October 2009 CPU.

In total, 38 vulnerabilities were fixed with this CPU (or PSU). This CPU fixes 16 new vulnerabilities in the databases; 6 of them are remotely exploitable without authentication, and 1 affects client-only installations.
The following components are affected.

  • Advanced Queuing
  • Application Express
  • Authentication
  • CORE RDBMS
  • Data Mining
  • Net Foundation Layer
  • Network Authentication
  • Oracle Spatial
  • Oracle Text
  • PL/SQL
  • RDBMS Data Pump
  • RDBMS Security
  • Workspace Manager

As always the usual suspect (Alexander, xxx) reported some of the vulnerabilities.

This time Oracle fixed 2 of our vulnerabilities. Only 20 Oracle security issues are unfixed… Oracle is getting better… Time to have a deeper look into 11.2 😉

----

Report of Critical Patch Update Fixes for Red Database Security

The following issues reported by you are fixed in the upcoming Critical
Patch Update, due to be released at 1pm, U.S. Pacific Time, on October
20, 2009. We ask that any information that you plan to publish
regarding these issues be released after this date and time.

This Critical Patch Update will contain fixes for the following issues:

Reporter: Alexander Kornbrust

9675691  SQL INJECTION IN UPGRADE SCRIPT CATMETX.SQL

10213261  AUDIT CAN BE BYPASSED USING DBMS_SYS_SQL.PARSE_AS_USER

Please let us know if you have any questions or concerns with this
report. Thank you for reporting these issues to Oracle and for your
patience while we investigated and created the fixes.

----

I will post detailed information including sample code on my blog tomorrow. The dbms_sys_sql bug is especially critical because it allows bypassing Oracle Auditing completely (and products using Oracle Auditing, like Oracle Audit Vault). Even if this bug is fixed now, there are other (similar) bugs around which allow bypassing Oracle Auditing completely.

It took only approx. 2 years to fix the dbms_sys_sql problem.

Paul Wright Released Whitepaper About „Create Table to OSDBA“ (Preprocessor Exploit)

Tuesday, October 20th, 2009

Paul Wright wrote an interesting whitepaper „Create table to OSDBA“ about the new preprocessor feature in 11.1.0.7 and higher to run OS commands via tables. This whitepaper shows how to escalate privileges by running operating system commands using create table together with utl_file. In the future Oracle plans to backport the functionality to Oracle 10.2.0.5.

I already talked about the danger of running OS commands via „Create Table“ in February 2009 in „Trends 2009“ (German slides, slide 20) and released in April 2009 a tutorial on how to run OS commands via Create table, dbms_scheduler, extproc, plsql native 9, plsql native 10/11, Oracle text and alter systems. Paul added the idea of executing files created with utl_file.

Oracle changed the preprocessor handling in Oracle 11.2.0.1. In 11.2.0.1 it is necessary to have the EXECUTE privilege on a directory object („Execute a preprocessor program that resides in the directory. A preprocessor program converts data to a supported format when loading data records from an external table with the ORACLE_LOADER access driver. Refer to Oracle Database Utilities for more information. This privilege does not implicitly allow READ access on the external table data.“).

Paul wrote a recommendation on how to mitigate the preprocessor risk. He recommends revoking utl_file from public. This is a good idea, but keep in mind that there are multiple ways to create (text) files at the OS level (e.g. Sample Exploit using dbms_advisor).

I would also recommend granting read,write instead of granting ALL on directory objects (which includes EXECUTE in 11.2.0.1). Granting to PUBLIC is also always a bad idea. Always grant privileges to a role and/or user only.
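The grant review recommended above, written as an added example (it is not from this post or from Paul Wright's whitepaper). It assumes a session that can read the DBA_* views; the directory `DATA_LOAD_DIR` and the role `LOADER_ROLE` are hypothetical names.

```sql
-- Added example. DATA_LOAD_DIR and LOADER_ROLE are hypothetical names.

-- 1. Directory grants that include EXECUTE (in 11.2.0.1 this lets the
--    grantee run a PREPROCESSOR program from that directory) or that go
--    to PUBLIC. Directory grants are listed in DBA_TAB_PRIVS with the
--    directory name in TABLE_NAME, so join to DBA_DIRECTORIES; a SYS-owned
--    object that shares a directory's name would also match.
SELECT p.grantee, d.directory_name, d.directory_path,
       p.privilege, p.grantable
FROM   dba_tab_privs   p
JOIN   dba_directories d
       ON  d.owner          = p.owner
       AND d.directory_name = p.table_name
WHERE  p.privilege = 'EXECUTE'
   OR  p.grantee   = 'PUBLIC'
ORDER  BY d.directory_name, p.grantee, p.privilege;

-- 2. Is UTL_FILE still executable by PUBLIC? One row means yes.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'UTL_FILE'
AND    privilege  = 'EXECUTE'
AND    grantee    = 'PUBLIC';

-- 3. Code that depends on UTL_FILE. Review this list before revoking:
--    owners that rely on the PUBLIC grant need a direct grant afterwards.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name  = 'UTL_FILE'
AND    referenced_type  = 'PACKAGE'
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 4. Replace an ALL / PUBLIC grant on a directory with READ, WRITE to a
--    role (assumes the PUBLIC grant found in step 1 exists).
REVOKE ALL ON DIRECTORY data_load_dir FROM PUBLIC;
GRANT READ, WRITE ON DIRECTORY data_load_dir TO loader_role;

-- 5. Remove the PUBLIC grant on UTL_FILE once step 3 has been reviewed.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
```

As the post points out, revoking UTL_FILE closes only one way of creating files at the OS level, so the directory grants in step 1 remain the control to watch.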

Oracle October 2009 Pre-Release

Friday, October 16th, 2009

Oracle just published the pre-release of the Oracle October 2009 CPU. In total, 38 vulnerabilities will be fixed. This CPU will fix 16 new vulnerabilities in the databases; 6 of them are remotely exploitable without authentication, and 1 affects client-only installations.

The highest CVSS base score is 10.0 for Windows and 7.5 for other platforms (Oracle ANO and Core RDBMS). Sounds like a very interesting CPU…

The following components are affected.

  • Advanced Queuing
  • Application Express
  • Authentication
  • CORE RDBMS
  • Data Mining
  • Net Foundation Layer
  • Network Authentication
  • Oracle Spatial
  • Oracle Text
  • PL/SQL
  • RDBMS Data Pump
  • RDBMS Security
  • Workspace Manager

Oracle will also fix 3 bugs in the Oracle Application Server, 8 in Oracle E-Business-Suite, 4 in JD-Edwards and PeopleSoft, 6 in BEA and 1 in Oracle Industry Application (a product I never heard of before).

Oracle Openworld 2009 – SQL Injection Presentation

Tuesday, October 13th, 2009

Just back from a short trip to Oracle Openworld, where I gave a presentation „SQL Injection Crash Course for Developers“. This was the first time I talked at Openworld in San Francisco. The feedback from the attendees was quite good.

In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanners. Really professional GUI, easy to use. Well done, Ferruh.
Netsparker GUI

Supports the execution of SQL statements and OS commands on the DB server.

Netsparker Command Window

I also met the APEX team from Oracle and had a long, interesting chat with them. Joel Kallmann gave me a few tips on how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik posted today an interesting blog entry about SQL Injection too.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he also mentions the bug DB18 from January 2006, found by Imperva. AFAIK I was the first to come up with the idea of patching the oraclient9.dll using a hex editor, and then I sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this after David Litchfield released a small tool (part of OAK – Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client patching technique can be really useful.

Oracle Password Benchmarks

Tuesday, October 6th, 2009

Yesterday, Dennis Yurichev published details about his FPGA-based Oracle (DES) password cracker. His cracker can check up to 60 Mill. passwords per second (for short usernames) in brute force mode.

This is a good opportunity to show the current status of Oracle Password Cracking.
The benchmark numbers on our website are a little bit outdated and I will refresh them soon.

Here is a quick summary of the fastest programs in every class (AFAIK, please correct me if you know faster tools). All tests were performed on my old Core2Quad 2.4 GHz. A new Intel i7 would perform much faster (30-50%) compared to the Core2Quad.

If you look for pure numbers, dictionary based rainbow tables for DES are the fastest solution with approx. 250 Mill password hashes, followed by FPGA with 60 Mill pw/sec, followed by brute force with 4 Mill pw/sec.

The SHA1 algorithm is a bad choice from the password cracking perspective because it can be cracked much faster (30 Mill pw/s instead of 4 Mill pw/s) on the same computer.

1. Dictionary Based (* Core2Quad 2.4 GHz)
DES: approx. 3 Mill pw/sec    (Repscan 3.0 and woraauthbf)
SHA1: approx. 19 Mill pw/sec  (Repscan 3.0)

2. Brute Force (* Core2Quad 2.4 GHz)
DES: up to 4 Mill pw/sec       (Repscan 3.0 and woraauthbf)
SHA1: approx. 30 Mill pw/sec   (Repscan 3.0)

3. Rainbow Table (* Core2Quad 2.4 GHz)
DES: n/a                       (Cain)
SHA1: hash salted, not useful

4. Dictionary based Rainbow Tables (* Core2Quad 2.4 GHz)
DES: up to 250 Mill pw/sec     (ophcrack)
SHA1: hash salted, not useful

5. FPGA
DES: up to 60 Mill pw/sec      (Dennis Yurichev)
SHA1: not available

6. GPGPU
DES:  n/a
SHA1: n/a (estimated 175 Mill pw/sec)