Last weekend I gave a presentation “Security comparison of different databases” (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest. A blog entry dedicated to this will be released soon.
I saw Laszlo’s presentation “Oracle post exploitation techniques” and got even a private sneak preview of his presentation in English 1 day before.
Laszlo talked about very very interesting things (at least for me) and I personally think that this is one of the best Oracle security research papers I know. Also some paranoid customers have to rethink their security architecture because this research affects DB Vault and Oracle TDE as well (every OS user can see every cleartext password during the logon process).
- Decrypt the Enterprise Manager/Grid Control passwords in newer version.
The simple way using sysman.decrypt() no longer works in newer version of Oracle. But his approach is reading the key from the file emkey.ora and using sysman.mgmt_time_sync to set the key. This works in new versions as well.
- DLL injection:
A malicious OS user (e.g. DBA or Unix root) on the database server can intercept the cleartext password on the database server during logon. He showed working examples running on Windows and Linux (!!!)
- Decrypt TDE encrypted data and extract the TDE masterkey from the Oracle wallet
- Analysis of the Oracle 11g Remote Job Scheduling.
The second really good presentation was from Marcell Major about reversing password algorithms. He showed different ways how to perform this and showed how he did this for Sybase ASE database passwords. Especially the old SYS-PROP based on a FEAL algorithm was really impressive. But this presentation is currently not online.
Marcell already released the password cracker for new Sybase ASE SHA256 algorithm.
Our new Repscan 4.0 supports now Sybase ASE, PostgreSQL and Microsoft SQL Azure and can crack all these passwords .