| M | D | M | D | F | S | S |
|---|---|---|---|---|---|---|
| « Mrz | ||||||
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 | |||
- 11g (12)
- Allgemein (29)
- David Litchfield (7)
- Exploit (23)
- Forensics (7)
- Oracle Security (106)
- passwords (8)
- Repscan (1)
- Security (23)
- Sentrigo (5)
- software (9)
- source code audit (5)
- SQL Injection (24)
- Tools (24)
- Trainings (3)
- Tutorial (2)
- 9 Mrz 2012: 2 Cebit 2012 Presentations about Database Security
- 18 Nov 2011: DOAG 2011 Presentation "Best of Oracle Security 2011"
- 15 Okt 2011: Oracle Critical Patch Update Pre-Release Announcement - October 2011
- 17 Sep 2011: Disable Auditing and running OS commands using oradebug
- 13 Apr 2011: Blackhat Training "HACKING AND SECURING ORACLE (2 days) "
- 2 Apr 2011: Oracle Database 11.2 Express Edition Beta comes with weak default password
- 23 Mrz 2011: McAfee acquires Sentrigo
- 12 Okt 2010: TDE decrypt utilities and TDE/Password flash demo
- 22 Sep 2010: Marcell published "Writing your own password cracker" presentation
- 21 Sep 2010: Laszlo's presentation "Oracle Post Exploitation Techniques" and Marcel's Sybase ASE Password Cracker
Oracle Security
SQL Injection
- März 2012
- November 2011
- Oktober 2011
- September 2011
- April 2011
- März 2011
- Oktober 2010
- September 2010
- August 2010
- April 2010
- März 2010
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
Verfasser-Archiv
Oracle Database 11.2 Express Edition Beta comes with weak default password
2 Apr 2011 von Alexander Kornbrust.
Yesterday Oracle released the first beta of Oracle Database 11.2. Express Edition. I downloaded the beta and after installation I run our database scanner Repscan against it.
It was surprising that Oracle delivers 11.2 Express Edition with a default password for the open APEX_040000.
C:\>sqlplus apex_040000/oracle@192.168.2.38/XE
SQL*Plus: Release 11.1.0.7.0 - Production on Sat Apr 2 13:33:24 2011
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - Beta
SQL> desc dba_users
Name Null? Type
—————————————– ——– —————————-
USERNAME NOT NULL VARCHAR2(30)
USER_ID NOT NULL NUMBER
PASSWORD VARCHAR2(30)
ACCOUNT_STATUS NOT NULL VARCHAR2(32)
LOCK_DATE DATE
EXPIRY_DATE DATE
DEFAULT_TABLESPACE NOT NULL VARCHAR2(30)
TEMPORARY_TABLESPACE NOT NULL VARCHAR2(30)
CREATED NOT NULL DATE
PROFILE NOT NULL VARCHAR2(30)
INITIAL_RSRC_CONSUMER_GROUP VARCHAR2(30)
EXTERNAL_NAME VARCHAR2(4000)
PASSWORD_VERSIONS VARCHAR2(8)
EDITIONS_ENABLED VARCHAR2(1)
AUTHENTICATION_TYPE VARCHAR2(8)
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
—————————— —————————— — — —
APEX_040000 CONNECT NO YES NO
APEX_040000 RESOURCE YES YES NO
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
—————————— —————————————- —
APEX_040000 CREATE TRIGGER YES
APEX_040000 CREATE SYNONYM YES
APEX_040000 UNLIMITED TABLESPACE YES
APEX_040000 ALTER SESSION NO
APEX_040000 CREATE JOB YES
APEX_040000 CREATE DIMENSION YES
APEX_040000 CREATE SEQUENCE YES
APEX_040000 CREATE TABLE YES
APEX_040000 ALTER USER NO
APEX_040000 CREATE USER NO
APEX_040000 CREATE SESSION YES
APEX_040000 CREATE OPERATOR YES
APEX_040000 ALTER DATABASE NO
APEX_040000 DROP USER NO
APEX_040000 CREATE INDEXTYPE YES
APEX_040000 CREATE MATERIALIZED VIEW YES
APEX_040000 CREATE VIEW YES
APEX_040000 CREATE CLUSTER YES
APEX_040000 CREATE ANY CONTEXT YES
APEX_040000 CREATE PROCEDURE YES
APEX_040000 DROP PUBLIC SYNONYM NO
APEX_040000 DROP TABLESPACE NO
APEX_040000 CREATE TABLESPACE NO
APEX_040000 CREATE TYPE YES
APEX_040000 CREATE ROLE NO
APEX_040000 CREATE PUBLIC SYNONYM NO
26 rows selected.
SQL>
This APEX user has for example ALTER USER privileges and can change the password of any user in the database.
Please change the password of APEX_040000 after the installation of the new 11.2 Express Edition beta.
Geschrieben in Oracle Security | Drucken | Keine Kommentare »
McAfee acquires Sentrigo
23 Mrz 2011 von Alexander Kornbrust.
McAfee acquires Sentrigo. Congratulations to the Sentrigo team and McAfee.
Geschrieben in Oracle Security | Drucken | Keine Kommentare »
TDE decrypt utilities and TDE/Password flash demo
12 Okt 2010 von Alexander Kornbrust.
Laszlo has posted 2 flash movies from his great presentation from the Hacktivity 2010 conference
and the TDE decryption tools showed in the movie/presentation. The source is included as well.
Thanks for sharing this valuable stuff with the community.
Geschrieben in Oracle Security | Drucken | Keine Kommentare »
Marcell published “Writing your own password cracker” presentation
22 Sep 2010 von Alexander Kornbrust.
Marcell Major has published his really good presentation “Writing your own password cracker” from the Hacktivity 2010 security conference in Budapest.
Marcell describes different ways to achieve this goal, e.g. source code analyze, debugging or reverse engineering.
With good examples Marcell showed the password analysis of Apache Derby, Sybase ASE old and new hashing algorithm. The new Sybase ASE (15.0.2+) uses SHA256 and the old SYS-PROB (<15.0.2) is based on an already broken FEAL algorithm. Especially the FEAL algorithm is quit complicated but a good example hat debugging/reversing could do.
- The password cracker for Sybase ASE - SHA256 is called sybcrack and already released.
- The password cracker for Sybase ASE - SYB-PROP (FEAL) will be released soon.
Geschrieben in Oracle Security | Drucken | Keine Kommentare »
Laszlo’s presentation “Oracle Post Exploitation Techniques” and Marcel’s Sybase ASE Password Cracker
21 Sep 2010 von Alexander Kornbrust.
Last weekend I gave a presentation “Security comparison of different databases” (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest. A blog entry dedicated to this will be released soon.
I saw Laszlo’s presentation “Oracle post exploitation techniques” and got even a private sneak preview of his presentation in English 1 day before.
Laszlo talked about very very interesting things (at least for me) and I personally think that this is one of the best Oracle security research papers I know. Also some paranoid customers have to rethink their security architecture because this research affects DB Vault and Oracle TDE as well (every OS user can see every cleartext password during the logon process).
- Decrypt the Enterprise Manager/Grid Control passwords in newer version.
The simple way using sysman.decrypt() no longer works in newer version of Oracle. But his approach is reading the key from the file emkey.ora and using sysman.mgmt_time_sync to set the key. This works in new versions as well. - DLL injection:
A malicious OS user (e.g. DBA or Unix root) on the database server can intercept the cleartext password on the database server during logon. He showed working examples running on Windows and Linux (!!!) - Decrypt TDE encrypted data and extract the TDE masterkey from the Oracle wallet
- Analysis of the Oracle 11g Remote Job Scheduling.
The second really good presentation was from Marcell Major about reversing password algorithms. He showed different ways how to perform this and showed how he did this for Sybase ASE database passwords. Especially the old SYS-PROP based on a FEAL algorithm was really impressive. But this presentation is currently not online.
Marcell already released the password cracker for new Sybase ASE SHA256 algorithm.
Our new Repscan 4.0 supports now Sybase ASE, PostgreSQL and Microsoft SQL Azure and can crack all these passwords .
Geschrieben in 11g, Oracle Security | Drucken | Keine Kommentare »