21 Sep 2010 von Alexander Kornbrust.

Last weekend I gave a presentation “Security comparison of different databases” (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest. A blog entry dedicated to this will be released soon.

I saw Laszlo’s presentation “Oracle post exploitation techniques” and got even a private sneak preview of his presentation in English 1 day before.

Laszlo talked about very very interesting things (at least for me) and I personally think that this is one of the best Oracle security research papers I know. Also some paranoid customers have to rethink their security architecture because this research affects DB Vault and Oracle TDE as well (every OS user can see every cleartext password during the logon process).

• Decrypt the Enterprise Manager/Grid Control passwords in newer version.
  The simple way using sysman.decrypt() no longer works in newer version of Oracle. But his approach is reading the key from the file emkey.ora and using sysman.mgmt_time_sync to set the key. This works in new versions as well.
• DLL injection:
  A malicious OS user (e.g. DBA or Unix root) on the database server can intercept the cleartext password on the database server during logon. He showed working examples running on Windows and Linux (!!!)
• Decrypt TDE encrypted data and extract the TDE masterkey from the Oracle wallet
• Analysis of the Oracle 11g Remote Job Scheduling.

The second really good presentation was from Marcell Major about reversing password algorithms. He showed different ways how to perform this and showed how he did this for Sybase ASE database passwords. Especially the old SYS-PROP based on a FEAL algorithm was really impressive. But this presentation is currently not online.

Marcell already released the password cracker for new Sybase ASE SHA256 algorithm.

Our new Repscan 4.0 supports now Sybase ASE, PostgreSQL and Microsoft SQL Azure and can crack all these passwords .

Geschrieben in 11g, Oracle Security | Drucken | Keine Kommentare »

6 Apr 2010 von Alexander Kornbrust.

This weekend I installed the new version of Oracle 11.2.0.1 (64 bit) for Windows. The 11.2 version for Windows is available since a few days.

I installed the 64 bit version (default installation (next - next - …)) without any problems  on Windows 7 system. After that I run a default check with our database scanner Repscan 3 (the most advanced database scanner) against this new database version. According to Repscan this new 11.2.0.1 is no longer vulnerable against the DBMS_JVM_EXP_PERMS exploit and this is correct. Oracle has already fixed the problem. I expect a solution in the upcoming Oracle CPU April 2010.

A quick check in the Repscan database browser shows the difference in the privileges:

11.2.0.1.0 Linux:

11.2.0.1.0 Windows:

Oracle removed the public privilege from DBMS_JVM_EXP_PERMS and granted privileges to the roles “IMP_FULL_DATABASE” and “DATAPUMP_EXP_FULL_DATABASE”.   The privileges of DBMS_JAVA and DBMS_JAVA_TEST are not modified.

The package DBMS_JVM_EXP_PERMS contains also a bug fix. A comparision between the Windows and Linux version shows the following differencein the package body.

— DBMS_JVM_EXP_PERMS  (only in 11.2.0.1 Windows) ——————
[…]
– Check privs
sys.dbms_zhelp_ir.check_sys_priv(DBMS_ZHELP_IR.KZSSTA);
[…]
— DBMS_JVM_EXP_PERMS ——————
After that I analyzed the Oracle database with the Repscan database browser (really useful component, just try the trial version of Repscan) found a few suspicous audit entries in my audit log (sys.aud$).

A user AIME from the terminal “ST-ADC\DADVFH0169″ had a connection to my database?I know that the terminal “ST-ADC\DADVFH0169″ is a terminal somewhere from Oracle. A backdoor in 11.2.0.1? Someone from Oracle was accessing my database?

No. After I checked the timestamp I saw that this entry was created 2 days BEFORE I installed my database. Oracle only forgot to cleanup the audit log before delivering it to customers. If you install Oracle 11.2.0.1 you should truncate the SYS.AUD$ table to avoid questions from (internal/external) auditors.

Geschrieben in Repscan, 11g, Security | Drucken | Keine Kommentare »

31 Mrz 2010 von Alexander Kornbrust.

Paul released a new article about Oracle Java Forensics. He describes how to find traces of Java attacks (e.g. via dbms_jvm_exp_perms) in the Oracle database.

I’ve got some nice ideas from Paul’s article.

Well done.

Geschrieben in 11g, Forensics, Oracle Security | Drucken | Keine Kommentare »

24 Mrz 2010 von Alexander Kornbrust.

Today Laszlo sent me an email that he published the English version of his Hacktivity 2009 talk “Oracle authentication” on his webpage. Laszlo was so nice to give me an English private session last year at the Hacktivity in Budapest.

His presentation contains the following topics:

• Introduction
• Oracle native authentication (database)
• Downgrade (Flash Demo)
• Windows authentication
• Module for Squirtle (Flash Demo)
• pytnsproxy  (Flash Demo)

I like the part where Laszlo shows how to hijack an Oracle session.

This presentation is a must for everyone interested in the Oracle authentication process.

Well done Laszlo.

Geschrieben in Tools, 11g, Oracle Security, Allgemein | Drucken | 1 Kommentar »

5 Feb 2010 von Alexander Kornbrust.

Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.

The video was downloaded several times and it’s just a question of time until it re-appears…

BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.

Geschrieben in 11g, Exploit, David Litchfield, Allgemein | Drucken | 5 Kommentare »