6 Apr 2010 von Alexander Kornbrust.

This weekend I installed the new version of Oracle 11.2.0.1 (64 bit) for Windows. The 11.2 version for Windows is available since a few days.

I installed the 64 bit version (default installation (next - next - …)) without any problems  on Windows 7 system. After that I run a default check with our database scanner Repscan 3 (the most advanced database scanner) against this new database version. According to Repscan this new 11.2.0.1 is no longer vulnerable against the DBMS_JVM_EXP_PERMS exploit and this is correct. Oracle has already fixed the problem. I expect a solution in the upcoming Oracle CPU April 2010.

A quick check in the Repscan database browser shows the difference in the privileges:

11.2.0.1.0 Linux:

11.2.0.1.0 Windows:

Oracle removed the public privilege from DBMS_JVM_EXP_PERMS and granted privileges to the roles “IMP_FULL_DATABASE” and “DATAPUMP_EXP_FULL_DATABASE”.   The privileges of DBMS_JAVA and DBMS_JAVA_TEST are not modified.

The package DBMS_JVM_EXP_PERMS contains also a bug fix. A comparision between the Windows and Linux version shows the following differencein the package body.

— DBMS_JVM_EXP_PERMS  (only in 11.2.0.1 Windows) ——————
[…]
– Check privs
sys.dbms_zhelp_ir.check_sys_priv(DBMS_ZHELP_IR.KZSSTA);
[…]
— DBMS_JVM_EXP_PERMS ——————
After that I analyzed the Oracle database with the Repscan database browser (really useful component, just try the trial version of Repscan) found a few suspicous audit entries in my audit log (sys.aud$).

A user AIME from the terminal “ST-ADC\DADVFH0169″ had a connection to my database?I know that the terminal “ST-ADC\DADVFH0169″ is a terminal somewhere from Oracle. A backdoor in 11.2.0.1? Someone from Oracle was accessing my database?

No. After I checked the timestamp I saw that this entry was created 2 days BEFORE I installed my database. Oracle only forgot to cleanup the audit log before delivering it to customers. If you install Oracle 11.2.0.1 you should truncate the SYS.AUD$ table to avoid questions from (internal/external) auditors.

Geschrieben in Repscan, 11g, Security | Drucken | Keine Kommentare »

31 Mrz 2010 von Alexander Kornbrust.

Paul released a new article about Oracle Java Forensics. He describes how to find traces of Java attacks (e.g. via dbms_jvm_exp_perms) in the Oracle database.

I’ve got some nice ideas from Paul’s article.

Well done.

Geschrieben in 11g, Forensics, Oracle Security | Drucken | Keine Kommentare »

24 Mrz 2010 von Alexander Kornbrust.

Today Laszlo sent me an email that he published the English version of his Hacktivity 2009 talk “Oracle authentication” on his webpage. Laszlo was so nice to give me an English private session last year at the Hacktivity in Budapest.

His presentation contains the following topics:

• Introduction
• Oracle native authentication (database)
• Downgrade (Flash Demo)
• Windows authentication
• Module for Squirtle (Flash Demo)
• pytnsproxy  (Flash Demo)

I like the part where Laszlo shows how to hijack an Oracle session.

This presentation is a must for everyone interested in the Oracle authentication process.

Well done Laszlo.

Geschrieben in Tools, 11g, Oracle Security, Allgemein | Drucken | 1 Kommentar »

5 Feb 2010 von Alexander Kornbrust.

Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.

The video was downloaded several times and it’s just a question of time until it re-appears…

BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.

Geschrieben in 11g, Exploit, David Litchfield, Allgemein | Drucken | 5 Kommentare »

29 Nov 2009 von Alexander Kornbrust.

This time I want to present a new super-fast password cracker.Ivan Golubev released a new version of his password cracker IGhashGPU.  I know the tool for a while but in older versions of IGHASHGPU Oracle SHA1 passwords were not supported.

The new version 0.62 supports now also Oracle 11g hashes (SHA1 + salt). The remarkable thing is the speed of cracking passwords. Ivan’s cracker is using the GPU for cracking the passwords. Without a GPU (NVidia or ATI) or within  a virtual machine the tool is not working.

On a dual ATI 5970 configuration (forum entry) the tool can crack approx. 790 (!!!) Million hashes per second. A single ATI 4850 can achieve more than 300 Mill. hashes per second. This means that the new 11g password algorithm can be cracked approx 130 times faster than the old DES algorithm. I am not sure if it was a good idea from Oracle to use such a standard algorithm like SHA1 because this is together with MD5 one of the most optimized algorithms.

Here is a short comparison between cracking old Oracle DES based passwords and new Oracle 11g SHA1 based passwords. I used the fasted software BF password cracker for Oracle DES (Repscan  from Red-Database-Security or woraauthbf, both with approx. 6 Mill hashes on a Core i7) and compared it with the configuration of running IGHASHGPU on a dual 5970 configuration (790 Mill hashes per second).

Here are some benchmark numbers. I know that 11g supports case sensitive passwords but from my experience most people use normally lowercase passwords with the first character converted to uppercase.In such a case it is not necessary to crack the entire key space.

26 characters, length 6:   DES: 53 seconds,  SHA1: 0.4 seconds

26 characters, length 7:   DES: 23 min,  SHA1: 10 seconds

26 characters, length 8:   DES: 10 h,  SHA1: 4.6 minutes

26 characters, length 9:   DES: 11 days,  SHA1: 2 hours

26 characters, length 10:   DES: 283 days,  SHA1: 2 days

If you are interested to download the tool you can get it from here.

Geschrieben in Tools, 11g | Drucken | 2 Kommentare »