23 Feb 2010 von Alexander Kornbrust.

The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large amount of new features and a complete new GUI (First database scanner with Office-2007 UI).

Here some of the new features of Repscan 3.0:

• Support for MS SQL Server (2000, 2005, 2008)
• Extremely user-friendly database configuration wizard (screenshot)
• Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
• Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
• New reports (performance, used_features, …)
• Data Discovery (SSN, PII, Creditcard, Passwords, …)
• Database Enumeration (custom, NMap support) (screenshot)
• Pentest Features (Guess SID, Check default username/password combinations, …)
• Exploit & Code Library (screenshot)
• Version and Patch Information
• Skins

Here some (old) features of Repscan:

• Password plugin architecture
• Password plugins for Oracle DES, SHA1, OID, APEX, OVS
• Commandline features
• PL/SQL Source Code Analysis Report

Here some statements of Repscan 3.0 users:

“Repscan Rocks”, “I must have this tool.”, “Very cool stuff”, “really like the clean interface… checks are great”, “…tend to be more Oracle security information hub than just scanner :-)”

Over the next  few weeks I will show here more details of some Repscan 3.0 features.

If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo

Geschrieben in software, Tools, source code audit, Security, Oracle Security, Allgemein | Drucken | Keine Kommentare »

15 Feb 2010 von Alexander Kornbrust.

Mike Smithers, a former colleague, maintains a nice blog called “The Anti-Kyte“. He wrote a really interesting article “Self-Inflicted SQL Injection – don’t quote me !” about SQL Injection in Oracle.

Well written Mike.

Geschrieben in SQL Injection, Oracle Security, Allgemein | Drucken | Keine Kommentare »

5 Feb 2010 von Alexander Kornbrust.

Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.

The video was downloaded several times and it’s just a question of time until it re-appears…

BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.

Geschrieben in 11g, Exploit, David Litchfield, Allgemein | Drucken | Keine Kommentare »

30 Jan 2010 von Alexander Kornbrust.

I came across an interesting article in the German newspaper FAZ. Someone is offering data of 1500 Swiss bank customers (with black money) to the German government for 2.5 Million EURO. A quick check of the tax fraud investigators showed that the data is reliable.

The Return on Invest (ROI) is approx. 100 Mill EUR for the German government (4% for the data thief). Our minister of finance is still thinking if he should make this deal. This would be good for the German government (more money, less taxes for Germans) but bad for the Swiss banking industry.

Geschrieben in Allgemein | Drucken | Keine Kommentare »

25 Nov 2009 von Alexander Kornbrust.

Shaomin Wang from Oracle has posted an interesting blog entry “How Oracle controls access to security vulnerabilities“. There are 3 different access types: Default Access, Global Access and Hierarchical Access.

Depending from the role inside of Oracle (e.g. Global Product Security staff, normal employees or their managers) people have the right to view an individual security bug or all security bugs.

This is a big improvement comparing to the time when I was an Oracle employee several years ago. At that time everybody inside of Oracle had access to security bug information.

The only problem nowadays are security bugs which are not marked as security bugs because Oracle support employees are not aware of the security impact of a normal bug. These bugs are often accessible via MyOracleSupport even for Oracle customers.

Geschrieben in Allgemein | Drucken | Keine Kommentare »

17 Nov 2009 von Alexander Kornbrust.

Metasploit 3.3, the leading exploit framework is out. Here an extract from the Metasploit blog:

“Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws. ”

Version 3.3. (release notes) is the largest known ruby application (375,000 lines of code) and comes with some new Oracle features

• Support for the Oracle InstantClient Ruby driver as an exploit mixin
• Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

Geschrieben in Tools, Exploit, Oracle Security, Allgemein | Drucken | Keine Kommentare »

17 Nov 2009 von Alexander Kornbrust.

In 3 weeks Paul Wright will give an 1 day workshop for SANS (Sat. 5. Dec. in London) about Database Activity Monitoring Systems (DAMS).  Paul will use the free Hedgehog Standard Edition in the class to demonstrate solutions for common problems like user monitoring, defending against public zero days, …

Here is the table of content:

1. Defend against public and zero day attacks via free custom written IDS rules
2. Gain  Compliance
3. User activity monitoring
4. Application monitoring
5. Sensitive data access monitoring
6. Diagnostics prior to changes such as CPU installation.

A case study about using DAMS from Paul Wright is available in the UKOUG Scene magazine (Issue 39).

You should not miss the chance to join this workshop because it can help your company/organization to secure their databases …

Geschrieben in Trainings, Allgemein | Drucken | Keine Kommentare »

8 Nov 2009 von Alexander Kornbrust.

I just read that SAP is now certified with Oracle Database Vault. This is an important step to increase the security of SAP systems. Well done Oracle. Let’s see if SAP customers will use this functionality.

The Oracle whitepaper “Best Practices Installing and Configuring Oracle Database Vault in an SAP Environment” decribes the step-by-step installation of database vault in SAP.

The following screenshot from the document (July-2009) contains an information disclosure bug for the Oracle SID (reported by me, fixed by Oracle with CPU July 2007). It seems that the installation of the security component was done with unpatched security software

Geschrieben in SAP, Allgemein | Drucken | Keine Kommentare »

13 Okt 2009 von Alexander Kornbrust.

Just back from a short trip to the Oracle Openworld where I gave a presentation “SQL Injection Crash Course for Developers“. This was the first time I talked at the Openworld in San Francisco. The feedback from the attendees was quite good.

In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanner. Really professional GUI, easy to use. Well done Ferruh

Supports the execution of SQL statements and OS commands on the DB server.

I also met the APEX team from Oracle and had a long interesting chat with them. Joel Kallmann gave me a few tips how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik posted today an interesting blog entry about SQL Injection too.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he mentions also the bug DB18 from January 2006, found by Imperva. AFAIK I was the first came up with the idea patching the oraclient9.dll  using a hex editor and then I sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this after David Litchfield released a small tool (part of OAK - Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client patching technique can be really useful.

Geschrieben in Tools, SQL Injection, Oracle Security, Allgemein | Drucken | Keine Kommentare »

6 Okt 2009 von Alexander Kornbrust.

Yesterday, Dennis Yurichev has published details about his FPGA based Oracle (DES) password cracker. His cracker can check up to 60 Mill. passwords per seconds (for short usernames) in brute force mode.

This is a good opportunity to show the current status of Oracle Password Cracking.
The benchmark numbers on our website are a little bit outdated and I will refresh them soon.

Here a quick summary of the fastest programs in every class (AFAIK, please correct me if you know
faster tools). All tests were performed on my old Core2Quad 2.4 GHz.
New Intel i7 would perform much faster (30-50%) comparing to Core2Quad.

If you look for pure numbers, dictionary based rainbow tables for DES are the fastest solution with approx. 250 Mill password hashes, followed by FPA with 60 Mill pw/sec, followed by brute force with 4 Mill pw/sec.

The SHA1 algorithm is a bad choice from the password cracking perspective because it can be cracked much faster (30 Mill pw/s instead of 4 Mill pw/s) on the same computer.

1. Dictionary Based (* Core2Quad 2.4 GHz)
DES: approx. 3 Mill pw/sec    (Repscan 3.0 and woraauthbf)
SHA1: approx. 19 Mill pw/sec  (Repscan 3.0)

2. Brute Force (* Core2Quad 2.4 GHz)
DES: up to 4 Mill pw/sec       (Repscan 3.0 and woraauthbf)
SHA1: approx. 30 Mill pw/sec   (Repscan 3.0)

3. Rainbow Table (* Core2Quad 2.4 GHz)
DES: n/a                       (Cain)
SHA1: hash salted, not useful

4. Dictionary based Rainbow Tables (* Core2Quad 2.4 GHz)
DES: up to 250 Mill pw/sec     (ophcrack)
SHA1: hash salted, not useful

5. FPGA
DES: up to 60 Mill pw/sec      (Dennis Yurichev)
SHA1: not available

6. GPCPU
DES:  n/a
SHA1: n/a (estimated 175 Mill pw/sec)

Geschrieben in Tools, passwords, Allgemein | Drucken | Keine Kommentare »