Archive for the ‘Oracle Security’ Category

Marcell published „Writing your own password cracker“ presentation

Mittwoch, September 22nd, 2010

Marcell Major has published his really good presentation „Writing your own password cracker“ from the Hacktivity 2010 security conference in Budapest.

Marcell describes different ways to achieve this goal, e.g. source code analyze, debugging or reverse engineering.

With good examples Marcell showed the password analysis of Apache Derby, Sybase ASE old and new hashing algorithm. The new Sybase ASE (15.0.2+) uses SHA256 and the old SYS-PROB (<15.0.2) is based on an already broken FEAL algorithm. Especially the FEAL algorithm is quit complicated but a good example hat debugging/reversing could do.

  • The password cracker for Sybase ASE – SHA256 is called sybcrack and already released.
  • The password cracker for Sybase ASE – SYB-PROP (FEAL) will be released soon.

Laszlo’s presentation „Oracle Post Exploitation Techniques“ and Marcel’s Sybase ASE Password Cracker

Dienstag, September 21st, 2010

Last weekend I gave a presentation „Security comparison of different databases“ (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest. A blog entry dedicated to this will be released soon.

I saw Laszlo’s presentation „Oracle post exploitation techniques“ and got even a private sneak preview of his presentation in English 1 day before.

Laszlo talked about very very interesting things (at least for me) and I personally think that this is one of the best Oracle security research papers I know. Also some paranoid customers have to rethink their security architecture because this research affects DB Vault and Oracle TDE as well (every OS user can see every cleartext password during the logon process).

  • Decrypt the Enterprise Manager/Grid Control passwords in newer version.
    The simple way using sysman.decrypt() no longer works in newer version of Oracle. But his approach is reading the key from the file emkey.ora and using sysman.mgmt_time_sync to set the key. This works in new versions as well.
  • DLL injection:
    A malicious OS user (e.g. DBA or Unix root) on the database server can intercept the cleartext password on the database server during logon. He showed working examples running on Windows and Linux (!!!)
  • Decrypt TDE encrypted data and extract the TDE masterkey from the Oracle wallet
  • Analysis of the Oracle 11g Remote Job Scheduling.

The second really good presentation was from Marcell Major about reversing password algorithms. He showed different ways how to perform this and showed how he did this for Sybase ASE database passwords. Especially the old SYS-PROP based on a FEAL algorithm was really impressive. But this presentation is currently not online.

Marcell already released the password cracker for new Sybase ASE SHA256 algorithm.

Our new Repscan 4.0 supports now Sybase ASE, PostgreSQL and Microsoft SQL Azure and can crack all these passwords .

Update of „Project Lockdown“ released

Freitag, September 10th, 2010

Arup Nanda has released an update for „Project Lockdown“. This new version covers Oracle 11g (R1/R2) as well.

I found a few minor things which are not 100% correct but in general it  is a good introduction.

But there is something I never liked. It’s the recommendation how to check the Oracle database for weak passwords (according to my experience) this is the biggest problem in nearly every organization.

Just using dba_users_with_defpwd or comparing password hashes is not sufficient and misleading (password=username not found). Oracle 11g is using salted hashes and this concept does not work with the view dba_users_with_defpwd.

Why not using a real password checker like woraauthbf, ops_sse or Repscan? They check all the passwords independent from the database version.

My recommendation for the action plan:
Use a real password checker instead of only comparing password hashes

Oracle Presentations from Blackhat 2010 Las Vegas are online

Donnerstag, August 5th, 2010

After a longer break here a blog entry again:The presentations and documents from Blackhat 2010 Las Vegas are online.

This year 2 presentations from Esteban and Sid were dedicated to Oracle:

Hacking and protecting Oracle Database Vault – Esteban Fayo

Esteban describes different attacks against Oracle Database Vault.

These well-known techniques are

* With OS access

* Creating and executing a procedure in MACSYS schema

* SYS user can bypass DB Vault

* Impersonating SYS using SQL Injection

* Exploiting other vulnerabilities specific to DB Vault.

Keep in mind that Esteban decribes only a subset of possible attacks. There are for example  other possibilities to execute OS commands or impersonate other users available.

My favorite exploit from this presentation to bypass (older versions of) database vault is the following one:


SQL> connect onedba/onedba Connected. 

SQL> drop table cascade constraints;   

drop table cascade constraints   

* ERROR at line 1:   

ORA-00604: error occurred at recursive SQL level 1  

ORA-47401: Realm violation for drop table on HR.JOBS   

ORA-06512: at „DVSYS.AUTHORIZE_EVENT“, line 55  

 ORA-06512: at line 13 — Switch to a different NLS_LANGUAGE 


Session altered. 

SQL> drop table cascade constraints; 

Table dropped. 



It seems that some developers still not realized that there are other countries/languages outside of the US….


Here are the links from the Blackhat page (whitepaperpresentationscripts) .


Hacking Oracle from the Web – Sumit Siddarth (Sid)

Great summary with different possibilities (Privilege escalation, OS execution, …) how to exploit Oracle from vulnerable web apps.

Really good and useful collection of information. Sid’s blog contains also some nice videos.

Here is the link from the Blackhat page (whitepaper) .

Blackhat 2010 Presentation „Oracle, Interrupted: Stealing Sessions and Credentials“ online

Sonntag, April 18th, 2010

 The Blackhat Europe 2010 „Oracle, Interrupted: Stealing Sessions and Credentials“ (presentation, whitepaper) of Steve Ocepek and Wendel G. Henrique are online. An interview with Steve about the talk can be found here.

As mentioned in a previous blog post this talk  shows how to intercept unencrypted (=default) TNS connections and inject statements into a running session. Steve and Wendel will soon release 2 tools Vamp and thicknet.

I will try to present these tools at the DOAG Expertenseminar in Berlin.

DOAG Expertenseminar

A good summary of the talk can be found at Peter Van Eeckhoutten’s blog.