8 Mai 2008 von Alexander Kornbrust.

2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.

The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.

Here are the links:

• Checkpwd 1.23  [Mac - Intel - native] - 37 MB - with Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - without Oracle instant client
• Checkpwd 1.23  [Mac - Intel - native] - 68 KB - Passwords are not displayed

And here sidguess recompiled for Mac - Intel:

•  Sidguess 1.02  [Mac - Intel - native] - 16 KB -without Oracle instant client

Geschrieben in MacOS, passwords, checkpwd, Security, Oracle Security | Keine Kommentare »

11 Apr 2008 von Alexander Kornbrust.

Yesterday Oracle has published the pre-release announcement for the upcoming CPU next tuesday. According to this announcement the CPU will fix 41 security in various Oracle products. 17 vulnerabilities are affecting the Oracle Database.

• Advanced Queuing
• Audit
• Authentication
• Change Data Capture
• Core RDBMS
• Data Pump
• Export
• Oracle Application Express
• Oracle Net Services
• Oracle Secure Enterprise Search or Ultrasearch
• Oracle Spatial
• Query Optimizer

2 of these vulnerabilities are located in APEX and 2 of these 17 are remote exploitable (APEX?).

Tonight Oracle secalert will normally inform the researchers what vulnerabilities will be fixed by the upcoming CPU. It seems that some of our critical vulnerabilities (e.g. Bypass Oracle auditing in all databases) will be fixed next week.

More about the CPU next tuesday night or at HITB 2008 Dubai.  Cesar Cerrudo and I will be there.

Geschrieben in CPUApr2008, Security, Oracle Security | Keine Kommentare »

14 Jan 2008 von Alexander Kornbrust.

Today Sentrigo published a press release saying that in a survey 67% of the attendees never apply Oracle Critical Patch Updates on their system.

Geschrieben in Sentrigo, Security, Oracle Security | Keine Kommentare »

28 Nov 2007 von Alexander Kornbrust.

Sans updated their Top-20 list of security risks.

One section covers Oracle and Database Software. Since September 2006 there are 18 new CVE vulnerabilities with a CVSS base score of 7 or higher.

CVE-2006-5332, CVE-2006-5333, CVE-2006-5334, CVE-2006-5335, CVE-2006-5336, CVE-2006-5339, CVE-2006-5340, CVE-2006-5341, CVE-2006-5342, CVE-2006-5343, CVE-2006-5344, CVE-2006-5345, CVE-2006-7138, CVE-2007-0272, CVE-2007-1442, CVE-2007-2113, CVE-2007-2118, CVE-2007-5506.

Some of the most critical vulnerabilities in Oracle databases like the view / inline-view bug or the bypass logon trigger are not covered in the SANS list.

BTW.: Microsoft SQL Server has only 1 vulnerability: CVE-2007-4814

Geschrieben in Security, Oracle Security | 3 Kommentare »

22 Okt 2007 von Alexander Kornbrust.

Today I modified the Inguma PL/SQL Fuzzer a little bit (adding my own enhancements) and run it against 10.2.0.3 with Oracle Critical Patch Update (CPU) October 2007 applied. After running it for a while (without a database crash) Oracle reported the following errors messages in trace files:

—–
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kghuclientasp+118] [PC:0×603D67AE] [ADDR:0×9253768] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+205] [PC:0×8A7911] [ADDR:0×18] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_kxsdcbc+123] [PC:0×8A78BF] [ADDR:0×18] [UNABLE_TO_READ] []
ORA-07445: exception encountered: core dump [ACCESS_VIOLATION] [_qmuhshget_internal+228] [PC:0×605738A8] [ADDR:0×6474636B] [UNABLE_TO_READ] []
ORA-00600: internal error code, arguments: [kohcpi298], [], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [KGHALO2], [0×0], [], [], [], [], [], []
ORA-00600: internal error code, arguments: [qmsVarrayElemtds:pd or extra tmx], [], [], [], [], [], [], []
oracle.jdbc.driver.OracleSQLException: ORA-00933: SQL command not properly ended
oracle.jdbc.driver.OracleSQLException: ORA-01742: comment not terminated properly
oracle.jdbc.driver.OracleSQLException: ORA-01756: quoted string not properly terminated
——-

Some of the error messages are indication (just indication) for SQL Injection and buffer overflows. I will investigate…

Geschrieben in Inguma, Security, Oracle Security | 1 Kommentar »

14 Okt 2007 von Alexander Kornbrust.

From time to time I’m doing research on Russian websites (with Google Translate) because you can find interesting information and tools. Last week I found a small program Oracle scanner called goss a GUI Oracle Scanner.

This tools contains features like getting the SID (similar to sidguess), password guessing, retrieve password hashes from the database, …

The output is displayed in a new window.

Some of the features in this tool where not working properly against my test databases.

Geschrieben in software, Security, Oracle Security, Allgemein | Keine Kommentare »

9 Okt 2007 von Alexander Kornbrust.

Today Laszlo released his password cracker woraauthbf for Oracle, the fastest windows tool for cracking Oracle passwords (supports the new and old password hash format plus cracking the authentication attack).

On his webpage Laszlo has a small benchmark comparing the 3 leading password Oracle crackers checkpwd, orabf and woraauthbf. According to Laszlo’s benchmark checkpwd 1.22 is the slowest cracker (but only out of these 3).

I was surprised that checkpwd was so slow comparing to the benchmarks I did on my systems. The reason for this is bad result was the way how Laszlo performed the tests.

Laszlo was testing only 1 password hash. The implementation of reading of the dictionary file is slow that’s why this affects the entire result of checkpwd. In the real world you are normally testing many password hashes and not only 1 hash
That’s why I run a benchmark how long it takes to crack 40 hashes (instead of 1 hash) with the new checkpwd 2.0 which supports reading passwords hashes from a text file (to get rid of the file reading overhead). I run the tests on my 2 GHz Core2Duo.

woraauthbf 0.2 1.103.773 pw/s (Laszlo: 515114 pw/s)

checkpwd 2.0 637.263 pw/s (Laszlo: 193.168 pw/s)

orabf 0.76 400.000 pw/s (Laszlo: 311.994 pw/s)

Checkpwd 2.0 was nearly 2 times faster in this benchmark (just by cracking 40 instead of 1 password (637.263 vs 309.057)).

In checkpwd 2.0 we will focus on intelligent password cracking instead of pure power but we are still interested to improve the speed of checkpwd.
Here some new features of checkpwd 2 (released next week)

* cracking APEX passwords
* support for Oracle 11g
* support for Oracle Password History
* intelligent password collector
* many new options
* …

Geschrieben in 11g, checkpwd, Security, Oracle Security | Keine Kommentare »

30 Aug 2007 von Alexander Kornbrust.

Yesterday the US Cert published an advisory that the ActiveX control of Jinitiator 1.1.18.16 and earlier contains multiple buffer overflows allowing remote code execution. Even a new installation of Jinitiator does not fix the problem because the old, vulnerable control will not be removed. The US Cert recommends to disable ActiveX or to set the appropriate killbit.

Create and execute the following textfile to set the killbit. Additional information about killbits and activeX are available in the following Microsoft support note 240797.

———–killbit.reg—————

Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9b935470-ad4a-11d5-b63e-00c04faedb18}]
“Compatibility Flags”=dword:00000400

———–killbit.reg—————

Geschrieben in Security, Oracle Security | Keine Kommentare »

21 Aug 2007 von Alexander Kornbrust.

Red-Database-Security GmbH in Germany and PeteFinnigan.com Limited in the UK are pleased to announce an exclusive partnership to promote and sell services / training and products to give customers the best choices in securing Oracle databases. Pete Finnigan and Alex Kornbrust are both world leaders in the field of securing Oracle databases and this exclusive partnership will provide a stronger combined proposition for customers of both companies. Alex and Pete are pleased to announce an exclusive and exciting limited opportunity to attend a 5 day Oracle Anti Hacker training in London from October 29th to November 2nd. The places are limited so don’t miss this unique opportunity. See www.petefinnigan.com and www.red-database-security.com for more details and to register.”

Geschrieben in Trainings, Security, Oracle Security, Allgemein | 2 Kommentare »