Archive for the ‘Security’ Category

Fix for oradebug disable auditing available (11.2.0.3/11.2.0.4/12.1.0.1)

Freitag, September 13th, 2013

2 days ago I gave a presentation „Oracle 12c from the attackers perspective“ at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug „disable auditing“ problem is available since 9 months.

Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA and normal auditing on the fly without leaving traces in the audit log. The fix for this problem is available in Oracle 11.2.0.4/12.1.0.1 and was backported to 11.2.0.3 using the patches 15805002, 15808245, 16177780.

By default the setting is not enabled in Oracle 11.2.0.4/12.1..0.1.

The undocumented parameter  _fifteenth_spare_parameter (Oracle Description: fifteenth spare parameter – integer – Yeah, really useful)  can now disable or limit the oradebug functionality. I could not find any information about this parameter on google or my oracle support.

—— extract from the read me.txt of the patch file——————

## _fifteenth_spare_parameter can be set to „all“, „restricted“ or „none“
## „all“ disables execution of all oradebug commands, „restricted“ disables
## execution of restricted oradebug commands, „none“ (default) allows execution
## of oradebug commands.

—— extract from the read me.txt ——————

 

 

2 Cebit 2012 Presentations about Database Security

Freitag, März 9th, 2012

I just uploaded 2 presentations I gave at the Cebit 2012.

DOAG 2011 Presentation „Best of Oracle Security 2011“

Freitag, November 18th, 2011

I just uploaded my DOAG 2011 presentation „Best of Oracle Security 2011„.

Cool Web Application Scanner: Netsparker Community Edition

Donnerstag, April 8th, 2010

Today I want to present the Netsparker Community Edition.

Netsparker (from Mavituna Security) is the best web application scanner I know. Easy to use and a really good web application scanning results.  It saved me a lot of time and helped me to find security bugs in Oracle applications (Enterprise Manager).

The best thing: The new community edition is free (OK, with some limitations).

The commercial versions have even more interesting features like Time Based Blind SQL Injection, Remote Code Injection, OS Level Command Injection , CRLF / HTTP Header Injection / Response Splitting, …. The entire feature (and price) list is available here.

Here is a screenshot from Netsparker:

Netsparker Community Edition

If you are interested just download the community edition.

Oracle 11.2.0.1 for Windows – dbms_jvm_exp_perms 0day fixed

Dienstag, April 6th, 2010

This weekend I installed the new version of Oracle 11.2.0.1 (64 bit) for Windows. The 11.2 version for Windows is available since a few days.

I installed the 64 bit version (default installation (next – next – …)) without any problems  on Windows 7 system. After that I run a default check with our database scanner Repscan 3 (the most advanced database scanner) against this new database version. According to Repscan this new 11.2.0.1 is no longer vulnerable against the DBMS_JVM_EXP_PERMS exploit and this is correct. Oracle has already fixed the problem. I expect a solution in the upcoming Oracle CPU April 2010.

A quick check in the Repscan database browser shows the difference in the privileges:

11.2.0.1.0 Linux:

Repscan Database Browser

11.2.0.1.0 Windows:

Repscan Database Browser

Oracle removed the public privilege from DBMS_JVM_EXP_PERMS and granted privileges to the roles „IMP_FULL_DATABASE“ and „DATAPUMP_EXP_FULL_DATABASE“.   The privileges of DBMS_JAVA and DBMS_JAVA_TEST are not modified.

The package DBMS_JVM_EXP_PERMS contains also a bug fix. A comparision between the Windows and Linux version shows the following differencein the package body.

— DBMS_JVM_EXP_PERMS  (only in 11.2.0.1 Windows) ——————
[…]
— Check privs
sys.dbms_zhelp_ir.check_sys_priv(DBMS_ZHELP_IR.KZSSTA);
[…]
— DBMS_JVM_EXP_PERMS ——————
After that I analyzed the Oracle database with the Repscan database browser (really useful component, just try the trial version of Repscan) found a few suspicous audit entries in my audit log (sys.aud$).

Repscan Database Browser

A user AIME from the terminal „ST-ADC\DADVFH0169“ had a connection to my database?I know that the terminal „ST-ADC\DADVFH0169“ is a terminal somewhere from Oracle. A backdoor in 11.2.0.1? Someone from Oracle was accessing my database?

No. After I checked the timestamp I saw that this entry was created 2 days BEFORE I installed my database. Oracle only forgot to cleanup the audit log before delivering it to customers. If you install Oracle 11.2.0.1 you should truncate the SYS.AUD$ table to avoid questions from (internal/external) auditors.