Archive for the ‘source code audit’ Category

How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it

Mittwoch, Februar 24th, 2010

I found the following nice article „How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password“ [271077.1] on My Oracle Support. As always if I see PL/SQL code I am looking for ways to find security problems or to bypass limitations.

SQL> conn  / as sysdba
Connected.

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent=’ALTER‘ and ora_dict_obj_type = ‚USER‘ and
(ora_dict_obj_name = ‚SYSTEM‘ or ora_dict_obj_name = ‚SYS‘)
THEN
RAISE_APPLICATION_ERROR(-20003,
‚You are not allowed to alter SYSTEM/SYS user.‘);
END IF;
END;
/

Trigger created.

SQL> conn scott/tiger
Connected.

SQL>alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user dbsnmp identified by dbsnmp;
User altered.

Many Oracle users are not aware that the grant command can also be used to change passwords or even create users („grant dba to user1,user2 identified by user1,user2“). In our case we can use this technique to bypass the database trigger.
SQL> grant connect to sys identified by alex;
Grant succeeded.

SQL> grant connect to system identified by alex;
Grant succeeded.

To fix this problem we have to block grant commands as well….

New Repscan 3.0 is available

Dienstag, Februar 23rd, 2010

The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large amount of new features and a complete new GUI (First database scanner with Office-2007 UI).

Repscan 3.0

Here some of the new features of Repscan 3.0:

  • Support for MS SQL Server (2000, 2005, 2008)
  • Extremely user-friendly database configuration wizard (screenshot)
  • Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
  • Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
  • New reports (performance, used_features, …)
  • Data Discovery (SSN, PII, Creditcard, Passwords, …)
  • Database Enumeration (custom, NMap support) (screenshot)
  • Pentest Features (Guess SID, Check default username/password combinations, …)
  • Exploit & Code Library (screenshot)
  • Version and Patch Information
  • Skins

Here some (old) features of Repscan:

  • Password plugin architecture
  • Password plugins for Oracle DES, SHA1, OID, APEX, OVS
  • Commandline features
  • PL/SQL Source Code Analysis Report

Here some statements of Repscan 3.0 users:

„Repscan Rocks“, „I must have this tool.“, „Very cool stuff“, „really like the clean interface… checks are great“, „…tend to be more Oracle security information hub than just scanner :-)“

Over the next  few weeks I will show here more details of some Repscan 3.0 features.

If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo

Best (insecure) Practice PL/SQL on OTN

Dienstag, Juli 31st, 2007

You already know that I like to analyze other people’s code. On OTN I found a nice article (most popluar developer article) „Best Practice PL/SQL from Steven Feuerstein“ (http://www.oracle.com/technology/pub/columns/plsql/index.html).
Steven Feuerstein is a well-known expert on the Oracle PL/SQL language. His disclaimer says that „Do not take the advice and recommendations herein at face value. You should always build yourself a test case and run it on your database, for your schema, on your computer.“  That’s OK but even (or especially) sample code should be secure. Disclaimers are a simple but not a good solution.
Especially if the code is posted as „Best Practice“.

The best practice contains some PL/SQL sample code for download, e.g. str2list.
„The str2list package accepts your string, delimiter, and the name of your package-based collection. It deposits the parsed items in your string directly into your collection. The collection can either be declared in the package specification (publicly accessible) or you can define it in the package body and then provide procedures to add to and delete from the collection. These will be called by str2list to populate the collection properly. It’s a useful utility as well as a great example of dynamic PL/SQL block execution.“
As always the same problem: no input-validation in some of the procedures (e.g. showlist or parse). This could allow an attacker to run custom PL/SQL code. PL/SQL injection is more severe than SQL Injection. I know that writing secure code takes time but I think it’s worth to do this, especially for sample code which is often used by many people. Just adding a disclaimer is in my opinion not the right way to deal with vulnerabilities.

A quick analysis of the code str2list.pkg (Source is from March 2005) shows the following vulnerable code:

—————— str2list.pkg ————————————————————
PROCEDURE showlist (
pkg            IN   VARCHAR2,
firstrowproc   IN   VARCHAR2,
nextrowproc    IN   VARCHAR2,
getvalfunc     IN   VARCHAR2,
showproc       IN   VARCHAR2 := ‚pl‘,
datatype       IN   VARCHAR2 := ‚VARCHAR2(32767)‘
)
IS
dynblock   VARCHAR2 (32767);
BEGIN
dynblock :=
‚DECLARE
indx PLS_INTEGER := ‚
|| pkg
|| ‚.‘
|| firstrowproc
|| ‚;
v_startloc PLS_INTEGER := 1;
v_item ‚
|| datatype
|| ‚;
BEGIN
LOOP
EXIT WHEN indx IS NULL;‘
|| showproc
|| ‚ (‚
|| pkg
|| ‚.‘
|| getvalfunc
|| ‚(indx));
indx := ‚
|| pkg
|| ‚.‘
|| nextrowproc
|| ‚(indx);
END LOOP;
END;‘;
EXECUTE IMMEDIATE dynblock;
EXCEPTION
WHEN OTHERS
THEN
disperr (dynblock);
END;—————— str2list.pkg ————————————————————

He that is without sin among you, let him first cast a stone at her

Montag, Juli 9th, 2007

On Tom Kyte’s blog , Pete Finnigan’s blog and Sven Vetter’s blog there are comments about SQL Injection in a bank application.

I know that SQL Injection is a big problem and especially the vulnerability in this banking application was really severe. But in the real world most developers write (or at least wrote) unsecure code. Often they use (unsecure) samples from books. But who is writing the books?
Why do you blame this poor little bank. Don’t throw the first stone…
Let’s do some quick check how secure the code from other people or companies (e.g. intelligence agencies) is…
—-

Expert One-on-One by Tom Kyte from 2001. 2 years after SQL Injection became public.
p. 707:
create or replace
function update_row (p_owner in varchar2, p_newDname in varchar2, p_newLoc in varchar2, p_deptno in varchar2, p_rowid out varchar2)
return number
is
l_theCursor integer;
l_columnvalue number default NULL;
l_status integer;
l_update long;
begin
l_update := ‚update ‚ || p_owner || ‚.dept
set dname = :bv1, loc = :bv2
where deptno = to_number(:pk)
returning rowid into :out‘;
l_theCursor := dbms_sql.open_cursor;
More code with SQL Injection (not complete I just skimmed through the book):

p710: execute immediate ’select count(*) from ‚||p_tname‘
p710: execute immediate ‚update ‚||p_owner||‘.dept…‘

p712, p724, p726, p727, p728, p729, 1087. I stopped her…
—-
Oracle Database 10g – The complete reference by Kevin Loney

page 577

Oracle Security in der Praxis by Frank Haas (German Oracle Security Book from a nice and clever Oracle Consultant)

page 139, 140

Effective Oracle Database 10g Security by design by David C. Knox

page 30

Database Security Technical Implementation Guide STIG V7.2, by the DISA (Defense Information Systems Agency responsible for DOD systems)
page 186 plus some more

Trivadis.com

PDF-file DBMS_SYS_SQL..PARSE_AS_USER:

page 1,2,4

Will be continued…

Oracle Security Riddle

Montag, Mai 28th, 2007

During Oracle security audits we find from time to time the following (unsecure) code. Do you see the vulnerability and do you know how to exploit it?

Solution coming soon…
———-Code without exception handling—

FUNCTION CHGPWD (
P_USER VARCHAR2,
P_PWD VARCHAR2)
RETURN BOOLEAN IS

L_STMT VARCHAR2(255);

BEGIN

L_STMT:= ‚ALTER USER „‚ || P_USER || ‚“ IDENTIFIED BY „‚ || P_PWD||'“‚;

EXECUTE IMMEDIATE L_STMT;

RETURN TRUE;

END;