Archive for the ‘11g’ Category

Oracle 11.2.0.1 for Windows – dbms_jvm_exp_perms 0day fixed

Dienstag, April 6th, 2010

This weekend I installed the new version of Oracle 11.2.0.1 (64 bit) for Windows. The 11.2 version for Windows is available since a few days.

I installed the 64 bit version (default installation (next – next – …)) without any problems  on Windows 7 system. After that I run a default check with our database scanner Repscan 3 (the most advanced database scanner) against this new database version. According to Repscan this new 11.2.0.1 is no longer vulnerable against the DBMS_JVM_EXP_PERMS exploit and this is correct. Oracle has already fixed the problem. I expect a solution in the upcoming Oracle CPU April 2010.

A quick check in the Repscan database browser shows the difference in the privileges:

11.2.0.1.0 Linux:

Repscan Database Browser

11.2.0.1.0 Windows:

Repscan Database Browser

Oracle removed the public privilege from DBMS_JVM_EXP_PERMS and granted privileges to the roles „IMP_FULL_DATABASE“ and „DATAPUMP_EXP_FULL_DATABASE“.   The privileges of DBMS_JAVA and DBMS_JAVA_TEST are not modified.

The package DBMS_JVM_EXP_PERMS contains also a bug fix. A comparision between the Windows and Linux version shows the following differencein the package body.

— DBMS_JVM_EXP_PERMS  (only in 11.2.0.1 Windows) ——————
[…]
— Check privs
sys.dbms_zhelp_ir.check_sys_priv(DBMS_ZHELP_IR.KZSSTA);
[…]
— DBMS_JVM_EXP_PERMS ——————
After that I analyzed the Oracle database with the Repscan database browser (really useful component, just try the trial version of Repscan) found a few suspicous audit entries in my audit log (sys.aud$).

Repscan Database Browser

A user AIME from the terminal „ST-ADC\DADVFH0169“ had a connection to my database?I know that the terminal „ST-ADC\DADVFH0169“ is a terminal somewhere from Oracle. A backdoor in 11.2.0.1? Someone from Oracle was accessing my database?

No. After I checked the timestamp I saw that this entry was created 2 days BEFORE I installed my database. Oracle only forgot to cleanup the audit log before delivering it to customers. If you install Oracle 11.2.0.1 you should truncate the SYS.AUD$ table to avoid questions from (internal/external) auditors.

Oracle Java Forensics

Mittwoch, März 31st, 2010

Paul released a new article about Oracle Java Forensics. He describes how to find traces of Java attacks (e.g. via dbms_jvm_exp_perms) in the Oracle database.

I’ve got some nice ideas from Paul’s article.

Well done.

László Tóth published his Hacktivity presentation & a tool called pytnsproxy

Mittwoch, März 24th, 2010

Today Laszlo sent me an email that he published the English version of his Hacktivity 2009 talk „Oracle authentication“ on his webpage. Laszlo was so nice to give me an English private session last year at the Hacktivity in Budapest.

His presentation contains the following topics:

I like the part where Laszlo shows how to hijack an Oracle session.

This presentation is a must for everyone interested in the Oracle authentication process.

Well done Laszlo.

Oracle Blackhat video removed from Website

Freitag, Februar 5th, 2010

Blackhat removed the video from David Litchfield (containing the 0day exploit code for 11g) from their website. But it’s too late because the 0day code for 11g can be found in the meantime in many places.

The video was downloaded several times and it’s just a question of time until it re-appears…

BTW Oracle 10.2.0.4 with all security patches is vulnerable against this issue too. But the exploit must be modified a little bit.

IGHASHGPU – Cracking Oracle Passwords with 790 Million Passwords/second

Sonntag, November 29th, 2009

This time I want to present a new super-fast password cracker.Ivan Golubev released a new version of his password cracker IGhashGPU.  I know the tool for a while but in older versions of IGHASHGPU Oracle SHA1 passwords were not supported.

The new version 0.62 supports now also Oracle 11g hashes (SHA1 + salt). The remarkable thing is the speed of cracking passwords. Ivan’s cracker is using the GPU for cracking the passwords. Without a GPU (NVidia or ATI) or within  a virtual machine the tool is not working.

On a dual ATI 5970 configuration (forum entry) the tool can crack approx. 790 (!!!) Million hashes per second. A single ATI 4850 can achieve more than 300 Mill. hashes per second. This means that the new 11g password algorithm can be cracked approx 130 times faster than the old DES algorithm. I am not sure if it was a good idea from Oracle to use such a standard algorithm like SHA1 because this is together with MD5 one of the most optimized algorithms.

Here is a short comparison between cracking old Oracle DES based passwords and new Oracle 11g SHA1 based passwords. I used the fasted software BF password cracker for Oracle DES (Repscan  from Red-Database-Security or woraauthbf, both with approx. 6 Mill hashes on a Core i7) and compared it with the configuration of running IGHASHGPU on a dual 5970 configuration (790 Mill hashes per second).

Here are some benchmark numbers. I know that 11g supports case sensitive passwords but from my experience most people use normally lowercase passwords with the first character converted to uppercase.In such a case it is not necessary to crack the entire key space.

26 characters, length 6:   DES: 53 seconds,  SHA1: 0.4 seconds

26 characters, length 7:   DES: 23 min,  SHA1: 10 seconds

26 characters, length 8:   DES: 10 h,  SHA1: 4.6 minutes

26 characters, length 9:   DES: 11 days,  SHA1: 2 hours

26 characters, length 10:   DES: 283 days,  SHA1: 2 days

If you are interested to download the tool you can get it from here.