Alexander Kornbrust Oracle Security Blog

I just posted 2 new advisories for the July 2009 CPU from Oracle on my website.

The first advisory (CVE-2009-1021) is about PL/SQL Injection vulnerabilities in the package DBMS_EXPORT_EXTENSION. In July 2006 Oracle fixed already vulnerabilities in this package but the bugfix was not implemented properly.

The second advisory (CVE-2009-1969) is about an information disclosure problem in Oracle audit logs. In some cases these audit logs can contain password hashes.

Last Friday Denis Yurichev released 4 new advisories concerning the TNS Listener in Oracle 10g/11g. All advisories are explained with a proof-of-concept code.

The first and most critical bug (CVSS 9.0 Win/6.5 Linux) advisory (CVE-2009-1020)  is remote exploitable but requires an authentication. All databases (9.2.08, 10.1.0.5, 10.2.0.4 and 11.1.0.7) are affected.

The second advisory (CVE-2009-1019) is remote exploitable without authentication. The P.o.C.of Denis creates a denial of service against the database. All databases (9.2.08, 10.1.0.5, 10.2.0.4 and 11.1.0.7) are affected.

The third advisory (CVE-2009-1963) is remote exploitable with authentication. The P.o.C.of Denis creates a denial of service against the database.  11.1.0.7 is affected.

The fourth advisory (CVE-2009-1970), remote exploitable without authentication, is  a denial of service vulnerability against the database. Oracle  10.1.0.5, 10.2.0.4 and 11.1.0.6 are affected.

Oracle just released the April 2009 CPU.The database part of this Critical Patch Update (CPU) contains fixes for 16 security vulnerabilities in the Oracle database. 2 of the Oracle database vulnerabilities (Cluster Services, TNS Listener) are remote exploitable without authentication. The highest CVSS base score is 9.0 is a bug in the resource manager (Oracle 9.2 only) and requires create session privileges only.

This time Oracle has fixed 3 of our vulnerabilities (2 times SQL Injection in Oracle Advanced Queuing, Apex). The description from Oracle concerning the APEX problem is not correct. To access the APEX password hashes  there is no need for an APEX development user. A simple database user with create session is sufficient.

12 researchers are mentioned in this oracle advisory (2 from Red-Database Security (Franz Hüll and Alexander Kornbrust). The usual suspects (Esteban, Joxean and David) are part of the reporters again.

The most critical Oracle security bug (CVE-2009-0979) affects the Resource Manager in Oracle 9.2.

The following database components are affected:

• Advanced Queuing
• Application Express
• Cluster Ready Services
• Core RDBMS
• Database Vault
• Listener
• Password Policy
• Resource Manager
• SQLX Functions
• Workspace Manager

Red-Database-Securit released 3 advisories (SQL Injection in dbms_aqin, SQL Injection in dbms_aqadm_sys and unprivileged DB users can see APEX password hashes)

More details from the rest of this CPU, patches, exploits, …will be released within the next days.

Yesterday Pete Finnigan posted an entry „Is it possible to steal data with just ALTER SESSION?“ in his blog.

In this blog entry Pete describes various interesting possibilities to dump sensitive information from the database via ALTER SESSION, e.g. library cache, password hashes, …

It’s clear that „alter session“ offers many methods to dump data to the file system of the database server but without access to the (trace) file this information would be useless.

Pete talked also about the methods how to get such a trace file from the database server. According to Pete „a lot of“ databases where he performed a security audit had utl_file_dir set=* or directory objects to the tracefiles.

It would be interesting to know from Pete’s experience, on how many production systems a user with „alter session“ can access the tracefile  without asking the DBA for additional privileges, especially since „alter session“ was removed from the CONNECT role in 10g R2? 50% 20% 10% 1%?

I audited several hundred Oracle databases and so far only 5 of them had UTL_FILE_DIR=*. In my experience something less than 1%. At least far away from „a lot“. But probably our customer base has a different kind of database setup.
To steal the data from the server it is necessary to  have to privilege ALTER SESSION plus the right to get data from the file system.
The question is: What is more dangerous?  File Access from the database or the ALTER SESSION privilege?  It is clear that the best solution is to restrict/block both but this is not always possible.

I would vote for restricting/blocking file access because this will close many potential security holes. ALTER SESSION is only 1 problem.

A database with the setting UTL_FILE_DIR=* (btw utl_file_dir deprecated from Oracle since 9.2) has bigger problems than ALTER SESSION.

The important point in this discussion is to know all the different ways how a database user can access the file system of the database server. From my experience most DBAs do not know all documented ways how this can be performed.

I know 3 documented concepts in Oracle how to access the file system from the database.
* UTL_FILE_DIR / Directory Concept
* Java
* Oracle Text

Using these techniques (e.g. UTL_FILE_DIR=*, Java or Oracle Text) a database user can read any files (e.g. .bash_history, oracle password file, data_sources.xml) from the server.

UTL_FILE_DIR / ORACLE DIRECTORY / CREATE ANY DIRECTORY:
This setting / Oracle object / privilege is required to access files. The file access can be done via packages (e.g. dbms_lob, utl_file, dbms_advisor, …), external tables or via a simple SQL statement (XMLTYPE). Especially XMLTYPE is dangerous because this is exploitable from a vulnerable web application without using packages. An example how to do this could be found on my overview page Oracle SQL Injection via Web.

JAVA:
Special java privileges are needed to read files from the operating system.This is not granted to PUBLIC. A sample how this could be done is available here.

ORACLE TEXT:
Most DBAs are not aware of the possibility to read files via Oracle Text. By using the CTXAPP privilege plus a CREATE TABLE it is possible to read files from any directory of the database server.

— create a table
CREATE TABLE files (
id NUMBER PRIMARY KEY,
path VARCHAR(255) UNIQUE,
ot_format VARCHAR(6)
);

— insert the file (or URL!) you want to read into the table
INSERT INTO files VALUES (1, ‚c:\boot.ini‘, NULL);
— read the file/url by creating an Oracle Text index
CREATE INDEX file_index ON files(path) INDEXTYPE IS ctxsys.context
PARAMETERS (‚datastore ctxsys.file_datastore format column ot_format‘);

— retrieve the read data from the fulltext index
Select token_text from dr$file_index$i;

Sample Output
TOKEN_TEXT
—————————————————————-
0
1
30
Microsoft
Professional
WINDOWS
Windows
XP
boot
default
disk
Conclusion:

To harden a database there are many steps to perform. Blocking file and OS access is one of the most important steps. That’s why it is necessary for a DBA and also security researcher to know all ways how this could be performed.

The Oracle database is a huge product. If you know additional documented /undocumented ways how to access files do not hesitate to send me an email or to post a comment.