Archive for the ‘SQL Injection’ Category

Newer Entries »

SQL Injection Notes in Oracle Metalink (updated)

Donnerstag, Januar 29th, 2009

4 years ago I published an article about “Metalink Hacking“.

Today I was looking again in Metalink for the search string “SQL Injection” and I found 2 interesting notes in Oracle’s knowledge base.
———–
Doc ID:     455801.1 – Updated 29-Jan-2009
DBTableOraDataSourceLoginModule Based Custom Login Module Has Faulty SQL Injection Detection

Applies to:
Oracle Containers for J2EE – Version: 10.1.3.0.0 to 10.1.3.3.0
This problem can occur on any platform.
Users with the characters “OR”/”or” in their name are not able to connect to the database.

The note mentions also an unpublished bug
5645982 –  – AUTHENTICATION FAILS FOR USERNAME CONTAINING “OR”, “UPDATE”, “DELETE”, ETC.
Interesting approach from Oracle. Just filter all reserved words to avoid SQL Injection. To bad for me that ALEXANDER contains the reserved word AND  and KORNBRUST the reserved word OR. Double whammy…

The good news is that Oracle has a patch for this problem.

1. Download and apply Patch 5645982 to a 10.1.3.3 installation
2. Restart the OC4J instance

I recommend a blog entry “Can you spell…” from Oracle Guru Tom Kyte…

———–

Second finding in Metalink was an exploit in the CMS from Stellent (aka Oracle Universal Content Management), aquired by Oracle in 2007. Publishing exploits with customer URLs is a bad style…

———–

Note 733017.1  from October 2008 says:
Version 6.2 of the Content Server has an SQL injection vulnerability.

Oracle was so nice to publish the exploit pointing to a customer site.

Scurity consultant report states:

Severity: 5
Port: 80
Name: SQL injection
Description: “An SQL injection vulnerability was identified in the following page:
http://customer.site/****&dID=1%20and%20convert
(varchar.(select%20@@version))=1

The back-end version return was ‘Microsoft SQL Server 2000 -8′</blockquote>”

– Business Impact:
Potential security threat

Cause
This is a known bug/issue with 7.5 and prior. (internal bug p51038621)

———————————–

Good to know that SQL Injection is just a potential security threat…

UPDATE:
Oracle removed note 733017.1 from Metalink.

Posted in Oracle Security, SQL Injection | 1 Comment »

First exploits for CPUJan2008 published

Donnerstag, Januar 31st, 2008

The first exploits for CPU January 2008 were published on milw0rm.com.

Alexandr Polyakov from Digital Security published 4 exploits for XMLDB. Alexandr found and reported these vulnerabilities mid of december 2007 to Oracle. It seems that someone else reported these errors before because Oracle NEVER fixes vulnerabilities within less than a month.

Posted in Exploit, SQL Injection | 8 Comments »

Oracle, white spaces and unexpected behaviour

Dienstag, Januar 15th, 2008

Last week I saw the blog entry „select 1.x from t1“ from Laurent concerning white spaces in select statements and Tom Kyte’s answer with a short explanation. Tanel Poder wrote a blog entry „Can you write a working SQL statement without using any whitespace?“ too.

In my opinion and from the security perspective making whitespaces optional in SQL statements is a bad idea because it’s an unexpected behavior. And this is always a bad idea.

Here a real life example from Oracle itself:
Two years ago I found a SQL Injection Vulnerability in the web component of XMLDB.

The exploit was looking like:

http://url/xmldb?param1=’||(select sysdate from dual)||‘

The result was a HTTP page containing the current date in an Oracle error message, a common exploit technique used by attackers.

The bugfix from the Oracle developer responsible for this component was to filter the URL for white spaces. Whenever a whitespace was part of the URL, the query was rejected. That’s why it was still possible to use functions (e.g. SYS_CONTEXT, …) but select statements were refused.

At that time I was not aware that SQL statements can be constructed without white spaces.

But with the knowledge from Laurent’s and Tanel’s blog entries I could rewrite the exploit

http://url/xmldb?param1=’||(select/**/sysdate/**/from“DUAL“)||‘

A quick check in the Oracle PL/SQL code shows that some Oracle packages are using whitespaces as token separator (with the function instr()). I was also able to create a buffer overflow with alter session (11g) in SQL*Plus using this technique.  I will digg deeper…

Quick question to my readers: Is this just an Oracle behavior or also possible in other databases like SQLServer or DB2.

Posted in Oracle Security, SQL Injection | 3 Comments »

Best (insecure) Practice PL/SQL on OTN

Dienstag, Juli 31st, 2007

You already know that I like to analyze other people’s code. On OTN I found a nice article (most popluar developer article) „Best Practice PL/SQL from Steven Feuerstein“ (http://www.oracle.com/technology/pub/columns/plsql/index.html).
Steven Feuerstein is a well-known expert on the Oracle PL/SQL language. His disclaimer says that „Do not take the advice and recommendations herein at face value. You should always build yourself a test case and run it on your database, for your schema, on your computer.“  That’s OK but even (or especially) sample code should be secure. Disclaimers are a simple but not a good solution.
Especially if the code is posted as „Best Practice“.

The best practice contains some PL/SQL sample code for download, e.g. str2list.
„The str2list package accepts your string, delimiter, and the name of your package-based collection. It deposits the parsed items in your string directly into your collection. The collection can either be declared in the package specification (publicly accessible) or you can define it in the package body and then provide procedures to add to and delete from the collection. These will be called by str2list to populate the collection properly. It’s a useful utility as well as a great example of dynamic PL/SQL block execution.“
As always the same problem: no input-validation in some of the procedures (e.g. showlist or parse). This could allow an attacker to run custom PL/SQL code. PL/SQL injection is more severe than SQL Injection. I know that writing secure code takes time but I think it’s worth to do this, especially for sample code which is often used by many people. Just adding a disclaimer is in my opinion not the right way to deal with vulnerabilities.

A quick analysis of the code str2list.pkg (Source is from March 2005) shows the following vulnerable code:

—————— str2list.pkg ————————————————————
PROCEDURE showlist (
pkg            IN   VARCHAR2,
firstrowproc   IN   VARCHAR2,
nextrowproc    IN   VARCHAR2,
getvalfunc     IN   VARCHAR2,
showproc       IN   VARCHAR2 := ‚pl‘,
datatype       IN   VARCHAR2 := ‚VARCHAR2(32767)‘
)
IS
dynblock   VARCHAR2 (32767);
BEGIN
dynblock :=
‚DECLARE
indx PLS_INTEGER := ‚
|| pkg
|| ‚.‘
|| firstrowproc
|| ‚;
v_startloc PLS_INTEGER := 1;
v_item ‚
|| datatype
|| ‚;
BEGIN
LOOP
EXIT WHEN indx IS NULL;‘
|| showproc
|| ‚ (‚
|| pkg
|| ‚.‘
|| getvalfunc
|| ‚(indx));
indx := ‚
|| pkg
|| ‚.‘
|| nextrowproc
|| ‚(indx);
END LOOP;
END;‘;
EXECUTE IMMEDIATE dynblock;
EXCEPTION
WHEN OTHERS
THEN
disperr (dynblock);
END;—————— str2list.pkg ————————————————————

Posted in Oracle Security, source code audit, SQL Injection | 3 Comments »

He that is without sin among you, let him first cast a stone at her

Montag, Juli 9th, 2007

On Tom Kyte’s blog , Pete Finnigan’s blog and Sven Vetter’s blog there are comments about SQL Injection in a bank application.

I know that SQL Injection is a big problem and especially the vulnerability in this banking application was really severe. But in the real world most developers write (or at least wrote) unsecure code. Often they use (unsecure) samples from books. But who is writing the books?
Why do you blame this poor little bank. Don’t throw the first stone…
Let’s do some quick check how secure the code from other people or companies (e.g. intelligence agencies) is…
—-

Expert One-on-One by Tom Kyte from 2001. 2 years after SQL Injection became public.
p. 707:
create or replace
function update_row (p_owner in varchar2, p_newDname in varchar2, p_newLoc in varchar2, p_deptno in varchar2, p_rowid out varchar2)
return number
is
l_theCursor integer;
l_columnvalue number default NULL;
l_status integer;
l_update long;
begin
l_update := ‚update ‚ || p_owner || ‚.dept
set dname = :bv1, loc = :bv2
where deptno = to_number(:pk)
returning rowid into :out‘;
l_theCursor := dbms_sql.open_cursor;
More code with SQL Injection (not complete I just skimmed through the book):

p710: execute immediate ’select count(*) from ‚||p_tname‘
p710: execute immediate ‚update ‚||p_owner||‘.dept…‘

p712, p724, p726, p727, p728, p729, 1087. I stopped her…
—-
Oracle Database 10g – The complete reference by Kevin Loney

page 577

Oracle Security in der Praxis by Frank Haas (German Oracle Security Book from a nice and clever Oracle Consultant)

page 139, 140

Effective Oracle Database 10g Security by design by David C. Knox

page 30

Database Security Technical Implementation Guide STIG V7.2, by the DISA (Defense Information Systems Agency responsible for DOD systems)
page 186 plus some more

Trivadis.com

PDF-file DBMS_SYS_SQL..PARSE_AS_USER:

page 1,2,4

Will be continued…

Posted in Oracle Security, source code audit, SQL Injection | 2 Comments »

Newer Entries »