Decrypt Oracle 11.2.0.3 and 12.1.0.1 database link passwords

October 2nd, 2013

At Derbycon 3.0, László Tóth and Ferenc Spala gave a new presentation "What's common in Oracle and Samsung? They tried to think differently…" (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy, but there was also a small Oracle part.

Laszlo and Ferenc showed how to decrypt Oracle database link passwords in Oracle 11.2.0.3 and Oracle 12.1.0.1 using a small utility called "oradecrlink.py". In previous versions Oracle used DES to encrypt/decrypt database link passwords; those stored passwords start with "05" (Oracle's indicator for DES).
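The practical takeaway for a DBA is that stored database link passwords are recoverable by anyone with SYS-level access, whatever scheme they use, so the links and the privileges of their remote accounts are worth inventorying. The following query is an added example (not from the post and not part of oradecrlink.py) that lists the links an instance stores and flags the ones still carrying the "05" DES marker described above. It assumes it is run as SYS, that SYS.LINK$ exposes the columns OWNER#, NAME, HOST, USERID and PASSWORDX (the 11g layout; check with DESC sys.link$ first), and that the "05" prefix is visible at the start of PASSWORDX as stored.

```sql
-- Added example, not code from the blog post or from oradecrlink.py.
-- Assumptions: run as SYS; SYS.LINK$ has OWNER#, NAME, HOST, USERID,
-- PASSWORDX (11g layout) and the '05' DES marker is the first two
-- characters of PASSWORDX. Verify the column list with DESC sys.link$.
SELECT u.name   AS link_owner,
       l.name   AS db_link,
       l.host   AS connect_string,
       l.userid AS remote_user,
       CASE
         WHEN l.passwordx IS NULL                 THEN 'no stored password'
         WHEN SUBSTR(l.passwordx, 1, 2) = '05'    THEN 'DES (legacy, prefix 05)'
         ELSE                                          'newer scheme'
       END AS password_scheme
  FROM sys.link$ l
  JOIN sys.user$ u ON u.user# = l.owner#
 ORDER BY link_owner, db_link;
```

Any link in the output, legacy or not, should point at a remote account with only the privileges the link actually needs, since the post shows that the stored password itself cannot be treated as a secret from a privileged local user.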


Fix for oradebug disable auditing available (11.2.0.3/11.2.0.4/12.1.0.1)

September 13th, 2013

2 days ago I gave a presentation "Oracle 12c from the attackers perspective" at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug "disable auditing" problem has been available for 9 months.

Oradebug allows running OS commands and enabling/disabling Oracle SYSDBA and normal auditing on the fly without leaving traces in the audit log. The fix for this problem is available in Oracle 11.2.0.4/12.1.0.1 and was backported to 11.2.0.3 with the patches 15805002, 15808245 and 16177780.

By default the restriction is not enabled in Oracle 11.2.0.4/12.1.0.1.

The undocumented parameter _fifteenth_spare_parameter (Oracle's description: "fifteenth spare parameter – integer" – yeah, really useful) can now disable or limit the oradebug functionality. I could not find any information about this parameter on Google or My Oracle Support.

—— extract from the readme.txt of the patch file ——

## _fifteenth_spare_parameter can be set to „all“, „restricted“ or „none“
## „all“ disables execution of all oradebug commands, „restricted“ disables
## execution of restricted oradebug commands, „none“ (default) allows execution
## of oradebug commands.

—— end of extract from the readme.txt ——
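The readme gives the three values but not how to set or check the parameter. The following is an added example (not from the patch readme or this post) of how a DBA would read the current value and switch on the restriction. It assumes the parameter is set like any other underscore parameter with ALTER SYSTEM and a quoted name, that it is static and therefore needs SCOPE=SPFILE plus an instance restart, and that the hidden value is read back from X$KSPPI/X$KSPPCV as SYS.

```sql
-- Added example, not from the patch readme or the blog post.
-- Assumptions: run as SYS; the parameter is static (SCOPE=SPFILE + restart);
-- hidden parameters are read from X$KSPPI / X$KSPPCV, not V$PARAMETER.

-- 1. Current value and Oracle's own description of the parameter
SELECT i.ksppinm  AS parameter_name,
       v.ksppstvl AS current_value,
       i.ksppdesc AS description
  FROM x$ksppi  i
  JOIN x$ksppcv v ON v.indx = i.indx
 WHERE i.ksppinm = '_fifteenth_spare_parameter';
-- on an unpatched or default instance this reads 'none' (oradebug allowed)

-- 2. Enable the restriction. Per the readme: 'all' blocks every oradebug
--    command, 'restricted' blocks only the restricted ones, 'none' allows all.
ALTER SYSTEM SET "_fifteenth_spare_parameter" = 'restricted' SCOPE = SPFILE;

-- 3. Restart so the new value takes effect (assumed: static parameter)
--    SHUTDOWN IMMEDIATE;
--    STARTUP;

-- 4. Re-run the query from step 1; current_value should now be 'restricted'.
```

Use 'all' rather than 'restricted' if nothing on the instance depends on oradebug at all; either value is a candidate for a hardening checklist, since the default of 'none' leaves the auditing bypass described above in place.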


DOAG 2012: Best of Oracle Security 2012

November 22nd, 2012

Yesterday I gave a presentation „Best of Oracle Security 2012“ at the DOAG 2012 conference in Nürnberg.

Best of Oracle Security

Self-Defending Databases

November 2nd, 2012

I just uploaded my Hashdays 2012 talk "Self-Defending Databases" to the Red-Database-Security website. The talk explains how to detect SQL Injection attacks in databases (Oracle/MSSQL/MySQL) and how to react in case of a SQL Injection (e.g. done with Pangolin, Havij or Netsparker).

Initially the idea covered only Oracle and MSSQL, but Xavier Mertens extended the concept to MySQL (MySQL Attacks Self-Detection) after he saw my presentation at the Hashdays Management Session.

2 Cebit 2012 Presentations about Database Security

March 9th, 2012

I just uploaded the 2 presentations I gave at Cebit 2012.