Seducing the pants off Oracle
Transcript of Seducing the pants off Oracle
Gary Myers
The pictures are courtesy of http://picasaweb.google.com/silverghost1951
Computers don't "get" threats
AUTHENTICATION vs AUTHORISATION
• Passwords = AUTHENTICATION mechanism (who am I)
• With the DBA's username and password, I can convince the database I am the DBA
• DBA is typically authorised to do all (or most) things.
I AM YOUR WORST NIGHTMARE
or at least in your Top Ten
I Am Your Worst Nightmare
• External consultant (or contractor)
• Good understanding of Oracle
• Follow a lot of the (public) Oracle security chatter
• Only around for a short period
• Next week, I may be working for your competitor
• Next week, I may be unemployed
  – Motive is often malice or financial gain
  – Don't rule out sheer incompetence
  – Financial need often driven by…
    • Addiction to drugs or alcohol
    • Gambling debts or expensive women
    • Sydney house prices
I Am Your Worst Nightmare
• I have access to your offices
• I have access to your computers
• I have access to your databases
I Am Your Worst Nightmare
• I am a consultant (or contractor)
• I have a good understanding of Oracle
• I follow a lot of the (public) Oracle security talk
• I may only be around for weeks
• I may be working for your competitor next
• I may be unemployed next
• I have access to your offices
• I have access to your computers
• I probably have access to your databases
Means, Motive, Opportunity
RISK ASSESSMENT
Fall or be shot ?
It's All About Risks
• Denial of Service
• Unauthorised reads
• Unauthorised writes
• Unauthorised use
• Gateway to the Great Beyond
• Falling from buildings or being shot - not so much
DENIAL OF SERVICE
Your ride ends now...
Denial of Service
• Crash the database (or the listener)
• Catastrophic data loss
• Catastrophic data corruption
• Recovery is standard DR (disaster recovery) procedure
• Beware: the attack may be repeated once you have recovered
UNAUTHORISED READS
No peeking
Unauthorised Reads
Someone sees something they shouldn't
– Backups
– Redo / Undo files
– Trace files, dumps and exports
– Data in transit (client to/from server)
– Operating System (memory)
– Development and test databases
Unauthorised Reads
• Internal info (eg DBA_USERS)
• Inference
  – Clues about the data, even when the data itself cannot be read directly
Unauthorised Reads
• Don't store data you don't need
• Don't store a value where a hash will do (eg passwords)
• Encrypt personal information
• Encrypt financial information
• Limit 'back door' access (TDE: Transparent Data Encryption keeps datafiles, backups and exports unreadable outside the database)
• Individual authentication
• Regularly review authorisations
• Audit
Unauthorised Reads
Around a quarter of staff would steal information such as customer lists when they moved employment (The Register, 19th August 2010)
UNAUTHORISED WRITES
Destroying the evidence
Unauthorised Writes
• Insert, Update or Deletion of data
  – Could be 'regular' data
  – Could be 'tidying away' evidence (audit trail)
  – Could be the data dictionary (rootkit)
• Audit (to the OS, not the DB, so the person with write access to the database cannot tidy the trail away)
• Checksum packages, files…
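The "checksum packages, files" bullet is the detection side of the rootkit point above: a dictionary-view rootkit changes the text of objects such as DBA_USERS, and a baseline of checksums taken in a trusted state and kept outside the database will show it. The following is an added example, not code from the talk. The object names and source text are constructed stand-ins (the DBA_USERS text is a simplified imitation, not Oracle's real view definition); in practice the source would come from DBA_VIEWS.TEXT or DBA_SOURCE.

```python
import hashlib
import re

# Constructed stand-in for the source you would capture from DBA_VIEWS.TEXT /
# DBA_SOURCE in a trusted state and keep OUTSIDE the database, beside the OS audit files.
BASELINE_SOURCE = {
    "SYS.DBA_USERS": "select u.name username, u.user# user_id from sys.user$ u where u.type# = 1",
    "APP.BILLING_PKG": "package body billing_pkg is procedure post(p_id number) is begin null; end; end;",
}

# The same objects as an attacker might leave them: DBA_USERS now hides one account
# (the dictionary-view rootkit idea); the package was merely recompiled with new layout.
TAMPERED_SOURCE = {
    "SYS.DBA_USERS": "select u.name username, u.user# user_id from sys.user$ u "
                     "where u.type# = 1 and u.name <> 'SHADOW'",
    "APP.BILLING_PKG": "package body billing_pkg is\n  procedure post(p_id number) is begin null; end;\nend;",
}


def normalise(source):
    """Collapse runs of whitespace so a cosmetic recompile is not an alert,
    while any change to the tokens themselves still is. Case is preserved on
    purpose: string literals such as a hidden user name are case-sensitive."""
    return re.sub(r"\s+", " ", source).strip()


def checksum_objects(objects):
    """Map object name -> SHA-256 of the normalised source."""
    return {name: hashlib.sha256(normalise(src).encode("utf-8")).hexdigest()
            for name, src in objects.items()}


def compare_baseline(baseline, current):
    """Report objects whose checksum changed, or that appeared or vanished."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    report = compare_baseline(checksum_objects(BASELINE_SOURCE),
                              checksum_objects(TAMPERED_SOURCE))
    print(report)  # modified: ['SYS.DBA_USERS']; the recompiled package is not flagged
```

The baseline dictionary is the part that must live off the box: a checksum stored in the database it is meant to protect can be rewritten by the same person who rewrote the view.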
UNAUTHORISED USE
No personal calls !
Unauthorised Use
Using the database without permission
– Illegal / illicit (PCI)
– In excess of licensed functionality (contractors / consultants)
– Storing private data on the disks (cloud)
ESCAPING THE DATABASE
Out of the frying pan
Escaping The Database
• Use dev / test to get to Prod
• Use DR to get to Prod
• Use the database to get to the OS
• Use the DB server to get to other local machines
• Use the DB server to get to remote machines (HTTP etc)
• Use the db password for other apps
PASSWORDS
Password security
• Hashes = passwords (with the hash in hand, cracking is an offline job that no lockout policy throttles)
• Crack a million passwords / second
• Seven character passwords - Trivial
• Eight alphabetic character passwords - Trivial
• Eight character passwords plus a '1' on the end - Trivial
• Password fuzzers and Rainbow tables
Password Demo
• Create a fresh user in SQL*Plus
• Set a reasonable password
  – Not TIGER or MANAGER
  – Something that you'd remember though
• See whether ORABF will crack it
• Build the orabf command line from the stored hash:
  -- 10g and earlier: DBA_USERS.PASSWORD holds the 16-hex-digit DES verifier
  -- (11g shows NULL in this column; the verifiers live in SYS.USER$)
  select 'orabf '||password||':'||username
    from dba_users where username='GARY';
• cd C:\Documents and Settings\All Users\Documents\Common\orabf-v0.7.6
• orabf 9F868BD4F05CEE80:GARY -c pass_uniq.txt
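The demo above runs orabf against the pre-11g DES verifier. The earlier advice to "store a hash where a value will do" and the "hashes = passwords" slide both turn on the same point: a hash protects only as far as the password resists an offline guess. The following added example (not the talk's code) builds the 11g-style S: verifier, which Python's standard library can compute (SHA-1 over the password followed by a 10-byte salt, stored in sys.user$.spare4 as "S:" + 40 hex digits of hash + 20 hex digits of salt), and then runs a dictionary attack with the "word plus a single digit" rule the slides mention. The salt and wordlist are constructed; a real salt is random per password change.

```python
import hashlib
import string


def oracle11g_verifier(password, salt):
    """Build the 11g 'S:' verifier as stored in sys.user$.spare4:
    'S:' + hex(SHA-1(password || salt)) + hex(salt), with a 10-byte salt."""
    if len(salt) != 10:
        raise ValueError("Oracle 11g uses a 10-byte salt")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def parse_verifier(spare4):
    """Split an 'S:' verifier into (sha1_digest_bytes, salt_bytes)."""
    if not spare4.startswith("S:") or len(spare4) != 62:
        raise ValueError("not an 11g S: verifier")
    body = spare4[2:]
    return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])


def crack(spare4, wordlist, digit_suffix=True):
    """Offline dictionary attack. Each word is tried as-is and, if digit_suffix
    is set, with a single digit appended: the 'eight characters plus a 1 on the
    end' habit costs the attacker only ten extra guesses per word.
    Returns (recovered password or None, number of guesses made)."""
    target, salt = parse_verifier(spare4)
    guesses = 0
    for word in wordlist:
        candidates = [word] + ([word + d for d in string.digits] if digit_suffix else [])
        for cand in candidates:
            guesses += 1
            # One SHA-1 per guess: this is the loop that runs at millions/second in C.
            if hashlib.sha1(cand.encode("utf-8") + salt).digest() == target:
                return cand, guesses
    return None, guesses


# Constructed inputs: a fixed salt and a tiny wordlist standing in for pass_uniq.txt.
DEMO_SALT = bytes.fromhex("0102030405060708090A")
DEMO_VERIFIER = oracle11g_verifier("Rhubarb7", DEMO_SALT)
DEMO_WORDS = ["tiger", "manager", "Rhubarb", "welcome"]

if __name__ == "__main__":
    print(DEMO_VERIFIER)
    print(crack(DEMO_VERIFIER, DEMO_WORDS))  # ('Rhubarb7', 31)
```

The salt defeats rainbow tables (each user's hash needs its own table) but does nothing against a dictionary or mask attack on one account, which is why the slides' advice on password length and composition still applies once the hash has leaked.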
I AM YOUR WORST NIGHTMARE
…and I cheat
WRAPPING
The truth is in here
Wrapped Packages
• (Python) code for unwrapping 10g+ PL/SQL is on the web
• Oracle CPU release: changed packages WILL be unwrapped and compared to the 'old' version
• Shows vulnerabilities in the old code
• CPUs make vulnerabilities public!
INJECTION EXPLOITS
Exploits
• No benefit in discussing specifics
• Don't know any current 0-day ones
• Others fixed by CPUs
• What would you do with the information anyway?
• Hedgehog Sentrigo?
SQL Injection
• SQL injection is one of the major categories of computer vulnerability
• Typically poorly designed web applications
• Publicly available tools try to penetrate web-sites by crafting URLs
SQL (and PL/SQL) Injection
• Typically AUTHORISATION attacks
• Convince the database that you are authorised to perform the action
• Bypass any rules saying NO !
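The slides classify injection as an authorisation attack: the application already holds the privileges, and the attacker's text changes which statement those privileges execute. The following added example (not from the talk) shows the mechanism with Python's standard-library sqlite3 standing in for the database; the table, users and credentials are constructed. The vulnerable and the bound version differ only in how the value reaches the SQL parser.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an application's own user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO app_users VALUES (?, ?, ?)",
        [("gary", "s3cret", "DBA"), ("alice", "wombat", "READER")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: the statement is assembled by concatenation, so the input is
    parsed as SQL grammar rather than treated as a value."""
    sql = ("SELECT username, role FROM app_users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same query with bind variables: the input can only ever be a value,
    whatever quotes or keywords it contains."""
    sql = "SELECT username, role FROM app_users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Turns  ... AND password = 'x' OR '1'='1'  into (false) OR (true): every row qualifies.
INJECTED_PASSWORD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "gary", INJECTED_PASSWORD))  # ('gary', 'DBA') with no password
    print(login_safe(db, "gary", INJECTED_PASSWORD))        # None
```

The Oracle shape of the same bug is `EXECUTE IMMEDIATE 'select ... where name = ''' || p_name || ''''` inside a package; the fix is the `USING` clause for values and DBMS_ASSERT for identifiers that cannot be bound. When that package is definer's rights, the injected statement runs with the package owner's privileges rather than the caller's, which is the escalation route the next slide on supplied packages is about.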
Standard Packages
• Vulnerabilities in supplied packages often allow for privilege escalation
• Accounts like MDSYS have the CREATE ANY TRIGGER privilege
• Can be abused even if the account is locked: a locked account cannot log in, but its definer's-rights code still runs with its privileges
Corkscrew Thinking
Multiple steps to get around multiple barriers
AUDIT AND FORENSICS
Caught in the act… or afterwards
Forensics
• Database log file
• Web / application server log files
• Audit to an Operating System file
• FTP the file(s) somewhere safe
• Log Miner
• DDL triggers
• Block dumps, AWR, ORA_ROWSCN…
Useful References
• Pete Finnigan – www.petefinnigan.com
• Alexander Kornbrust – blog.red-database-security.com
• David Litchfield – Hacker's Handbooks (Database / Oracle)