Seducing the pants off Oracle

Post on 24-Feb-2016


Gary Myers

The pictures are courtesy of http://picasaweb.google.com/silverghost1951

Computers don't "get" threats

AUTHENTICATION vs AUTHORISATION

• Passwords = AUTHENTICATION mechanism (who am I)

• With the DBA's username and password, I can convince the database I am the DBA

• DBA is typically authorised to do all (or most) things.

I AM YOUR WORST NIGHTMARE

or at least in your Top Ten

I Am Your Worst Nightmare

• I am a consultant (or contractor)
• I have a good understanding of Oracle
• I follow a lot of the (public) Oracle security talk
• I may only be around for weeks
• I may be working for your competitor next
• I may be unemployed next
  – Motive is often malice or financial gain
  – Don't rule out sheer incompetence
  – Financial need often driven by…
    • Addiction to drugs or alcohol
    • Gambling debts or expensive women
    • Sydney house prices
• I have access to your offices
• I have access to your computers
• I probably have access to your databases

Means

Motive

Opportunity

RISK ASSESSMENT

Fall or be shot ?

It's All About Risks

• Denial of Service
• Unauthorised reads
• Unauthorised writes
• Unauthorised use
• Gateway to the Great Beyond
• Falling from buildings or being shot - not so much

DENIAL OF SERVICE

Your ride ends now...

Denial of Service

• Crash the database (or listener)
• Catastrophic data loss
• Catastrophic data corruption
• Standard DR recovery
• Beware: attack may be repeated

UNAUTHORISED READS

No peeking

Unauthorised Reads

Someone sees something they shouldn't
  – Backups
  – Redo / Undo files
  – Trace files, dumps and exports
  – Data in transit (client to/from server)
  – Operating System (memory)
  – Development and test databases

Unauthorised Reads

• Internal info (eg DBA_USERS)
• Inference
  – Clues about data

Unauthorised Reads

• Don't store data you don't need
• Don't store a value where a hash will do (eg passwords)
• Encrypt personal information
• Encrypt financial information
• Limit 'back door' access (TDE)
• Individual authentication
• Regularly review authorisations
• Audit

Unauthorised Reads

"Around a quarter of staff would steal information such as customer lists when they moved employment" (The Register, 19th August 2010)

UNAUTHORISED WRITES

Destroying the evidence

Unauthorised Writes

• Insert, Update or Deletion of data
  – Could be 'regular' data
  – Could be 'tidying away' evidence (audit trail)
  – Could be data dictionary (rootkit)
• Audit (to OS, not DB)
• Checksum packages, files…

UNAUTHORISED USE

No personal calls !

Unauthorised Use

Using the database without permission
  – Illegal / illicit
    • PCI
  – In excess of licensed functionality
    • Contractors / Consultants
  – Storing private data on the disks
    • Cloud

ESCAPING THE DATABASE

Out of the frying pan

Escaping The Database

• Use dev / test to get to Prod
• Use DR to get to Prod
• Use database to get to OS
• Use DB server to get to other local machines
• Use DB server to get to remote machines (HTTP etc)
• Use DB password for other apps

PASSWORDS

Password security

• Hashes = passwords
• Crack a million passwords / second
• Seven character passwords - Trivial
• Eight alphabetic character passwords - Trivial
• Eight character passwords plus a '1' on the end - Trivial
• Password fuzzers and Rainbow tables

Password Demo

• Create fresh user in SQL*Plus
• Set a reasonable password
  – Not TIGER or MANAGER
  – Something that you'd remember though
• See whether ORABF will crack it

  select 'orabf '||password||':'||username
  from dba_users where username='GARY';

  cd C:\Documents and Settings\All Users\Documents\Common\orabf-v0.7.6
  orabf 9F868BD4F05CEE80:GARY -c pass_uniq.txt
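The defensive counterpart to the demo above, as an added example that is not part of the original slides: a password profile that stops the short and predictable passwords the deck calls trivial from being set at all, and slows online guessing. It assumes Oracle 11g, where utlpwdmg.sql installs VERIFY_FUNCTION_11G and DBA_USERS_WITH_DEFPWD exists; the profile name is constructed, the user GARY is the one from the demo.

```sql
-- Added example, not from the original slides. Assumes Oracle 11g.
-- Install the supplied verify function first, as SYS:  @?/rdbms/admin/utlpwdmg.sql

-- Profile name is a constructed example.
CREATE PROFILE secure_app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock the account after five bad guesses
  PASSWORD_LOCK_TIME       1/24       -- keep it locked for an hour (fraction of a day)
  PASSWORD_LIFE_TIME       90         -- force a change every 90 days
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function_11g;  -- rejects short / dictionary passwords

-- Move the demo user from DEFAULT onto the hardened profile
ALTER USER gary PROFILE secure_app_profile;

-- Review: open accounts whose profile still has no verify function.
-- DBA_PROFILES shows the text 'NULL' for an unset limit on DEFAULT and
-- 'DEFAULT' for a profile that inherits it.
SELECT u.username, u.profile, u.account_status
  FROM dba_users    u
  JOIN dba_profiles p
    ON p.profile       = u.profile
   AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
 WHERE p.limit IN ('NULL', 'DEFAULT')
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- Review: open accounts still on an Oracle-shipped default password
-- (the TIGER / MANAGER case from the slide)
SELECT d.username
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN';
```

Both reviews return rows that should be empty on a hardened instance; a non-empty result is the list of accounts the demo's cracker would get to first.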

I AM YOUR WORST NIGHTMARE

…and I cheat

WRAPPING

The truth is in here

Wrapped Packages

• (Python) code for unwrapping 10g+ PL/SQL is on the web
• Oracle CPU release: changed packages WILL be unwrapped and compared to the 'old' version
• Shows vulnerabilities in old code
• CPUs make vulnerabilities public!

INJECTION EXPLOITS

Exploits

• No benefit in discussing specifics
• Don't know any current 0-day ones
• Others fixed by CPUs
• What would you do with the information anyway?
• Hedgehog Sentrigo?

SQL Injection

• SQL injection is one of the major categories of computer vulnerability
• Typically poorly designed web applications
• Publicly available tools that try to penetrate web-sites by crafting URLs

SQL (and PL/SQL) Injection

• Typically AUTHORISATION attacks

• Convince the database that you are authorised to perform the action

• Bypass any rules saying NO !

Standard Packages

• Vulnerabilities in supplied packages often allow for privilege escalation
• Accounts like MDSYS have CREATE ANY TRIGGER privilege
• Can be abused even if account is locked
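The "regularly review authorisations" step applied to this slide, as an added example that is not part of the original deck: a query over the data dictionary for the ANY privileges that a bug in a supplied package would hand over. Locked accounts are deliberately kept in the result, since (as the slide says) the privilege is usable even when the account cannot log in; the privilege list is a constructed starting point, not Oracle's.

```sql
-- Added example, not from the original slides. Works on any 10g+ dictionary.

-- 1. Direct grants of escalation-grade system privileges, locked accounts included.
--    account_status is NULL for grantees that are roles rather than users.
SELECT p.grantee,
       NVL(u.account_status, 'ROLE') AS account_status,
       p.privilege,
       p.admin_option
  FROM dba_sys_privs p
  LEFT JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege IN ('CREATE ANY TRIGGER',  'CREATE ANY PROCEDURE',
                       'EXECUTE ANY PROCEDURE','ALTER ANY TABLE',
                       'SELECT ANY TABLE',     'GRANT ANY PRIVILEGE',
                       'ALTER ANY TRIGGER',    'CREATE ANY VIEW')
 ORDER BY p.privilege, p.grantee;

-- 2. The same privileges reached through a role (one level): a user who holds
--    a role that holds CREATE ANY TRIGGER does not show up in query 1.
SELECT DISTINCT r.grantee, r.granted_role, p.privilege
  FROM role_sys_privs p
  JOIN dba_role_privs r ON r.granted_role = p.role
 WHERE p.privilege LIKE '%ANY%'
 ORDER BY r.grantee, p.privilege;

-- 3. Which of those powerful schemas expose packages to everyone?
--    A PUBLIC EXECUTE grant on a definer-rights package is the usual entry point.
SELECT t.owner, t.table_name AS package_name
  FROM dba_tab_privs t
  JOIN dba_objects  o ON o.owner = t.owner AND o.object_name = t.table_name
 WHERE t.grantee   = 'PUBLIC'
   AND t.privilege = 'EXECUTE'
   AND o.object_type = 'PACKAGE'
   AND t.owner IN (SELECT grantee FROM dba_sys_privs
                    WHERE privilege = 'CREATE ANY TRIGGER')
 ORDER BY t.owner, t.table_name;
```

Query 3 is the one to act on: revoking EXECUTE from PUBLIC on a package you do not use closes the route without touching the locked owner account.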

Corkscrew Thinking

Multiple steps to get around multiple barriers

AUDIT AND FORENSICS

Caught in the act… or afterwards

Forensics

• Database log file
• Web / application server log files
• Audit to an Operating System file
• FTP the file(s) somewhere safe
• Log Miner
• DDL triggers
• Block dumps, AWR, ORA_ROWSCN…
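"Audit to an Operating System file" from this slide and "Audit (to OS, not DB)" from the Unauthorised Writes slide, as an added configuration example that is not part of the original deck. It assumes a 10g/11g instance using an spfile; the audit directory path is a constructed example.

```sql
-- Added example, not from the original slides.
-- Send the audit trail to OS files so a DBA-level attacker cannot "tidy away"
-- evidence with DELETE FROM SYS.AUD$. Both parameters are static: restart to apply.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA actions too

-- Directory (constructed path) that the oracle OS user can append to but not
-- delete from; ownership and permissions are set by the sysadmin, not the DBA.
ALTER SYSTEM SET audit_file_dest = '/var/log/oracle/audit' SCOPE = SPFILE;

-- After the restart, audit the events the deck is concerned with
AUDIT SESSION;                                     -- every logon, including failures
AUDIT CREATE USER, ALTER USER, DROP USER;          -- changes to authentication
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;         -- changes to authorisation
AUDIT CREATE ANY TRIGGER, CREATE ANY PROCEDURE;    -- the escalation routes earlier
AUDIT SYSTEM AUDIT;                                -- attempts to switch auditing off
AUDIT DELETE ON sys.aud$ BY ACCESS;                -- and tampering with the DB trail

-- Confirm what is now in force
SELECT audit_option, success, failure FROM dba_stmt_audit_opts
UNION ALL
SELECT privilege,    success, failure FROM dba_priv_audit_opts
ORDER BY 1;
```

The "FTP the file(s) somewhere safe" bullet is the other half: copy the files from audit_file_dest off the box on a schedule run by the OS, not by the database, so the copy survives a compromised DB server.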

Useful References

• Pete Finnigan – www.petefinnigan.com
• Alexander Kornbrust – blog.red-database-security.com
• David Litchfield – Hackers Handbooks (Database / Oracle)