Oracle Vulnerabilities and Security Assessment


Information System Security
Outline
o Oracle Vulnerabilities
o Oracle Security Assessment

Information System Security - Week 10
2
Ways to attack
Outline

Oracle Vulnerabilities
o Users/Passwords
o PL/SQL injection
o Running System Commands
o Other Vulnerabilities
Users/Passwords
o TNS protocol
o How does Oracle authenticate users?
o Vulnerabilities

TNS protocol
TNS protocol (cont)
o The TNS Listener is the hub of all communications in Oracle.
o Information gathering can be done through TNS.

(Diagram: the Client sends Connect to the Listener; the Listener answers Accept or Redirect.)
TNS protocol (cont)
Authentication process (client/server exchange)
o Client sends the username to the server.
o Server generates a secret number and sends AUTH_SESSKEY to the client.
o Client decrypts AUTH_SESSKEY, uses it to encrypt the password, and sends AUTH_PASSWORD.
o Server compares the result with the password hash from the database.
o Authenticated.
How about Oracle 11g
o Client sends the username to the server.
o Server generates a secret number and sends AUTH_SESSKEY and AUTH_VFR_DATA to the client.
o Client decrypts the server's AUTH_SESSKEY, generates its own AUTH_SESSKEY, combines the two AUTH_SESSKEYs and encrypts the password with the result.
o Client sends AUTH_PASSWORD.
o Server compares the result with the password hash from the database.
o Authenticated.
Vulnerabilities

Crypto aspect
o If we have the password hash, the clear-text password can be recovered from it.
Vulnerabilities (cont)
o Default usernames/passwords.
o Files containing passwords.
o Brute force.
PL/SQL Injection
Introduction
o Procedures, functions
o Triggers
o VPD

Introduction
o PL/SQL is the procedural programming language built into Oracle; it extends SQL.
o It can call external libraries (C or Java).
o It is used to create procedures, functions, triggers, ...
Introduction (cont)
o Execution privileges:
  o Definer rights: the code runs with the "owner's" privileges.
  o Invoker rights: the code runs with the caller's privileges. Keyword: AUTHID CURRENT_USER.
o PL/SQL can be wrapped (obfuscated), but one can still work without the source: the DESCRIBE feature shows a procedure's parameters.
Procedures
o Similar to SQL injection.
o PL/SQL injection can occur with a statement like this:

Select * from table_name where id='USER_INPUT'
Select * from table_name where id='XXX' UNION SELECT ....
Procedures (cont)
o Inject a function call into the PL/SQL statement. Keyword: AUTONOMOUS_TRANSACTION.
o Take advantage of the rights (definer or invoker) that the functions/procedures execute with.
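The following is an added example (not from the lecture) that ties the two slides above together: a definer-rights procedure that builds its query by string concatenation, and the same lookup hardened with a bind variable and AUTHID CURRENT_USER. The table `items`, its columns and the procedure names are assumptions for illustration.

```sql
-- Constructed example, not from the lecture. Table/column/procedure names are assumed.

-- VULNERABLE: p_id is pasted into the statement text, so a value like
--   XXX' UNION SELECT ... --
-- rewrites the query. With definer rights (the default), the injected SQL runs
-- with the procedure owner's privileges, not the caller's.
CREATE OR REPLACE PROCEDURE get_item_unsafe (p_id IN VARCHAR2)
IS
  l_name VARCHAR2(100);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT name FROM items WHERE id = ''' || p_id || ''''
    INTO l_name;
  DBMS_OUTPUT.PUT_LINE(l_name);
END;
/

-- HARDENED: the input is passed as a bind variable, so it can never become SQL
-- text, and the procedure runs with invoker rights, so a caller gains nothing
-- beyond the privileges they already hold.
CREATE OR REPLACE PROCEDURE get_item_safe (p_id IN VARCHAR2)
AUTHID CURRENT_USER
IS
  l_name VARCHAR2(100);
BEGIN
  EXECUTE IMMEDIATE
    'SELECT name FROM items WHERE id = :1'
    INTO l_name USING p_id;
  DBMS_OUTPUT.PUT_LINE(l_name);
END;
/

-- When an identifier (not a value) must be dynamic and therefore cannot be bound,
-- validate it with DBMS_ASSERT so that only a plain SQL name is accepted:
--   EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM '
--     || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table) INTO l_cnt;
```

Review any procedure owned by a privileged schema that concatenates its arguments into dynamic SQL; the combination of definer rights and concatenation is exactly what the injection examples on this deck rely on.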
Triggers
o Similar to procedure/function injection.
o Note: triggers run with definer rights.
o Some real-world examples:
  o MDSYS.SDO_DROP_USER_BEFORE
  o MDSYS.SDO_GEOM_TRIG_INS1
VPD
o VPD (Virtual Private Database) is based on a policy function.
o It can be exploited through PL/SQL injection to drop the policy,
o or to grant the EXEMPT ACCESS POLICY privilege.
o Another way to defeat VPD is reading the raw data file, which is HARD.

Running System Commands
o Through PL/SQL
o Through Java
o Access File System
o Access Network

Through PL/SQL
o Use the msvcrt.dll library to execute a system command.
o Must have the CREATE LIBRARY privilege to register a library in Oracle.
o Newer versions of Oracle only accept libraries located in ORACLE_HOME/bin.

Through PL/SQL (cont)

-- register the C runtime as an external library (needs CREATE LIBRARY)
CREATE OR REPLACE LIBRARY exec_shell AS 'C:\winnt\system32\msvcrt.dll';

-- map a PL/SQL procedure onto the library's system() function
CREATE OR REPLACE PROCEDURE oraexec (cmdstring IN CHAR)
IS EXTERNAL
NAME "system"
LIBRARY exec_shell
LANGUAGE C;

-- every call now runs an OS command with the database server's privileges
EXEC ORAEXEC('NET USER MYACCOUNT PASSWORD /ADD');
Through Java
o Does not need the CREATE LIBRARY privilege.
o Requires the Java permissions:
  o Execute on all files.
  o Write file descriptor.
  o Read file descriptor.
Through Java (cont)

CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
import java.lang.*;
import java.io.*;
public class JAVACMD
{
    // runs an operating-system command from inside the database JVM
    public static void execCommand (String command) throws IOException
    {
        Runtime.getRuntime().exec(command);
    }
};
/
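Added defensive queries (not from the lecture) covering both the external-library and the Java routes above: they list registered external libraries, who may create them, and which Java grants together permit Runtime.exec(). They assume the standard Oracle data-dictionary views DBA_LIBRARIES, DBA_SYS_PRIVS and DBA_JAVA_POLICY with their documented columns, and `APPUSER` is a placeholder grantee.

```sql
-- Constructed DBA checks, not from the lecture. Run as a DBA.

-- 1. External libraries registered in the database. A FILE_SPEC outside
--    ORACLE_HOME/bin (e.g. a C runtime such as msvcrt.dll) deserves a look.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 WHERE dynamic = 'Y'
 ORDER BY owner, library_name;

-- 2. Who is able to register such libraries at all.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee;

-- 3. Java permissions that together allow arbitrary OS command execution:
--    execute on <<ALL FILES>> plus readFileDescriptor / writeFileDescriptor.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND enabled = 'ENABLED'
   AND (   (type_name = 'java.io.FilePermission'
            AND name = '<<ALL FILES>>'
            AND action LIKE '%execute%')
        OR (type_name = 'java.lang.RuntimePermission'
            AND name IN ('readFileDescriptor', 'writeFileDescriptor')) )
 ORDER BY grantee, type_name;

-- 4. Remediation for a grantee that has no business running programs
--    ('APPUSER' is a placeholder):
EXEC DBMS_JAVA.REVOKE_PERMISSION('APPUSER', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
```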
Other ways
o Using the DBMS Scheduler.
o Using the Job Scheduler.
o Using the ALTER SYSTEM statement.

Access File System
o Use the UTL_FILE package.
o Need the privilege to access a DIRECTORY object, or to create a new one.
o Using Java is similar to running an OS command:
  o needs the read and write file permissions.
Access Network
o Use UTL_TCP or UTL_HTTP.
o Create a connection to a remote host, then transfer data over it.

Other Vulnerabilities

o System configuration parameters:
  o O7_DICTIONARY_ACCESSIBILITY
  o remote_os_authent
  o dblink_encrypt_login
  o ...
o TNS protocol settings
o Application vulnerabilities

Other Vulnerabilities

o Session attack
  http://www.youtube.com/watch?v=jjRrLJEbDQU
o Access control bypass in login
  http://www.securityfocus.com/archive/1/422253
Oracle Assessment
o Vulnerability scanning
o Penetration testing

Vulnerability scanning
o Look for evidence of:
  o Vulnerable software versions
  o Presence or lack of patches
  o Misconfiguration
Vulnerability assessment tool
o Secure Oracle Auditor™ (SOA)
Penetration test

A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
Penetration test
Stages:
o Scope/Goal Definition
o Information Gathering
o Vulnerability Detection
o Information Analysis and Planning
o Attack & Penetration/Privilege Escalation
o Result Analysis & Reporting
o Cleanup
Information gathering

Footprinting
o The first and most convenient way that hackers use to gather information.
o Includes: internet, remote access, extranet, ...
o Example: whois hvaonline.net
Information gathering

Example:
Attack

SQL script
Vulnerability assessment tool
o AppDetectivePro for Oracle
o Metasploit

DATABASE SERVICES COUNTERMEASURES
o Remove default accounts, assign strong passwords to the remaining accounts, and enable auditing of failed logins.
o Keep the databases patched.
o Reduce privileges such as those granted to PUBLIC, keep privileges to a minimum, and audit access to critical tables and views.

Summary

Vulnerabilities usually arise from granting inappropriate privileges:
o CREATE ANY PROCEDURE
o CREATE ANY TRIGGER
o CREATE ANY VIEW
o GRANT something TO PUBLIC
o ...
References
o Oracle Hacker's Handbook
o Database Hacker's Handbook
o http://www.petefinnigan.com/weblog/
o http://soonerorlater.hu/index.khtml?article_id=512
