The Listener Service

Download Report

Transcript The Listener Service

Protecting Oracle Databases
Aaron Newman
[email protected]
Application Security, Inc.
www.appsecinc.com
1
www.AppSecInc.com
Protecting Oracle Databases
For the latest version of the presentation:
• http://www.appsecinc.com/presentations/
oracle_security.ppt
2
www.AppSecInc.com
Protecting Oracle Databases
Agenda
•
•
•
•
Introduction
Listener Vulnerabilities
Oracle and Firewalls
Protecting Oracle behind a Web Server
– SQL Injection Demo
• Database Vulnerabilities
• Resources, Conclusion, and Wrap Up
3
www.AppSecInc.com
Protecting Oracle Databases
What we will not be covering
• FUD (fear, uncertainty, and doubt)
– The problem exists but it won’t be fixed
tomorrow
– But we must start plugging these holes
• Securing the operating system
4
www.AppSecInc.com
Protecting Oracle Databases
Database Security - Why do I care?
• Database assets are valuable – crown jewels
• Used as a spring board into your network
• Easy targets
– database security is not as robust as OS security
• Connected and open to the Internet
5
www.AppSecInc.com
Protecting Oracle Databases
Types of Vulnerabilities
• Vendor bugs
• Poor vendor architecture
– i.e. weak encryption
• Misconfiguration
– i.e. REMOTE_OS_AUTHENT = True
• Incorrect usage
– SQL Injection
– Dynamic PL/SQL Injection
6
www.AppSecInc.com
Protecting Oracle Databases
Listener Vulnerabilities
• What is the listener?
– Proxy between the client and the database
• Why is it important?
– Separate authentication and auditing
– Runs as a separate process
– Accepts commands and performs tasks outside
the database
• Issues with the Listener Service
– Known Issues and Vulnerabilities
7
www.AppSecInc.com
Protecting Oracle Databases
Security Issues with the Listener Service
• Few people know that the process needs a
password
• Setting the password is not simple
• Vulnerable to brute-forcing
• Password is stored insecurely
8
www.AppSecInc.com
Protecting Oracle Databases
Listener Commands
• What are the commands
–
LSNRCTL for 32-bit Windows: Version 8.1.7.0.0 - Production on 04-JUN-2001 10:42:14
(c) Copyright 1998 Oracle Corporation. All rights reserved.
Welcome to LSNRCTL, type "help" for information.
LSNRCTL> help
The following operations are available
An asterisk (*) denotes a modifier or extended command:
start
stop
status
services
version
reload
save_config
trace
dbsnmp_start
dbsnmp_stop
dbsnmp_status
change_password
quit
exit
set*
show*
password
rawmode
displaymode
trc_file
trc_directory
trc_level
log_file
log_directory
log_status
current_listener
connect_timeout
startup_waittime
use_plugandplay
save_config_on_stop
9
www.AppSecInc.com
Protecting Oracle Databases
Known Listener Vulnerabilities
• Sniffing listener passwords
• Appending\creating a file using logging
– .rhost – “+ +”
– .profile – “rm *”
• Leaking commands
– Faking the command size
10
www.AppSecInc.com
Protecting Oracle Databases
Stealing Listener Commands
• Typical command
– .T.......6.,...............:................4.............(CONNECT_DATA=.)
• Use 40 bytes buffer to send 15 bytes
– ......."...(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR_STACK=
(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=.)ervices))CONN
ECT'))(ERROR=(CODE=3 03)(EMFI=1))))
• Up the lie and use 200 bytes
– ........"..>.H.......@(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR
_STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=.)ervic
es))CONNECT_DATA=(SID=orcl)(global_dbname=test.com)(CID=(PROGRAM=
C:\Oracle\bin\sqlplus.exe)(HOST=anewman)(USER=aaron))'))
(ERROR=(CODE=303)(EMFI=1))))
11
www.AppSecInc.com
Protecting Oracle Databases
Buffer Overflows in Listener
• Sending 1 kilobyte of data in the connection
string caused crash
• Sending more than 4 kilobytes in the
connection string caused core dump
• Problem in structured-exception handler
allows hacker to execute code
12
www.AppSecInc.com
Protecting Oracle Databases
Oracle and Firewalls
• Tunneling Oracle through a firewall
– Pros and Cons
• Probing Oracle through a firewall
– Tips and Tricks
– Protecting against these attacks
13
www.AppSecInc.com
Protecting Oracle Databases
Oracle Through a Firewall
• Why is tunneling through a firewall so hard
– Ports are redirected
• We highly recommend you DO NOT allow
connections from the Internet
• Still, we get countless requests for tunneling
traffic
14
www.AppSecInc.com
Protecting Oracle Databases
Reasons to not allow tunneling!
• Network protocols are immature
– Getting a lot better but still years behind OS
• Brute-forcing
• Lots of default accounts
15
www.AppSecInc.com
Protecting Oracle Databases
How to Tunnel Oracle (if you had to do it)
• Enable Oracle proxying through firewall
• Use Connection Manager
• Disable Port Redirection
– USE_SHARED_SOCKET on Windows NT
– MTS to redirect connections to specific port
– SERVER=DEDICATED in tnsnames.ora file
• Tunnel through SSH – see dbaspecialist
website
16
www.AppSecInc.com
Protecting Oracle Databases
Probing Oracle through a Firewall
• SYN scans
• FIN scans
– Stateful firewalls should handle
• Scanning the DMZ using ICMP
– see Ofir Arkin’s paper from Sys-security group
• Don’t install the Oracle HTTP Web Server
with the database if you don’t need it
17
www.AppSecInc.com
Protecting Oracle Databases
Attacking through a Web server
• Most common method of providing access
is through a web server application
• SQL Injection
– Not a Oracle vulnerability
– a web programming problem
• Simplest way to verify
– Put a single quote in fields
– look for ODBC error
18
www.AppSecInc.com
Protecting Oracle Databases
How does it work?
• Modify the query
• Change:
– Select * from my_table where column_x = ‘1’
• To:
– Select * from my_table where column_x = ‘1’
UNION select password from DBA_USERS
where ‘q’=‘q’
19
www.AppSecInc.com
Protecting Oracle Databases
Example ASP page
Package myseverlets;
<….>
String sql = new String(“SELECT * FROM
WebUsers WHERE Username=’” +
request.getParameter(“username”) + “’
AND Password=’” +
request.getParameter(“password”) + “’”
stmt = Conn.prepareStatement(sql)
Rs = stmt.executeQuery()
20
www.AppSecInc.com
Protecting Oracle Databases
Valid Input
• If I set the username and password to:
– Bob
– Hardtoguesspassword
• The sql statement is:
– SELECT * FROM WebUsers WHERE
Username=’Bob’ AND
Password=’Hardtoguess’
21
www.AppSecInc.com
Protecting Oracle Databases
Hacker Input
• Instead enter the password:
– Aa’ OR ‘A’=‘A
• The sql statement now becomes:
– SELECT * FROM WebUsers WHERE
Username=’Bob’ AND Password=’Aa’ OR ‘A’=‘A’
• The attacker is into the database now
22
www.AppSecInc.com
Protecting Oracle Databases
Selecting from other Tables
• To select data other than the rows from the
table being selected from.
• UNION the SQL Statement with the
DBA_USERS view.
23
www.AppSecInc.com
Protecting Oracle Databases
Sample ASP Page
Dim sql
Sql = “SELECT * FROM PRODUCT WHERE
ProductName=’” & product_name & “’”
Set rs = Conn.OpenRecordset(sql)
‘ return the rows to the browser
24
www.AppSecInc.com
Protecting Oracle Databases
Valid Input
• Set the product_name to :
– DVD Player
• The SQL Statement is now:
– SELECT * FROM PRODUCT WHERE ProductName=’DVD
Player’
25
www.AppSecInc.com
Protecting Oracle Databases
Hacker Input
• Set the product_name to :
– test’ UNION select username, password from dba_users where ‘a’
= ‘a
• The SQL Statement is now:
– SELECT * FROM PRODUCT WHERE ProductName=’test’
UNION select username, password from dba_users where ‘a’=‘a’
26
www.AppSecInc.com
Protecting Oracle Databases
Preventing SQL Injection
• Validate user input
– Parse field to escape single quotes to double
quotes
• Use the object parameters to set parameters
– Bind variables
27
www.AppSecInc.com
Protecting Oracle Databases
SQL Injection demo
ASP page, IIS web server
Oracle database
28
www.AppSecInc.com
Protecting Oracle Databases
Database Security Issues
• sqlnet.log
• Popular Oracle Security Issues
• PL/SQL Vulnerabilities
– Examples
• Host Operating System
– Known Issues Installing Oracle
– Lockdown Protection Procedures
29
www.AppSecInc.com
Protecting Oracle Databases
Sqlnet.log
• File is created in a directory when a
connection attempt fails from a machine
• Gives too much information – username, IP
address, date, etc…
• Have seen many times on public web sites
30
www.AppSecInc.com
Protecting Oracle Databases
Popular Oracle Security Issues
• Biggest issue – default passwords!
– SYS, SYSTEM, DBSNMP, OUTLN,MDSYS,
SCOTT
• Password management features not enabled
– No password lockout by default
– No password expiration by default
• Public permissions on ALL_USERS view
31
www.AppSecInc.com
Protecting Oracle Databases
PL/SQL Vulnerabilities
• Problem with dynamic SQL
– EXECUTE IMMEDIATE
– DBMS_SQL
• Danger allowing the user to pass parameters
that are used in the parsed SQL statement
32
www.AppSecInc.com
Protecting Oracle Databases
Dynamic SQL Example
CREATE PROCEDURE BAD_CODING_EXAMPLE ( NEW_PASSWORD
VARCHAR2 ) AS
TEST VARCHAR2;
BEGIN
-- DO SOME WORK HERE
EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' ||
COLUMN_NAME || ' = ''' || NEW_PASSWORD || '''‘ WHERE USERNAME=
= ''' || CURRENT_USER_NAME || ''';
END BAD_CODING_EXAMPLE;
33
www.AppSecInc.com
Protecting Oracle Databases
Valid input
• Input
– EXEC BAD_CODING_EXAMPLE( ‘testabc’ );
• SQL Created
– UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc’
WHERE USERNAME = ‘aaron’
34
www.AppSecInc.com
Protecting Oracle Databases
Hacker input
• Input
– EXEC BAD_CODING_EXAMPLE( ‘testabc’’, ADMIN=1,
FULL_NAME=‘’TEST’ );
• SQL Created
– UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc‘,
ADMIN=1, FULL_NAME=‘TEST’ WHERE USERNAME =
‘aaron’
35
www.AppSecInc.com
Protecting Oracle Databases
Getting to the operating system
• Oracle on NT typically runs as LocalSystem
– Act as part of the OS privilege
• Oracle on Unix runs as the oracle user
– Privilege to all oracle files
• Procedures such as:
– UTL_FILE, UTL_HTTP, Load Libraries
36
www.AppSecInc.com
Protecting Oracle Databases
On the operating system
• Oracle has many setUID files
• Oratclsh was setUID root
– TCL debugger
– Allowed you to run a script as root
– Change setuid immediately, even if you are not
using
37
www.AppSecInc.com
Protecting Oracle Databases
Other SetUID files
• Were many until Oracle8i release 2
– Cmctl, tnslsnr, etc…
• Very important one – oracle
– Main database engine
• Relies on ORACLE_HOME directory
– To load the pwdSID.ora file
– Allows you to load a rogue database
38
www.AppSecInc.com
Protecting Oracle Databases
Installing Oracle
• Oracle trusts the /tmp directory
• If a file is created before the Oracle file is
written, it is overwritten but retains the
permissions
• Allows backdoors to be injected into
installation
39
www.AppSecInc.com
Protecting Oracle Databases
Lockdown the operating system
• Lock all users out of the OS during
installation
• Set the TMP_DIR directory to a secured
directory
• Lockdown ORACLE_HOME permissions
• Remove setUID from all files
• Rename the UNIX oracle account
40
www.AppSecInc.com
Protecting Oracle Databases
How to Combat Hackers
• Stop the hackers at your network perimeters
• Stay patched
– oracle-ftp.oracle.com/server/patchsets
• Security alerts:
– www.oraclesecurity.net/resources/mailinglist.html
• Security Discussion Board
– www.oraclesecurity.net/cgi-bin/ubb/ultimatebb.cgi
41
www.AppSecInc.com
Protecting Oracle Databases
AppDetective for Oracle
• Security tool
– Scans your network and locates all database
– Inventories the versions and releases of
components
– Probes databases for these problems
– Facilitates fixing these problems
• Download free 30 day evaluation from
http://www.appsecinc.com
42
www.AppSecInc.com
Protecting Oracle Databases
DbEncrypt for Oracle
• Provides transparent encryption of data in columns
• Provides over a dozen algorithms to select from
– AES, DES, Triple DES, etc…
• Optimized to not effect performance
• Reduces time required to implement encryption
from months to minutes
• Download free 30 day evaluation from
http://www.appsecinc.com
43
www.AppSecInc.com
Protecting Oracle Databases
Questions?
• About
– Oracle security features
– Vulnerabilities
– Protecting your database
• If you have questions later, email me at:
[email protected]
www.appsecinc.com
44
www.AppSecInc.com
Protecting Oracle Databases