Seducing the pants off oracle


Seducing the pants off Oracle
Gary Myers
The pictures are courtesy of http://picasaweb.google.com/silverghost1951
Computers don't "get" threats
AUTHENTICATION vs AUTHORISATION
• Passwords = AUTHENTICATION mechanism (who am I)
• With the DBA's username and password, I can convince the database I am the DBA
• DBA is typically authorised to do all (or most) things.
I AM YOUR WORST NIGHTMARE
or at least in your Top Ten
I Am Your Worst Nightmare
• External consultant (or contractor)
• Good understanding of Oracle
• Follow a lot of the (public) Oracle security chatter
I Am Your Worst Nightmare
• Only around for a short period
• Next week, I may be working for your competitor
• Next week, I may be unemployed
– Motive is often malice or financial gain
– Don't rule out sheer incompetence
– Financial need often driven by…
• Addiction to drugs or alcohol
• Gambling debts or expensive women
• Sydney house prices
I Am Your Worst Nightmare
• I have access to your offices
• I have access to your computers
• I have access to your databases
I Am Your Worst Nightmare
• I am a consultant (or contractor)
• I have a good understanding of Oracle
• I follow a lot of the (public) Oracle security talk
• I may only be around for weeks
• I may be working for your competitor next
• I may be unemployed next
• I have access to your offices
• I have access to your computers
• I probably have access to your databases
RISK ASSESSMENT
Fall or be shot ?
It's All About Risks
• Denial of Service
• Unauthorized reads
• Unauthorized writes
• Unauthorized use
• Gateway to the Great Beyond
• Falling from buildings or being shot - not so much
DENIAL OF SERVICE
Your ride ends now...
Denial of Service
• Crash the database (or listener)
• Catastrophic data loss
• Catastrophic data corruption
• Standard DR recovery
• Beware : Attack may be repeated
UNAUTHORISED READS
No peeking
Unauthorised Reads
Someone sees something they shouldn't
– Backups
– Redo / Undo files
– Trace files, dumps and exports
– Data in transit (client to/from server)
– Operating System (memory)
– Development and test databases
Unauthorised Reads
• Internal info (eg DBA_USERS)
• Inference
– Clues about data
Unauthorised Reads
• Don't store data you don't need
• Don't store a value where a hash will do (eg passwords)
• Encrypt personal information
• Encrypt financial information
• Limit 'back door' access (TDE)
• Individual Authentication
• Regularly review authorisations
• Audit
Unauthorised Reads
Around a quarter of staff would steal information such as customer lists when they moved employment
TheRegister, 19th August 2010
UNAUTHORISED WRITES
Destroying the evidence
Unauthorised Writes
• Insert, Update or Deletion of data
– Could be 'regular' data
– Could be 'tidying away' evidence (audit trail)
– Could be data dictionary (rootkit)
• Audit (to OS, not DB)
• Checksum packages, files…
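The "checksum packages" idea above, as an added example that is not from the slides: fingerprint each PL/SQL object from a DBA_SOURCE-shaped snapshot and diff a later snapshot against the approved baseline, so a quietly altered package body (the data-dictionary rootkit case on the slide) shows up as a changed digest. The rows and package names are constructed sample data; the row shape (OWNER, NAME, TYPE, LINE, TEXT) follows DBA_SOURCE.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Added example (not from the slides). Rows are constructed sample data shaped
# like DBA_SOURCE; the package names are hypothetical.
SourceRow = Tuple[str, str, str, int, str]
ObjectKey = Tuple[str, str, str]


def fingerprint(rows: Iterable[SourceRow]) -> Dict[ObjectKey, str]:
    """Map each (owner, name, type) to the SHA-256 of its source text in LINE order."""
    grouped: Dict[ObjectKey, List[Tuple[int, str]]] = {}
    for owner, name, obj_type, line, text in rows:
        grouped.setdefault((owner, name, obj_type), []).append((line, text))
    digests: Dict[ObjectKey, str] = {}
    for key, lines in grouped.items():
        h = hashlib.sha256()
        for _, text in sorted(lines):  # sort by LINE so query row order does not matter
            h.update(text.encode("utf-8"))
            h.update(b"\n")
        digests[key] = h.hexdigest()
    return digests


def compare(baseline: Dict[ObjectKey, str], current: Dict[ObjectKey, str]) -> Dict[str, list]:
    """Report objects whose source changed, appeared or vanished since the baseline."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


# Constructed baseline snapshot: one package body as it was when approved.
BASELINE_ROWS: List[SourceRow] = [
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 1, "PACKAGE BODY pkg_orders AS"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 2, "  PROCEDURE approve(p_id NUMBER) IS BEGIN"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 3, "    UPDATE orders SET status = 'APPROVED' WHERE id = p_id;"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 4, "  END approve;"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 5, "END pkg_orders;"),
]

# Constructed later snapshot: line 3 lost its WHERE clause, and a package that
# was never in the baseline has appeared.
CURRENT_ROWS: List[SourceRow] = [
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 1, "PACKAGE BODY pkg_orders AS"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 2, "  PROCEDURE approve(p_id NUMBER) IS BEGIN"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 3, "    UPDATE orders SET status = 'APPROVED';"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 4, "  END approve;"),
    ("APP", "PKG_ORDERS", "PACKAGE BODY", 5, "END pkg_orders;"),
    ("APP", "PKG_HELPER", "PACKAGE", 1, "PACKAGE pkg_helper AS END;"),
]


def drift_report() -> Dict[str, list]:
    """Diff the constructed current snapshot against the constructed baseline."""
    return compare(fingerprint(BASELINE_ROWS), fingerprint(CURRENT_ROWS))


if __name__ == "__main__":
    for kind, objects in drift_report().items():
        print(kind, objects)
```

Keep the baseline digests off the database host (the slide's "audit to OS, not DB" point applies equally here), otherwise whoever rewrote the package can rewrite the baseline too.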
UNAUTHORISED USE
No personal calls !
Unauthorised Use
Using the database without permission
– Illegal / illicit
• PCI
– In excess of licensed functionality
• Contractors / Consultants
– Storing private data on the disks
• Cloud
ESCAPING THE DATABASE
Out of the frying pan
Escaping The Database
• Use dev / test to get to Prod
• Use DR to get to Prod
• Use database to get to OS
• Use DB server to get to other local machines
• Use DB server to get to remote machines (HTTP etc)
• Use db password for other apps
PASSWORDS
Password security
• Hashes = passwords
• Crack a million passwords / second
• Seven character passwords - Trivial
• Eight alphabetic character passwords - Trivial
• Eight character passwords plus a '1' on the end - Trivial
• Password fuzzers and Rainbow tables
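The password points above turned into something checkable, as an added example that is not from the slides: the kinds of rules a DBA would put into an Oracle password verify function, written here as a stand-alone Python check, plus a keyspace estimate against the slide's "million guesses a second" figure. The length threshold, the banned list, the 30-day cut-off and the sample passwords are choices made here.

```python
import string
from typing import List

# Added example (not from the slides). Thresholds and the banned list are
# choices made here, not Oracle defaults.
GUESSES_PER_SECOND = 1_000_000   # the slide's rate
MIN_LENGTH = 12
BANNED = {"TIGER", "MANAGER", "CHANGE_ON_INSTALL", "PASSWORD", "ORACLE", "WELCOME"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def keyspace(password: str) -> int:
    """Size of the smallest class-based search space that contains the password."""
    alphabet = sum(len(chars) for chars in CLASSES.values() if set(password) & chars)
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to walk the whole keyspace at the given guess rate."""
    return keyspace(password) / rate


def check_password(username: str, password: str) -> List[str]:
    """Return the policy failures; an empty list means the password passes."""
    failures: List[str] = []
    upper = password.upper()
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if upper in BANNED:
        failures.append("well-known default password")
    if username.upper() in upper:
        failures.append("contains the username")
    present = sum(1 for chars in CLASSES.values() if set(password) & chars)
    if present < 3:
        failures.append("fewer than three character classes")
    # Letters with one digit tacked on the end: the "eight characters plus a '1'" case.
    if password[:-1].isalpha() and password[-1:].isdigit():
        failures.append("alphabetic with a single trailing digit")
    if seconds_to_exhaust(password) < 30 * 24 * 3600:
        failures.append("brute-forceable in under 30 days at 1M guesses/s")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords for a user named GARY.
    for user, pw in [("GARY", "tiger"), ("GARY", "Database1"), ("GARY", "Rx7!kettle-Mango42")]:
        print(pw, check_password(user, pw) or "ok", f"{seconds_to_exhaust(pw):.0f}s")
```

The keyspace figure is deliberately generous to the defender: a seven-character lowercase password is exhausted in a couple of hours at the slide's rate, and dictionary-based guessing finishes well before the keyspace does.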
Password Demo
• Create fresh user in SQL*Plus
• Set a reasonable password
– Not TIGER or MANAGER
– Something that you'd remember though
• See whether ORABF will crack it
• select 'orabf '||password||':'||username from dba_users where username='GARY';
• cd C:\Documents and Settings\All Users\Documents\Common\orabf-v0.7.6
• orabf 9F868BD4F05CEE80:GARY -c pass_uniq.txt
I AM YOUR WORST NIGHTMARE
…and I cheat
WRAPPING
The truth is in here
Wrapped Packages
• (Python) code for unwrapping 10g+ PL/SQL is on the web
• Oracle CPU release : Changed packages WILL be unwrapped and compared to the 'old' version
• Shows vulnerabilities in old code
• CPUs make vulnerabilities public !
INJECTION EXPLOITS
Exploits
• No benefit in discussing specifics
• Don't know any current 0-day ones
• Others fixed by CPUs
• What would you do with the information anyway ?
• Hedgehog Sentrigo ?
SQL Injection
• SQL injection is one of the major categories of computer vulnerability
• Typically poorly designed web applications
• Publicly available tools that try to penetrate web-sites by crafting URLs.
SQL (and PL/SQL) Injection
• Typically AUTHORISATION attacks
• Convince the database that you are authorised to perform the action
• Bypass any rules saying NO !
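The "bypass any rules saying NO" point above in code, as an added example that is not from the slides: the same lookup written once by concatenating user input into the SQL text and once with a bind variable. It runs against an in-memory SQLite table so it works offline; the `:name` placeholder is the same bind syntax Oracle uses, and the table, rows and crafted input are constructed sample data.

```python
import sqlite3
from typing import List, Tuple

# Added example (not from the slides). Table and rows are constructed sample data.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO app_users VALUES (:u, :r)",
        [{"u": "GARY", "r": "CONSULTANT"}, {"u": "ALICE", "r": "DBA"}],
    )
    return conn


def roles_concatenated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable: the input becomes part of the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT username, role FROM app_users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def roles_bound(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the value travels as a bind variable and is never parsed as SQL."""
    sql = "SELECT username, role FROM app_users WHERE username = :username"
    return conn.execute(sql, {"username": username}).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "X' OR '1'='1"  # constructed input: closes the literal and adds an always-true condition
    print(roles_concatenated(db, crafted))  # every row, the WHERE rule is gone
    print(roles_bound(db, crafted))         # nothing: no user has that literal name
```

The bound version also gives the database a reusable parsed statement, so on Oracle the bind variable is the better choice for performance as well as for keeping the WHERE clause intact.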
Standard Packages
• Vulnerabilities in supplied packages often allow for privilege escalation
• Accounts like MDSYS have CREATE ANY TRIGGER privilege
• Can be abused even if account is locked.
Corkscrew Thinking
Multiple steps to get around multiple barriers
AUDIT AND FORENSICS
Caught in the act… or afterwards
Forensics
• Database log file
• Web / application server log files
• Audit to an Operating System file
• FTP the file(s) somewhere safe
• Log Miner
• DDL triggers
• Block dumps, AWR, ORA_ROWSCN…
Useful References
• Pete Finnigan
– www.petefinnigan.com
• Alex Kornbrust
– blog.red-database-security.com
• David Litchfield
– Hackers Handbooks (Database / Oracle)