Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

SANS 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

SANS, Mitre and a lot of security experts have just completed the top 25 most dangerous programming errors list. This is a really useful resource and anyone developing code not just against Oracle but in general should be concerned to read this. This is not a simple document. There is a HTML version of "2010 CWE/SANS Top 25 Most Dangerous Programming Errors" and also a pdf version for download. There is a huge amount of information and particularly there are a lot of improvements over the 2009 version.

Take a look!

SQL Injection and Java exploits

It has been a while since my last blog post as I have been extremely busy over the last weeks and this blog post is being posted straight after finishing a customer training session using the clients internet connection (with permission!) before i disapear off site.

If you would like to book my how to perform a security audit of an Oracle database training class at your site, please drop me an email (see my contacts page), it is very popular at present and providing benefits to a lot of people on both public classes and also private classes. We do fixed prices for up to 2 people, up to 4 people and up to 8 people. We can of course accomodate more people but this is unusual for private classes but not for public ones.

I was emailed by Mike Smithers last week to let me know about his very nice article about SQL injection posted to his blog and titled "Self-Inflicted SQL Injection â€" don’t quote me !". Mike kindly let me know but I have had little time to read it until i finally did so this lunch time. The article is very nice and concentrates on the issue of objects created in the database that are themselves injection payloads. This can be an object or a user (which of course is still an object in the dictionary). This idea has been around for quite a while but its nice to see a paper on it.

Also David released a new idea on exploiting Java at Blackhat which included a 0-Day exploit against Oracle. The exploit is shown in Sumit Siddarths blog in a post titled http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/HackingOracle11g (broken link) which also includes a link to Davids blackhat presentation video. Paul has written a short paper titled "Securing Java in Oracle" that gives some details of the vulnerability and also some ideas on securing against in in the absense of a patch. Its nice to see that Paul has included some of the ideas on checking in depth (i.e. packages that use packages ect and ad-infinitum) that i have been talking about in presentations for a few years at places such as the UKOUG and also in my training classes. I will also be covering these ideas and more in two webinars for Sentrigo in a few weeks time (see the links on my home page to register for the talks. One is on European time and one on US time. Nice paper Paul!

Turkey, Germany, York, Holland and the Oak Table book

I was away most of last week to teach my class How to perform a security audit of an Oracle database in Istanbul, Turkey including the travel out and back. It was a good class, very well attended and some good discussions and questions from the attendees. The weather was the biggest surprise as it was cold, very cold, minus 8 and also snow everywhere. I had expected that the weather would have been warmer there than in the UK, but it wasn't.

I am speaking in Germany on Thursday the 4th February at the IT-Defense 2010 conference in Cologne Germany. The link is on the PeteFinnigan.com Limited sites home page.

We are also one week away from our two day Oracle security training here in York, England. If anyone wants to make a last minute registration thats fine we will be able to accomodate you.

I have also updated our public training dates page to include the registration details for the new public class in Utrecht to be held on the 26th and 27th of May 2010. I would love to see people there as well!

Finally the new Oak Table book, Expert Oracle Practices is out. I had my copy waiting for me when i returned from Turkey and I am looking forward now to read the other authors chapters. I wrote two chapters; the first about user security and the second about data security. I found that one of my co-authors Charles Hooper has written an excellent summary of the book on his blog in a post titled - "Expert Oracle Practices: Oracle Database Administration from the Oak Table” Book"

The Oracle listener password algorithm

There has been a thread on my forum for a couple of years discussing the Oracle listener password algorithm. The thread is titled "Key and algo for encrypting the listener password". This thread discussed the issue of being able in some versions of Oracle to pass the hash to log in. This is a technique used by security people to discover weaknesses in authentication mechanisms and was evident in the listener because the listener in 9i and lower supported two authentication mechanisms where one was to test the password that was added in clear text to the listener.ora file. This had a flaw as the hashed password could also be used. The listener password algorithm in 9i and lower was the same as the database password algorithm except that the listener doesnt use a username so an arbitrary user was used instead. The listener is authenticated via local authentication in 10g and 11g but its still possible to enable a password for remote authentication although not recommended. The password authentication mechanism is different in 10g and 11g. I was aware of how it worked but usefully now Marcell Major has now released a short paper describing the algorithm. This is in a paper titled http://marcellmajor.com/frame_listenerhash.html - (broken link) Oracle listener password encryption. There is also a http://marcellmajor.com/listenerhash.zip - (broken link) demo program written in python available to download.