Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

A quick update on my sites progress

I copied my website over to my new dedicated server over one week ago but the ISP only got the DNS records updated on Friday and those took some time to migrate. The only entries now in the old servers access_log are googlebots and Brian Duff's orablogs so I guess the DNS migration was successful. The new host seems faster to me, should be as my site is now the only one on it.

I had copied the whole site a week ago but I did need to re-copy some stuff yesterday, these are the dynamic parts of the site. This includes this blog, my other blog which is about web development. That blog has not been updated for some time but I plan to not continue the web site dicussion here and move it to there now that i have some interesting stuff to talk about web wise.

Going back to the upgrade; this blog was copied over again yesterday and I hope that its running well before its planned migration to Wordpress. I also copied my forum, which was not well after the move. I have closed it temporarily, so apologies to those people who are trying to access it, I am working on the issue this evening.

I also have some issues with my webstats that need to be resolved and also a problem with sendmail. As I said watch my web development blog if you are interested in the trials and tribulations of running a dedicated server.

Oracle security wise, I have a lot of planned posts listed in my TODO list. I plan to talk about recent conferences, Oracle Audit Vault, Oracle data vault, 0-days and some recent press and interviews. Please bear with me whilst my web mastering takes over for a couple of days..:-)

My site is moving now

My ISP has just let me know that they have now updated the DNS records to point to the new server so it should migrate today. I will close the forum for now until it migrates and also I will have a bit of tweaking to do once it has completed to bring over the last of the updates.

Then the fun begins, I have a lot of plans to enhance the site and will most likely start with an over hall of the blog to either Wordpress or Moveable Type. Not sure which yet.

I will update you whence the move completes.

My site is moving so could go down for a short while

I have just completed the move of my site to the new dedicated host. Finally! with lots of trips away over the last month it has taken some time to get the new site up and running. I just have not had the time to do it. Over the last few evenings I have been copying the site and setting up Apache and testing. I have just asked the ISP to alter the DNS settings to point to the new site. I am not sure when they will do this or how long it will take. I expect my site to go into a black hole for a short while.

I have blocked the forum on the new host - just set the maintainance mode. I have left it open on this old server so people can still access and post. Then as soon as the new server is operational I will copy the forum over again and close it on the old host and open it on the new.

The whole of the old site will then be deleted.

Initially its the same site as on the old host but that will change very soon. I am going to move the blog to either wordpress or movable type and also enhance the news aggregator. I also plan to open the wiki i have had for a while in the background. I will announce exactly whats planned for that soon. I also plan to move the site to a CSS based approach and to try and get it to standards level. Also thanks to those who responded previously to my call for writers and international authors and moderators. I will open up some foreign language boards on the forum and also there will be some new Oracle security bloggers here.

OK, thats it for now, see you on the new server...

Exploit code available for one of the bugs fixed in April 2006 CPU

Someone called N1V1Hd $3c41r3 has posted exploit code for the bug in the package function SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA to the bugtraq mailing list. The post is titled "Oracle 10g 10.2.0.2.0 DBA exploit" and it details how a package function can be created and then injected into DBMS_EXPORT_EXTENSION to grant DBA to a user called hacker.

Alex also has a page titled "SQL Injection via Oracle DBMS_EXPORT_EXTENSION in Oracle 9i / 10g" detailing the same exploit.


Argeniss are selling 0-day exploits for Oracle

I was made aware of this URL today by someone. I was vaguely aware that the guys at Argeniss were selling exploit information but had not had the time to take a look. The page on their site titled "Argeniss Ultimate 0day Exploits Pack" details the service available to those penetration testers or tool manufacturers who want to test if various IPS/IDSAnti* type products are working well with 0-Day bugs for various software. These include a list of 6 exploits for Oracle. I can see the value in this for people who do not have the skills or time to find these bugs to be able to test expensive tools they may have implemented or for vendors to also test their products that are supposed to trap 0-day bugs. I can also see the downside that others may buy the details for other nefarious reasons. I leave it to you the reader to make your own mind up.


Oracles default password scanner released with CPU April 2006

I have just downloaded the default password scanner released with the April 2006 CPU. This is only available via metalink and is referenced in the CPU advisory. The Metalink note 361482.1 to access the tool decsribes what it is, how to download it, where to use it etc. This note then references a patch that can be downloaded that includes an SQL script and a detailed document about default passwords.

The script is a simple select statement that checks if the username exists with the known password hash for each default user. This is different to my own default password scanner as mine also includes details of the actual password. The new Oracle tool does not include the passwords.

The tool includes around 689 passwords. The big difference with this tool and mine also is that it includes a lot of PeopleSoft default accounts and also some JD Edwards accounts. I guess we both include most of the E-Business Suite ones.

The document is excellent though. It includes details of all default accounts listed in the tool and also details on how to change the passwords. This is very useful as some accounts you cannot simply change the password in the database you also need to change it in config files or elsewhere.

This is a useful tool and worth downloading. So come on Oracle make the document and the tool publically available!!! not just from Metalink.

CERT Issues Alert for Oracle

CERT Issues Alert for Oracle - By Sean Michael Kerner

"CERT today issued a security alert for a host of Oracle infrastructure and application software products.

The alert was triggered after Oracle revealed in its regular security update cycle that a number of its products were at risk from various vulnerabilities."

Alex has released an advisory for his bug in CPU April 2006

Alex let me know that he has released an advisory for the security bug that he found in CPU April 2006. This is a SQL Injection bug in the package SYS.DBMS_LOGMNR_SESSION. The advisory is called "SQL Injection in package SYS.DBMS_LOGMNR_SESSION" and the bug is in the function DELETE_FROM_TABLE. The fix was applied using the package DBMS_ASSERT.

What is amazing is that a lot of CPU patches are not available until May!!

Alex just pointed out to me that when you go to download the April CPU 2006 patches there is a note that tells you that the patches are not available for a lot of platforms until May 1st (many versions and platforms) and for some platforms the ETA is 15th May (e.g - 10.1.0.3 on Solaris for x86). I also notice that 10.2.0.1 is available for Unix, Linux and Windows but 10.2.0.2 is not. I thought the policy was to fix the later verisons first?

I think it is bad form that Oracle release an advisory telling customers to patch their databases but for many customers they will have to wait around 13 days and some almost one further month for the patches to be available. I remember that the January CPU had many more fixes but I don't remember that as many platforms had delayed patch releases.

It is not really a quarterly patch schedule if the patches are not available quarterly for some customers. I think Oracle should have delayed the release of the advisory as roughly 50% of the patches / platforms listed have delayed ETA's. It is hard to comment further without detailed knowledge of how many customers are on each platform / version.

Oracle has released CPU April 18th 2006

Oracle have this evening (UK time) released the latest Critical Patch Update for April 2006. This is similar in structure to the previous CPU's. The level of detail given out by Oracle is about the same as usual. The Oracle advisory is titled http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html - (broken link) Oracle Critical Patch Update - April 2006. The biggest noticable difference to previous CPU's is that the number of fixes is lower. The database has 14 fixes for various versions of the database software, one of the fixes also applies to the application server. Collaboration Suite has 4 fixes and also the same fix applied to the database and application server. There are 14 fixes for E-Business Suite and Applications and again the same fix applied to the other products. Enterprise Manager has 2 fixes, one PeopleSoft fix and one JD Edwards fix.

The level of detail is sparse as usual but with some experience it is possible to work out what the bugs are in a lot of the database bugs due to the naming of the guilty packages.

The key addition is the update to the default password scanner released through MetaLink Note 361482.1. Mary Ann Davidson talked about this update during her presentation in Seattle. She said that they had increased the list of default passwords to around 670. The default password list and default password scanner available on my site include around 600 default passwords. I have updates here locally to this list that i have had for sometime now that I just have not had time to process and add to my list and website. I have between 1100 and 1200 default passwords. I have been very busy recently but after I have completed the move of my website I will update my list and let everyone know here. Remember my list is available to all, the tool released by Oracle is restricted to those with metalink accounts. I can understand that its released in relation to patches but it would have been better to have it available from OTN instead.

Unbreakable, Unless You Shoot Yourself in the Foot

One I had saved open in IE on my laptop from last week. I thought Lisa's comments were quite funny:

http://oraclewatch.eweek.com/blogs/oracle/archive/2006/04/11/9013.aspx - (broken link) Unbreakable, Unless You Shoot Yourself in the Foot


Great trip to Seattle to the PSOUG Oracle day 2006

My very short trip to Seattle has been very interesting. I have met many very friendly and nice people here. The PSOUG Oracle day went very well, my presentation seemed well received and judging my the gasps by some people they will have rushed back to work to start to secure their databases..:-)

Thanks very much to Jeremiah Wilton and Grant McAlister for taking me out in the evening after the conference for a nice meal at Jaks Grill. It was a very enjoyable evening for me.

Also thanks to James Petts for looking after me on Saturday morning before my flight left for the UK again. He took me for a tour of Seattle, we went up the sky tower ( http://www.diserio.com/top15-skylines.html - (broken link) It is item 15 on this page) and also for a nice lunch in the downtown market, we went into a fish and chip restaurant, that was excellent and finally we paid a visit to Fry's where I was amazed at the size of the place and the good on offer. I made a few purchases of maily USB items that were much cheaper than in the UK. I also got a Linksys wireless router for a great price of $47.

I will talk about some of the presentations later, I made some notes.

At the PSOUG Oracle day in Seattle

I arrivived yesterday evening at the hotel in Seattle after a very long journey from the UK. The journey was made even longer as the Boing 747 needed to have one of the engines starter motors changed on the tarmec whilst we all sat in the plane for 3.5 hours in around 30 degrees centigrade until the engineers replaced the starter motor. Then it was a 9.5 hours flight..:-(

some people would probably say that I am mad to travel here for basically one day to speak at this conference but I think it was worth while to come to the states and speak at the PSOUG Oracle day. I have not spoken in the states other than at training classes so it will be good to speak here. One of the other reasons to come was the opertunity to hear Mary Ann Davidson speak about security assurance and also to say hello in person. I will blog later about her talk, i was very impressed with her talk in that it made a lot of sense and she was saying very realistic things about security and how Oracle were tackling the problems. I will say more on this later as I made some notes.

OK, I have prepared my talk, its just about lunch time here.

Oracle releases, then pulls, zero-day database exploit code

Oracle releases, then pulls, zero-day database exploit code - Details about the zero-day hole sat on company portal for hours - by Robert McMillan

"APRIL 10, 2006 (IDG NEWS SERVICE) - Oracle Corp. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code that could be used to exploit the problem. Details of the vulnerability were published last Thursday in a note that was briefly posted to Oracle's Metalink customer support portal."

Oracle-Datenbanken gefährdet

Oracle-Datenbanken gefährdet - German only article -

"Oracle hat Informationen über eine bisher nicht behobene Sicherheitslücke in den Versionen 9.2.0.0 bis 10.2.0.3 seiner gleichnamigen Datenbank in der eigenen Knowledge-Base Metalink veröffentlicht."


Oracle has released details of a 0-day vulnerability including exploit code on Metalink

Today Alex let me know that Oracle released a note on the knowledge base on Metalink that details an unfixed security vulnerablity (0-day), including test cases (exploit code) that affects all versions of Oracle from 9.2.0.0 to 10.2.0.3. The note has now been removed but was in the headlines section and was titled "363848.1 � A User with SELECT Object Privilege on Base Tables Can Delete Rows from a View". Alex has informed Oracle that it is not a good idea to release this sort of information on unfixed security bugs.

There is a detailed discussion of the issue on Alex's site in a page titled "Read-only user can modify data via views". This page details the issue and also includes exploit code (the actual method of exploit is censored out).

Dr. Christian Kleinew�chter and Swen Th�mmler from infinity3 GmbH found the issue.

Back blogging again about Oracle Security

Well its been a couple of weeks or so since my last posts to this blog. I have been out of the country almost all of the time over the last three weeks and for most of that time without Internet or email access, first in the states and then in the Soviet Union.

Some up and coming speaking engagements:-

I will be in the states again on Thursday to speak at the PSOUG Oracle day in Washington at the Meydenbauer Conference Center on Friday.

I will also be speaking at the UKOUG Northern Server Technology day on April 27th and I will also be speaking at the InfoSec conference on the 26th of April.

I have also submitted papers for the UKOUG main conference and also for Black Hat in Las Vegas, lets see if they get accepted!