Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Checksumming on all supported versions of Oracle

Paul dropped me an email to make me aware of a post he had made on his blog titled "Forensic checksumming on all versions of supported Oracle databases". This is quite a useful post as it summarises the the available options to create hashes from within the database and gives some sample code using SHA-1 that Paul suggests should be used in more secure settings whilst DBMS_UTILITY.GET_HASH can be used for day to day patch checking.

First exploit released for CPU July 2007

Today Alex posted that Andrea Purificato has released an exploit for the view bug fixed in the July 2007 CPU. Bunkers exploit code is here. Alex has shown a similar example in his post "Exploit for create view published" but he points out an issue with the exploit in that the changed password cannot be used without restarting the database.

I have not tested but i suspect that flushing the SGA may allow its use as well as the reason that it doesnt work is likely to be because the old hash is likely to be buffered. Also SYS.USER$ is not likely to be accessible to create a view like this anyway.

CPU July 2007 is out

The latest quarterly security patch, the CPU July 2007 was out last night. It includes 45 fixes across all of the Oracle products. This differs to the pre-patch notice that stated there were 46 fixes in the patch. Alex talked about this in a post titled "Oracle CPU July 2007". Alex also pointed out in this post that a bug found by him, that is similar but not the same as the infamous Oracle 0-day bug - "Oracle has released details of a 0-day vulnerability including exploit code on Metalink" has finally been fixed. I hope that this is the last variant of this bug. Alex also talked about Eric Maurice's announcement in his blog of the new patch structure called a napply CPU. His blog post is titled "July 2007 Critical Patch Update Released" and he says:

"The napply CPU is an enhanced CPU format for Oracle Database Server for Unix and Linux platforms version and onward (including and 11g). In a napply CPU, the security fixes are now grouped in what are called molecules. Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU. Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files."

and goes on to discuss

"By using the OPatch parameter ?-skip_duplicate?, customers will have the ability to skip the application of those molecules that have been previously installed (for example by a previous CPU) thus reducing the changes introduced to the patched system. In other words, while the CPU remains cumulative, the CPU will install incrementally those new groups of fixes."

I can see that this will help some sites install patches with less anxiety but I doubt that this will implore many sites to patch earlier and faster. The same fixes, cumulatively are still installed and still need to be installed. The biggest issue i discuss with people is the testing, the fact that often a full regression test is required and the worry that something in a fix breaks the way their applications work.

The best advice I offer is to ensure that you only install the software that is needed and remove as many features (schemas) and functionallity (Java?) that you dont need, in other words reduce the attack surface as much as possible to the functionallity actually needed to support an application. Also dont install Enterprise edition if you can run with Standard or Standard one. I often sites completely over specified in terms of database version/type and features installed.

There are 19 fixes for the database, interestingly one fix for Audit Vault (which is an Apex bug), 4 fixes for the application server, 2 fixes in JDeveloper, 1 collaboration Suite fix, 14 E-Business Suite fixes and 7 PeopleSoft fixes.

So, the observations last CPU that things were getting better could be wrong. This time we went to 45 fixes from 36 and 19 in the database as opposed to 14. Lets leave judgement till next time, this could be a blip in a downward trend or maybe its on its way up again, or maybe we have reached a plateau of around 35 to 45 fixes a patch?

Oracle UK systems accused in 'SSH hacking spree'

Oracle UK systems accused in 'SSH hacking spree' - By John Leyden

"Compromised computers at Oracle UK are listed among the 10 worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software.

Oracle said it is investigating the reported problem, which it is yet to either confirm or refute.

A box (or group of boxes behind a proxy) at Oracle UK is among the worst offenders for launching attacks, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks."

Apex and its security model

Gary has posted a very interesting article about APEX and the use of DBMS_SYS_SQL titled "Database 11g and Apex by default". This is a good post, i wanted to make a comment on Gary's blog but to do so meant registering with blogger/Google which I dont want to do so my comment is here:

"Thanks for a very interesting post. I think there are issues with this model and recent CPUs with lots of remote exploits/bugs in Apex that dont need authentication clearly confirms this. I agree with you its crazy to enable Apex by default in 11g, lets see if they do. This would feed into the ever increasing array of features enabled by default.."

More SQL Injection

Alex has posted an entry in his blog yesterday titled "he that is without sin among you, let him cast a stone at her" on the same subject that Tom and then I spoke about, the error message from a bank around SQL Injection. Alex makes some points about where the developers of these types of applications learn to code applications vulnerable to SQL Injection. He points at Tom's book, David Knox, Kevin Loney and others. I think he makes a good point as where do developers learn to code against Oracle? - training, Oracle documentation, Oracle sample programs and of course popular books.

Alex then commented on - (broken link) Toms blog and an interesting conversation started. Tom does know what SQL Injection is, he has made a recent acreer talking about bind variables and SQL Injection and I am hoping he will cover security and of course SQL Injection and more with gusto when we get to see the second volume of his book. I remember he even canvassed for subjects and security was in there amongst them. Alex has amde a very good point, that people do learn from peers, mentors, BOOKS and training; I think the unfortunate apsect of all of this is that writers of these media have not taken security into account until very recently even though issues like SQL Injection have been known for many years now. Lets hope that everyone writes with security in mind and that old and new generations of coders understand the risks and dont provide these loopholes.

Please dont SQL Inject a bank

I saw a post on my Oracle security forum titled "Please don't do SQL injection" that refers to a blog on Tom's site the refering to an entry on the - (broken link)Worsethanfailure site about a bank that has an error screen that is presented under circumstances when you try and add a security phrase. This is great, but sad. How does code like this for a bank get into production? - don't they do code reviews? - don't they have secure coding training, don't they know not to send meaningfull errors back to the client. worse they advertise that its possible to SQL Inject??? this is crazy, if they add an error telling people to not send in parts of the SQL language as a security phrase does that mean that if you do it will detect only those keywords? what about others, what about the fact that they have told the user that the security phrase is written to a database table? and it is added into a concatenated string - OK, I am being sarcastic, I realise the issues here! - how does code like this get into the mainstream, is it real or a dummy? - real i guess.

Checkpwd updated and also released for Mac

Alex has this week released a new version of checkpwd which has versions for Windows, Linux and now also the Mac. The MAc version is for ppc as that is the platform Oracle is available on. Checkpwd has versions that include a big password file, or not and also a version that simply says the password is weak without displaying the actual password that has been cracked. This version also goes back to the openssl code rather than the optimized intel code of the previous version.