Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Hacking Oracle made easy

Chris Gates will release and demonstrate a new version of metaploit at Black Hat to show how Oracle can be attacked and hacked remotely. The presentation will be followed by the release of this version of Metasploit. Chris Gates demonstrated some of the ideas in February and - (broken link) he posted a video about this at that time - i mentioned it here at the time also.

The tool automates the attack against Oracle by first brute forcing/guessing the SID, then username/password and then by running various exploits.

There is a nice article also on Reuters talking about the presentation called "Hacking Oracle's database will soon get easier"

Rogue DBAs: Hidden Inside Security Threat

Jared posted a link to this article on the Oracle-l list a couple of days ago and i marked it to blog when i got the chance and as my PC has just started to install a patch and will need a reboot I decided to do a quick blog post. The article is called "Rogue DBAs: Hidden Inside Security Threat" and is quite interesting.

This really highlights the current problems. People are starting to take database security seriously but we still have a very long way to go. The current evidence suggests that most sites have not done the basics and most likely have not turned on audit in the database; if they have its probably not being monitored and almost certainly privilege user access is not monitored and even if it is it can be bypassed by the people being monitored. This is just a fact of life that i see day to day at customer sites. The landscape is changing though and a lot more people are taking database security seriously and also have allocated budget for it; times are changing. As the article says we dont hear of these cases often; well I do know of others but they are not public; why do we not hear more? ... I leave that to you to guess..... but are the business even aware of theft going on???

Escalate privileges to SYSDBA with CREATE USER

Paul emailed me the other day to send his new paper that shows how he was able to exploit a problem with Oracles namespace resolution. The idea is that because a user may have the CREATE USER privilege so he can create a database user with the same name as a SYS owned package. In the example Paul creates a user called DBMS_FLASHBACK. The namespace resolution and the fact that SYS ignores definer rights code means that the creation of a function from a package (the same name as a real function) can be used to call code to grant SYSDBA to the attackers user through his function.

Its a nice idea but the execution is really a trojan as its still necessary for a DBA logged in as SYSDBA to execute the "doppleganger" function. Nice idea though.

Latest Oracle CPU is out

The latest in the reasonably long line of Oracle quarterly CPU's is now out. It was available yesterday evening UK time. I was out teaching my two day class for the last two days so missed it until this morning. The CPU seems quite busy this time but including some serious bugs that Oracle are recommending that you as customers of Oracle install the patch as soon as possible. The number of bugs in the database itself is slightly lower as is the total fixes this time, 10 (actually the table shows 12 as two OEM bugs are included) / 30 respectively. The Oracle's advisory is here.

This quarter I also get a credit on Oracle's advisory for contributions to the "Security In Depth" program. This is a program where researchers and customers help Oracle make significant changes to the core code or documentation but are not of sufficient nature to be included in a CPU. See the advisory for links to details of this program. It's nice to know you get recognised even if a fic is not directly included in the CPU.

Poor mans database vault

I got an email from Chet Justice the other day talking about some free software he is creating called "poor mans database vault". The description from his site:

The goal is simple, have a simple, easy to use version of Oracle's Data Vault. By no means is this trying to replace their product, it's just a simple solution to help lockdown your Oracle database.

sums it up. The site for download site has some description but no code yet; so no pressure to release

Anything that helps secure a database (and is free) is good. I am looking forwards to seeing it and having a play to see what it does. More here when I can get chance to do that.

A new database security auditing and scanner product, some BBED, ASM and AV

Well, it has been a very long time since my last post. I keep wanting to write a post but my time is so extremely limited at the moment that its hard to keep on top of work, emails, familly and trying to fit in blog posts falls down the list a bit which is a shame.

All of my spare time of which there isn't much at the moment is used up being involved in our companies Oracle database security audit and scanner product. The product is very exciting for us. I am going to talk a lot more about it over the coming weeks as we ready for production and sale to customers. We have demonstrated it a couple of times already and the feedback has been amazing.

As a little taster it's two main aims are:

1) To try and help people secure databases (initially just Oracle but will also be SQL Server soon). There is more to securing a database than just running a bunch of checks and then creating a report. We recognise this ( indeed our hand done audits and training classes are aimed at the same ideas) and the product is based around the whole life cycle of securing a database from cradle to grave; from inventory gathering, first deep assessment of a database, correction strategy, creation of solution assistance tools, creation of a security policy document, fixing (many modes of fix available), scanning all databases, compliance checking. Cradle to grave.

2) transfer my knowledge. I have gained a huge amount of knowledge and experience over the years of securing and teaching and researching and speaking about Oracle for clients and one of the goals for this product was to encapsulate as much of this as we could. One of the key problems people have in my experience is that they perform an audit of a database (internally or via professional services) and all seems good except that they are really unsure what to do next, what to fix, how to fix, how much to fix...... This is an area where we wanted to add value, so whilst its not possible for a product to simply generate fixes (well it is but would you run them??) it is possible to provide "deep hand-holding" to really assist in this process. We of course produce fixes as well BUT they are targetted to the client.

Another issue we wanted to solve is the problem of data loss and increased risk caused by the use of an audit product. Its obvious that anyone running a security scanner/audit tool could be a good target for someone wanting to steal; either the IPR itself of the checks/tests being performed or the results. We have a great solution for this; more detail later; basically the IPR cannot be sniffed and the results cannot be sniffed either. The solution is not encryption or anything like that, its simply that we dont transmit in the first place..:-) This allows a mode of operation that suits auditors in that they can ask the DBA or some junior staff to run the scan and collect the results without fear of loss of "what is being checked" or loss of the detailed results. The full analysis in this mode is done off line.

We also allow "complex" policies, that is policies that can depend on each other in any number of layers or heirarchies or ways. Also policies can contain what can be described as "loops". These features are not done justice in a few lines here but i wanted to start to discuss them now as this is a major feature of the product. Very complex policies have been created and are included and the customer can also create policies by simple point and click; this allows an unprecedented level depth o audit to take place because we can audit even what we dont know about!

I demonstrated these functionallities live in the last few days to a prospective customer and they were blown away with the ideas and what the product can do.

Anyway I will talk again about the product soon as we near beta testing and production but for now I have added a simple 2 page flyer describing the product to our website - PFCLScan. If anyone would like any more details then please email me on pete_at_petefinnigan_dot_com

I just saw on Marcin Przepiorowski's site a nice paper titled "How to view and edit data on ASM using BBED" which describes how you can use BBED to read and modify data on ASM, very nice. He mentions that he has based some of this on Miladin's earlier papers and Graham Thorntons excellent paper and also some is based on - (broken link) Luca Canali's work on ASM internals which is also excellent. Finally Marcin mentions in another post - BBED and Oracle Vault - to defeat Audit Vault with BBED, nice but no indication of actual privileges used to do this.