Pete Finnigan's Oracle Security Weblog

I saw Laurent Schneider's post today titled "FAILED_LOGIN_ATTEMPTS part 2" about the failed_login_attempts profile parameter in 10g R2 being defaulted to 10 for all users in this new release. He was also kind enough to email me about this post and my second post yesterday about the same subject. Alex sent me a screen dump of his 10g R2 database where the user DBSNMP did not have the default profile and had instead a profile called MONITORING_PROFILE with a default value of UNLIMITED. As you can see in Laurent's pots his example has DBSMP in the default profile with a default value of 10 for the failed_login_attempts. I don't know why there is a difference at this point other than to say it must be because of a difference in the database creation, maybe Alex used a seed database. It is still interesting though.

Alex has just told me that every user in 10G R2 has the default profile with a failed_login_attempts value of 10 except the DBSNMP user which has a new profile called MONITORING_PROFILE with a default value of UNLIMITED for failed_login_attempts. This means that DBSNMP is a bigger security risk as a brute force attack using actual connect attempts would not be blocked by this feature.

I saw a post on Laurent Schneider's blog titled "FAILED_LOGIN_ATTEMPTS default to 10 in 10gR2" and went or a look because of the security connotation. I have not got a 10gR2 database here to try this out but it seems like a move in the right direction. This implies that the default profile now has values set, i need to check. The value of 10 though I would not agree though. It needs to be lower, at least 5 or maybe lower.

I saw a good thread today on my Oracle Security forum titled "external password store" posted by Ivan that gave a good example run through of using the external store in 10g release 2 or rather he shows the errors he received in his first attempt and then the successful use of it in his second go. This looks like a very useful feature in 10g R2 to prevent the need to pass or store or hardcode passwords for os based batch processes.

I saw a post on the Amis blog today titled "Debugging PL/SQL with DBMS_DEBUG" that talks about http://www.adp-gmbh.ch/ora/plsql/debug.html - (broken link) René Nyffenegger's page that explains how to use the PL/SQL package DBMS_DEBUG from the command line. This is an excellent page and worth looking at that i had seen before some time ago but had forgotten about. I had downloaded René's code a long time ago and played with it quite extensively.

A second news article written by David Needle and titled "Oracle CEO Touts Security Plans" is worth a read. In it the author talks about Larry answering questions in an hour long Q&A session. He talked about encrypted backups, VOIP security issues and also that Oracle is going to be very focused on Intrusion detection technologies and identity management and also that Oracle is focussing on security as its number 1, 2 and 3 most important issues.

CRN has a good news article about Larry's speach at Oracle Open World. The article is written by Barbara Darrow and is titled "Ellison Speaks On Oracle Partner Challenges, Security". This is a great article that talks about the only question posed to him at OOW that rattled him were about security. One member of the audience asked if Oracle would commit to fixing known security bugs within a quarter of their discovery. Larry's answer was NO. He went on to qualify slightly. He then went on to claim that an Oracle database had not been broken into for 15 years! He then went on to say that if someone had posted a username and password on the net then its not the same as breaking in. He also said nobody could break into an Oracle database except some guys he could name who are on our side!. First of all bugs have been found that do not require authenticated access in the last 15 years and also if some guys who are on our side can get in, does that mean there are backdoors in the software?

I received an email from Dirk Nachbar to let me know that he has released a new paper concerning a security hole in the application server control. If you want to trace Forms Sessions out of the Application Server Control Web Front end you have to provide a Hostuser name and his password (normally the Oracle Software Installation user: oracle). This Information, the Username and Password will be displayed in the URL and stored in clear text in a logfile. Dirk also provides a workaround for the bug how to avoid this behaviour. At the moment the WhitePaper is only available in German, but will be available soon in English. The paper is titled http://www.trivadis.com/Images/forms_tracing_0525_DE_tcm16-12964.pdf - (broken link) Forms tracing im Application Server Control Eine Sicherheitslucke?

I saw Justin's post titled http://www.orablogs.com/otn/archives/001423.html - (broken link) Database, Security & Linux : Meet the Experts and read it with interest, or rather the third paragraph where Justin talks about Mary Ann's panel discussion. In it someone had raised a point to Mary Ann that various auditors of Oracle have defined different standards for securing Oracle and that this issue caused this person trouble with external auditors. He (the question raiser) said it would be good for a standard to exist for securing Oracle. Mary Ann said she was working with NIST (National Institute of Standards and Technology) to see if they can come up with something. I could not find anything on the NIST site site to suggest that they had got anywhere near to publishing anything or any evidence of progress.

Why is there a need to do this when previously the Center For Internet Security have done this with the Oracle Security Benchmark. This benchmark, or the first version at least was closely based on my book "Oracle Security Step-by-Step (Version 2.0)". I was not involved with the CIS Oracle benchmark but I understood from people who were that Oracle people were on the team.

I think I would agree with Mary Ann that there needs to be a standard for securing Oracle that everyone can work to. I also feel Oracle should be involved but not control its contents. As with anything like this it would be fluid and moving due to the nature of security risks and issues being found day to day. But for core issues i agree it could be fixed. I have some great ideas of what should be included.

If NIST want to involve me then please feel free to contact me. If others think we should have an open standard or community effort not organised by NIST then I would be happy to be involved in such a team / effort or even organise the effort here. I have started a thread on my Oracle security forum to discuss creating an open standard for securing Oracle. I have also installed MediaWiki in anticipation that others might like to join in and create a community standard for securing Oracle. If anyone has any thoughts / interest about this then please voice them initially on the thread above.

It is just over one year ago since I started my Oracle security blog, well one year and four days to be exact. I have not had time to write any blog entries for a couple of days so its a belated happy birthday!. As Mark Rittman said on the anniversary of his blog its somewhat of a tradition to review your blog after the first year. I don't know if you are supposed to do the same after the second year, maybe someone would let me know in good time..:-)

I started out on 20 September 2004 with some ideas about how I would write for the blog and how often I would post to it. I planned to cover news items, papers, short and long and tools and basically anything Oracle Security related. I also said I would update it every few days. I think I have performed well on both counts. I have been able to post almost every day, I went for about a period of three months at one time without missing a day I believe. I also think I managed 6 or possibly 7 posts in just one day once (I am not going to look now to check but I think it was at least 6). I have posted 560 posts including this one in one year and 4 days. Not bad going.

I have enjoyed writing this blog and keeping it going over the period. I thought when I started that I would not find enough things to write about to post regularly but I underestimated this by far. I have a large backlog of things to write about now (in excess of 30 items) for instance. The thing now is finding the time to add entries. The blog is going to continue into its second year in much the same way. I still plan to write as regularly as before.

What have been the highlights for me? - Probably the news stories that broke about the various CPU releases and the problems with them. It was great to be there at the forefront passing the new on. Also the recent disclosures by Alex of unfixed bugs. I think this had to happen sooner or later, whether it was Alex or someone else. There are large amounts of unfixed security bugs listed on various researchers site so as I said it was bound to happen. I was quite shocked at the level of news interest in that particular story. For me I think the news items have been exciting and also the recent disclosure of the password algorithm on comp.databases.oracle.server by some guy was interesting and has led to some great free tools coming out.

The one regrettable thing for me was the necessity to turn off comments due to spammers. Also my recent troubles with referral spammers has made running a site more tedious..:-( I plan to upgrade the blog software at sometime to some product that supports comment throttling and also comment moderation as I would really like to have comments enabled. When I have time..:-)

The stats for my site have gone from strength to strength. I started out last year on about 10,000 visitors per month and 363 per day and about 20,000 page views per month. This has grown to about 2100 visitors per day and about 64,000 visitors per month and page views growing to around 250,000 per month. I have served up 1.5 million page views and seen 0.5 milion visits in the last year. The stats are still growing strongly month on month.

OK, thats it for a brief summary, back to Oracle security!

I made a note a couple of weeks ago to have a look at a post on the IT-Eye blog titled "Oracle Proxy Users". I finally had a chance to have a quick look this evening. The post by talks about Lucas Jellema's post on the Amis blog where he talked about getting rid of USER. A lot of security code depends on USER already. Many web based applications use connection pooling and proxy users. Lucas talked about getting rid of USER and setting the user in application contexts. This IT-Eye post talks about using proxy users in 10g instead and the fact that USER works properly still. This is a good post and includes quite a lot of good links.

Marcel-Jan has posted an interesting analysis of timings of toolcrypts orabf Oracle password cracker on my Oracle security forum. Marcel-Jan has worked out the order that the brute force passwords are work through and done some timings for finding every password for particular length passwords (up to 8 characters). he has used passwords of ZZZZZZZZ. He used Z's as this ensured that all passwords are worked through first. The 8 character password took 4 days, 9 hours, 12 minutes and 38 seconds. Bear in mind that this are pure ascii passwords and passwords including numbers (digits) or special characters _#& would take much longer. And passwords using the whole keyspace would take even longer.

This means that to ensure that you have harder passwords to crack you need to use digits and special characters or ideally the whole key space for your passwords.

The thread is titled "Toolcrypt's orabf" and the post is at the end.

I got an email from Jens-Uwe Peterson of Trivadis GmbH this evening to tell me of a paper written by one of his colleagues Dirk Nachbar who has studied the desname bug in detail and has provided a workable solution for it. His paper is titled "A security hole in Oracle application server (reports) and how to fix it".

This is the bug whereby the desname parameter can be used to overwrite any system file. This is a great paper and well worth reading if you have or run Oracle Reports. Dirk has studied the issue in great detail and has proposed a sound solution using mod_rewrite rules.

On Security, Is Oracle the Next Microsoft? By Paul F. Roberts - Source - eWeek.com

"Oracle's acquisition of PeopleSoft and Retek for more than $11 billion in recent months, together with the planned purchase of Siebel for $5.88 billion, will transform the company into an enterprise software giant.

But there are signs of danger ahead for the Redwood Shores, Calif. company as reports of a backlog of unfixed software holes and buggy product patches cause some to wonder whether the database software pioneer is headed for a security crisis.

In the last year, Oracle Corp. was muddied by a series of mishaps and missteps that include faulty product patches and withering criticism from independent security researchers, who charge that the company lacks security discipline."

I came across a post titled "More Patch Scheduling and Disclosure" this evening that talks about the problems of scheduling patch fixes from the security managers point of view and also the view of the manufacturers. The post is very interesting and well worth a read. It also links to another blog entry titled http://www.osvdb.org/blog/?p=35 - (broken link) .. and the debate keeps raging that discusses the previous release of six advisories by Alex that were unfixed by Oracle. It also discusses the Mary Ann article from the same period.

I saw one evening last week that Google has finally added a blog search engine. I saw that IT-eye had a post titled "Two new tools for frequent blogreaders" that talks about Google Blog Search and also about tech.memeorandum a website that lists the most blogged about technology news items. Also Eddie Awad's blog had an entry on the same subject. This new Google blog search should be a great tool to find Oracle news and particularly Oracle Security news quickly. If you go there and search for Oracle Security there are over six thousand results returned and quite pleasingly this blog is highlighted at the top with a Related Blogs tag. Looks like Google recognises my blog as being an important resource for Oracle Security.

I just came across the recent news story by Clint Boulton titled "Oracle Locks Up 'Federated' App Server" describes the fact that Oracle has just debuted their new security developer tools that allow a user to grant or deny access to information held on computers.

This is an interesting news item that tells us that

"The tools let corporations offer partners and customers access to their internal applications, while keeping them out of files and other information they don't want to share."

"The suite of tools, based on specifications written by the OASIS SAML (define) and the Liberty Alliance Project, has been designed to craft applications that run on Oracle Application Server 10g Release 2, launched earlier this year."

The tools are based on federated identity where policies define whether users can access data or not. The access to the data is granted via passwords or / and other credentials. These new tools are needed to weave security into the Service Oriented Architectures (SOA) Oracle and its rivals are pushing. The tools are part of the Oracle Fusion Middleware brand.

The advisory that Alex released yesterday that reports a common SQL Injection issue in Oracle Reports that Oracle have not provided a fix for is also available in German (Alex's native language of course). The advisory is called "SQL Injection in Oracle reports"

Today Alex has released a new paper on his site titled "SQL Injection in Oracle reports". Alex has found that self developed reports are vulnerable to SQL Injection if they are using "lexical references" without input validation. Most Oracle reports developers are not aware of this issue and by definition are not validating input (e.g from parameters). This is not a bug in the reports product itself but an issue with the developers. Alex states that the Oracle documentation does not alert developers to this issue.

Alex goes on to state that all Reports products since version 2.0 using "lexical references" are vulnerable. These could be self developed or for instance part of an Oracle application such as E-Business Suite.

Alex states that it is not possible to fix this issue by setting a parameters but only possible by fixing every report by adding input validation for all parameters. Oracle has not released a fix for this issue.

This is clearly a very big issue and a serious issue as potentially there are a large amount of vulnerable reports out there.

Alex then describes the problem in detail and includes an example vulnerable report that demonstrates how database usernames can be read using SQL Injection techniques. Alex then repeats that the issue is a big problem if you have a lot of reports using "lexical references" and gives a history of when he reported the bug to Oracle.

Thanks to http://julian.dyke.users.btopenworld.com/Oracle/ - (broken link) Julian Dyke who emailed me early this morning to let me know I had made a mistake on a previous blog entry I made. Quite some time ago, almost one year ago, in fact I posted about "Writing to the alert log" where I showed how you can use the DBMS_SYSTEM package to write to the alert log, or a trace file or both. Unfortunately i made a mistake with the procedure ksdddt as I spelt its name incorrectly. I have now fixed this page. Thanks again to Julian.

I saw a great article on the Amis blog a few days ago and made a note to have a look and talk about it here. The article is written by Lucas Jellema and is titled "Standard for Database Development - Getting rid of USER from PL/SQL and SQL - no longer is USER equivalent to End User". This is a great article that talks about the need to get rid of the USER pseudo function from older code written in the days when all database users had their own database account and using the function did return the correct user. This was in the days before proxy users and connection pooling. Lucas starts with the reasons USER was used and the implications of using it now and why it should be removed and the fact that he is saying it shouldn’t be removed in all cases. Lucas goes on to show some examples of a home grown application user table and also a VPD example. He goes on to give examples of how the user might be set and the issues of application servers, middle tiers and logon triggers. Lucas also talks about the fact that the use of USER translates to a select from dual and how this has improved in 10g.

Great paper and well worth a read.

I have been quite on the Oracle security blogs for a couple of days - I have a backlog of stuff to talk about and will talk about them later.

I have been spending a bit of time playing with Perl at the weekend and LWP::Simple and XML::Simple to parse RSS 1.0 and RSS 2.0 files so that I can extract the top 5 entries from my own blog to add links to my home page. I know it can be done with Javascript but I like the code to be under my control rather than using one of these sites that allow you to generate a Javascript call. My pages are also static HTML so I cannot use php to generate the entries on the fly which might have been easier long term. Anyway I got some perl running that generates a set of links and link text that I can now add to my index.html page. That part is not easy. I also need to integrate it into the blog software so that I can simply regenerate the index page every time I add a blog entry. I have also been looking at RSS aggregator software, perl again so that i can finally populate my newsgroup, blogs and news pages. I want to list some of the news sites and blogs and newsgroups / mailing lists I look at looking for Otracle security information. I then plan to add an aggregator as well to group the news sites and blogs that I watch on one page. That’s the advantage and power of RSS.

I have also spent some time yesterday looking at the problem of referrer spammers. I have been getting these people spamming me for a long time now but it’s now picking up to a much bigger issue. They use bots probably on compromised PC's that sent out requests to sites with forged referrer fields so that they can get either click through or increase their Google PR. A good paper on it is "Proposal on referrer spam: Background and blacklists". The problem is that I don't publish either blog referrer lists (links) or statistics that include referrer lists. These people seem to use a scatter gun approach and just spam blogs anyway. I guess this is the case as they are spamming my Web development site which has a blog. There again they have also been requesting pages from another site of mine that doesn’t have any content yet and also does not have a blog. Although I have said on its index page that i will add a blog. Google hacking is probably being used to find sites to spam. They are a real problem. One particular IP has sent 30,000 hits in the last few days. It doesn't increase my visitor numbers much so doesn’t really skew the figures I am interested in but the hits and the download sizes are getting ridiculous. These people consume a lot of bandwidth. The problem is hard to solve though. I have been working on some solutions yesterday, which I won't discuss the details of here for obvious reasons. Anyway normal Oracle security service should now resume!

I was browsing the web tonight and visited KK Mookhey's site http://www.nii.co.in - (broken link) Network Intelligence to see what was new and I found a paper written by KK and Nilesh in 2004 titled "Detection of SQL Injection and Cross-site Scripting Attacks". This is a great short paper that discusses creating regular-expression based rules for snort, the open source Intrusion Detection System (IDS) for SQL injection and cross site scripting attacks on web based applications. This is a quite an interesting discussion on detecting some simple things such as -- or single quotes. KK and Nilesh show how to create reg expressions including how to detect upper case and lower case and also hex equivalents. They also go deeper into metachars and how to recognise SQL Injection attempts and even looking for the keyword UNION. The paper goes on to talk about detecting CSS attacks as well. This is a great little paper, perhaps slightly date due to the more advanced ways to Inject Oracle and other databases that have been presented recently but this paper is still valid and a good attempt at looking at how a IDS free tool can be used useful against Oracle.

I just saw on Radoslav's blog that Oracle have released the official version of 10g Release 2 for Windows. It is available for download at the Oracle Database 10g Downloads page. I will be setting my ADSL line to good use tomorrow to get it. Quite coincidentally my ISP has just emailed me to say that my download speed has just been doubled for free.

I have known about Kurt Van Meerbeek's tool DUDE for a few years now. The tool started as a private project of Kurt and Kugendran Naidoo and it was called jDUL. The project was at first hosted on sourceforge but never made it out into the world as an open source tool. I was lucky to have had sent to me a trial version a couple of years ago so I could have a play with it and see what it did. I was always impressed by Kurt's knowledge of the internals of Oracle and was also impressed with his version of a DUL tool.

DUDE can be used to extract data from database instances that cannot be started and that are effectively scrap. It can also be used as a fast method to extract data. I would not recommend this for production though as you are unlikely to be supported. As a crash recovery tool though it is a lifeline to some people.

Kurt has now started a site called ORA-600 to promote DUDE as jDUL is now known. There is a good introduction to DUDE on the front page of the site that includes a list of all of the features supported. It works with Oracle 8,8i,9i and 10g, the dictionary can be recreated, missing SYSTEM tablespaces can be dealt with, most data types are covered, whole tablespaces can be recovered, pl/sql, most major platforms are supported, chained, migrated rows, trailing NULL's and partitioned tables are supported. Version 2.0 will include IOT's LOBS and RAW's soon.

If you have a dig around Kurt's site, you will find a nice description of the tool, a history page and also details of the services offered. Miracle AS, Mogens company are the preferred resellers to contact if you need to hire this tool.

Kurt has also includes a nice paper DUDE 2.0 primer that details how DUDE can be used to extract data from your Oracle database.

It is possible to get a demo version from Kurt, follow the links on his site and use Kurt's security protections. You need to fill in a config file and run DUDE_PROBE.jar against your database and then it is possible to get a demo that will dump just two tablespaces DUDE and SYSTEM.

I have updated my Oracle Internals page to add details of Kurt's paper and I have also added an Internals section to my Oracle Security Tools page to include this tool.

I saw with interest Tom's post to his blog titled http://tkyte.blogspot.com/2005/09/archive-log-mode.html - (broken link) Archive Log Mode a few days ago and made a note to have a look. Whilst this post is not directly about security it has a direct bearing on the results of a successful hack. Basically Tom regales a story that he gets to hear about twice a week. Someone had emailed him and said "help, the database has crashed, it won't open, we don't have a recent backup and its not in archivelog mode.". Basically they have had it. The data has gone. If you do not plan backup strategies properly, have disaster recovery plans and test for all eventualities of failure and recovery your data is doomed. It may be that you lose the data through a software failure or a hardware failure or because of a hacker. The bottom line is that if you do not have a way to recover lost data you are doomed.

That said some sites do run without archivelog mode enabled but the big difference is that its a proper decision and they know the consequences and also know how to get all their data back. This is sometimes a solution in data warehouses.

Also don't forget that there are some tools available that can help open a corrupted database and get some data out of it. Oracle has the Data UnLoader (DUL) tool. This is a tool closely guarded jewel in Oracles crown and if you have a crashed database and no other way to get the data out then you can call Oracle in to help with this tool. There are at least a couple of private tools out there that can be used as an alternative, one of which i will tell you about in a post tomorrow.

I have just added a couple of links to my Oracle Internals page about Data UnLoader (DUL), one is a link to the user guide for DUL and another link to a post about its use and some examples.

I notice with interest Wilfred van der Deijl's post to his blog titled "Patch 9.0.4.2.0 misses MouseWheelHandler.class" as it seemed to imply from the title that yet again another patch set has a problem. Wilfred details the issue whereby a Jar file is missing from patch 9.0.4.2.0. That was causing Forms to load 4 times slower than it was on the previous patch set. Oracle knew about the issue internally and had fixed it in 10.1.2.0.2. Wilfred fixed the issue himself by adding the missing Jar back. This is a great analysis of a bug.

I saw a post on Eddie Awad's blog last week and made a not to have a look. The post is titled "Pre DBMS_RANDOM". This is an interesting post that shows how random numbers were generated pre DBMS_RANDOM. Eddie shows some code from an Oracle Applications package that uses a seed and a date as the randomizing factor. There are known issues with DBMS_RANDOM in that if the seed is not long enough the number generated is not random enough. It is better to use the DESGETKEY function in DBMS_OBFUSCATION_TOOLKIT as this uses the FIPS-140 random number generator.

Nice blog entry though, useful to see how it was done. Its not too difficult to see how any encryption that uses a key generated by Eddies package might be broken with knowledge of the time frame it was encrypted and the seed value.

I was browsing eweek yesterday searching for Oracle Security related news articles and bookmarked an interesting article titled "Security Firm May Stay Mum" and written by Paul F. Roberts. The article is dated August 8 so is from about a month ago but is still worth reading. The article discusses NGS's proposed change in policy.

Looks like the latest http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html - (broken link) security patch set CPU July 2005 has yet again got some problems. Oracle has sent out an email to all customers that have downloaded patch 4393850 for Oracle Application Server version 9.0.2.3 on Windows before it was re-uploaded on September 1 2005. A bug has been found where Forms returns an error FRM-92100 when a query has been executed and the CPU July 2005 patch had been applied.

Oracle inform customers to install the new version of the patch if it has not been installed already, if it has been installed then it needs to be rolled back and the new version applied.

I made a note of a link I saw on Richard Byrom's site a week or so ago. The article titled "Oracle ACE program". I made a note because this post let us know that Mark Rittman had been awarded the Oracle Magazine Oracle ACE of the year 2005. An interview with Mark will appear in the Nov/Dec 2005 edition of the Oracle magazine.

Congratulations to Mark!

0rm has emailed me today to let me know that he has made a small bug fix to the Oracle brute force and dictionary password cracker. It has been upgraded to version 0.7.2. The bug was in the pre-fetch code where passwords that were a multiple of 4 characters were not cracked. This bug only affected brute force mode and not the dictionary mode.

There is also a good discussion going on over on my Oracle Security forum about 0rm's Oracle password cracker.