
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

New CIS Oracle database benchmark

A new CIS benchmark for Oracle 11g has recently been released: http://www.cisecurity.org/bench%5foracle.html - (broken link). The 11g benchmark is an update of the previous 8i (version 1) and the subsequent 9i/10g (version 2) Oracle benchmarks. There is still only an 8i scoring tool, as one was not produced for the 9i/10g benchmark and there is not one available for the 11g guide either.

As you will see, a simple registration is required and all three versions of the benchmark are available. You can of course get the scoring tool (available for Windows, Linux and Solaris) and still run it against 9i/10g or 11g. The checks were never complete anyway, as quite a lot of them were in the form of questions, but many of the checks still work for the later versions of the database.

The 11g guide does not seem a massive change in terms of checks over the 9i/10g one. The 9i/10g benchmark really added a lot of Advanced Security Option checks (the Oracle ASO add-on, that is) that in my experience most sites are not using anyway.

The 11g guide's style seems better than the previous ones, though the lineage / history is still strongly there. The original benchmark (8i) was based on the book I wrote for SANS, the Oracle Security Step-by-Step guide, which is no longer available; compare the SANS SCORE document with the CIS benchmark, for instance. The 11g benchmark includes a few 11g specifics such as case sensitive passwords and other 11g settings. As I said, the style is better than the earlier versions; I like it.

I think it's great that there is an update to this important checklist, as there are not many checklists available for the Oracle database. There is the SANS Step-by-Step; the SANS SCORE (written by me and updated by Paul), which is essentially the checklist from the SANS Step-by-Step and obviously very similar to the CIS benchmark as they have the same starting point; the DoD STIG; an NSA document; the great little IT Governance Institute book; and Oracle's own checklist, which gets updated from time to time but is not as detailed as the SANS SCORE or the CIS benchmark. So it's great that a resource like this exists; as I said, there are not many checklists for Oracle databases.

I want to make two comments about checklists; they are good and bad at the same time. They are good because when we audit an Oracle database we need to have something to work to, some standards, some list of things to check. This is important. I obviously use my own checklists that are much, much more detailed than any of the above lists; I check for some ten times more settings / parameters / privileges / configurations than these lists do. My lists are internal and will stay that way; I update them on average probably daily. I have tens of thousands of lines of code implementing checks. If you want to perform an audit for yourself then you need a place to start, and lists like the CIS / SANS SCORE / SANS Step-by-Step are good starting points, BUT (the bad bit) what we don't want to do is create the same issue as compulsive tuning disorder for security, i.e. we don't want to simply try things from a list (tip?) and see if it works, then move on to the next good thing to try.

What we need is a methodology; in fact I have one, this is what I have done for years as part of my security audit service for an Oracle database. I have a methodology that allows due diligence and repeatability but is not based on working through a set of checks. I am not going to go into great detail; suffice to say that the methodology is based around understanding the data, understanding the data flow (into and out of the database), the business use of the data, and then correlating that with what is actually going on with the data, how it is managed and accessed, and what the privilege models are for all classes of users. Of course I also look at all the other peripheral issues such as OS access. My methodology allows repeatability whilst being actually different checks for each database; well, because each database is different.

So whilst I use checklists, in terms of having written extensive tools over the years, I do not work through a checklist as such, as each system has different requirements and security issues; each "check" can have a different risk level based on what else is going on. One site that has an Oracle database that serves up maps of the company car park, that allows developer access but essentially has static data and can be rebuilt in minutes, is different to a database that holds tens of thousands of credit card details where that data is held in many alternate locations because of replication to test and dev, because of multiple storage places within the database, because of reports that hold the credit cards, because of.......

Checklists are good BUT you also need context and brain power and probably experience to understand the core issues. As I have said many times to people, the issue is about "securing the data", not necessarily about "securing Oracle". There is a subtle difference that matters!

I guess what I am saying is that they (checklists) are good, nay great in the case of the CIS benchmark, but don't just simply work through them; think about your own data, its use, its access needs, the access paths to the data, who can access the data and why. Base it on the data, base it on people, real people, not just settings.

Exploiting CREATE ANY DIRECTORY to become a SYSDBA

Paul has recently put out a new paper on his site called "CREATE ANY DIRECTORY to SYSDBA" and also code for the example exploit. This is an interesting paper and shows why granting any privilege with the keyword "ANY" in it is an issue: there are possibilities to exploit any of these ANY privileges to gain access to data or to escalate privileges.

The paper is interesting but (this is not a criticism) it is a class of issue that should not be allowed to exist in a production database. We must always follow the least privilege principle, and indeed this is one area I concentrate heavily on when I perform an Oracle database security audit for clients. The second issue with Paul's paper (again in no way a criticism) is that the UTL_FILE and directory object method is not the only way to get at the password file (in this case). I still see 10g databases with utl_file_dir set to * for instance, and there are also lots of other packages and Java that allow access to the file system, so beware: there are other possible vectors here involving different packages, privileges etc.

Good paper.
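As an added example (my own queries, not Paul's code and not part of the original post) of the least-privilege check the paragraphs above argue for, the statements below are what I would run, connected as a DBA-privileged user, to find who can reach CREATE ANY DIRECTORY either directly or through nested roles, where the existing directory objects point and who may read or write them, whether utl_file_dir is set, and which other routes to the file system (PUBLIC execute on file-capable packages, Java file permissions) are open. They use only standard data-dictionary views (10g or later for CONNECT_BY_ROOT and NOCYCLE); the package list in the fourth query is my own selection of well-known file-capable packages, not an exhaustive inventory.

```sql
-- 1. Every user who holds CREATE ANY DIRECTORY, directly or through a role chain.
--    Change the two WHERE clauses to  privilege LIKE '%ANY%'  to list every ANY privilege.
WITH role_chain AS (
  SELECT CONNECT_BY_ROOT grantee AS root_grantee, granted_role
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT sp.privilege, u.username AS holder, 'DIRECT' AS via
FROM   dba_sys_privs sp
JOIN   dba_users     u  ON u.username = sp.grantee
WHERE  sp.privilege = 'CREATE ANY DIRECTORY'
UNION
SELECT sp.privilege, rc.root_grantee, 'ROLE ' || rc.granted_role
FROM   dba_sys_privs sp
JOIN   role_chain    rc ON rc.granted_role = sp.grantee
JOIN   dba_users     u  ON u.username = rc.root_grantee
WHERE  sp.privilege = 'CREATE ANY DIRECTORY'
ORDER  BY 2, 3;

-- 2. Existing directory objects, the OS paths they expose and who may use them.
--    Paths under $ORACLE_HOME (dbs/, network/admin/) or the datafile locations
--    deserve a hard look; a directory with no grants is harmless only until
--    someone with CREATE ANY DIRECTORY repoints it.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
LEFT JOIN dba_tab_privs p
       ON p.owner = d.owner AND p.table_name = d.directory_name
ORDER  BY d.directory_name, p.grantee;

-- 3. The older route: utl_file_dir = '*' opens the whole file system to UTL_FILE.
--    The parameter is static, so a fix needs a restart to take effect.
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir';

-- 4. File-capable packages that everyone can execute (list is a starting point).
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    grantee = 'PUBLIC'
AND    table_name IN ('UTL_FILE', 'DBMS_LOB', 'DBMS_ADVISOR', 'DBMS_XSLPROCESSOR')
ORDER  BY table_name;

-- 5. Java file permissions (populated only where the database JVM is installed).
SELECT grantee, name AS path, action, enabled
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
AND    kind = 'GRANT'
ORDER  BY grantee, name;
```

The fix for anything the first query turns up outside the built-in administrative accounts is the least-privilege one: REVOKE CREATE ANY DIRECTORY and, where an application genuinely needs file access, create a specific directory object pointing at a dedicated path and GRANT READ (or WRITE) ON DIRECTORY to that account alone. Treat the other four queries the same way, as a map of every path from a database session to the file system rather than a check on one privilege.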

How to write injection proof PL/SQL

Duncan emailed me today to let me know of a new paper written by Oracle called "How to write injection proof PL/SQL" that was released in the wake of Oracle Open World. The paper is excellent and 76 pages long. Here is the abstract from the head of the paper:


Googling for "SQL injection" gets about 4 million hits. The topic excites interest and superstitious fear. This whitepaper demystifies the topic and explains a straightforward approach to writing database PL/SQL programs that provably guarantees their immunity to SQL injection.

Only when a PL/SQL subprogram executes SQL that it creates at run time is there a risk of SQL injection; and you'll see that it's easier than you might think to freeze the SQL at PL/SQL compile time. Then you'll understand that you need the rules which prevent the risk only for the rare scenarios that do require run-time-created SQL. It turns out that these rules are simple to state and easy to follow.


Bruce Schneier also has a post titled "How to Write Injection-Proof SQL" that has an interesting comment stream attached to it.
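To make the distinction in the abstract concrete, here is an added example (mine, not code from the Oracle paper or from this blog) of the three cases it describes: a procedure that assembles its SQL text at run time from a caller's value and is therefore injectable, the same logic with the SQL frozen at compile time, and a case that genuinely needs run-time SQL, handled with a bind variable and DBMS_ASSERT. It assumes the HR sample schema (HR.EMPLOYEES) is installed, that the invoking user can read it, and that the database is 10g Release 2 or later (DBMS_ASSERT, q'[...]' quoting); the procedure names are my own.

```sql
SET SERVEROUTPUT ON

-- 1. Injectable: the SQL text is built at run time by concatenating the
--    caller's value.  A value such as  x' OR '1'='1  rewrites the predicate.
CREATE OR REPLACE PROCEDURE count_by_name_unsafe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  l_sql   VARCHAR2(4000);
  l_count PLS_INTEGER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM hr.employees WHERE last_name = '''
           || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('unsafe  : ' || l_count || ' row(s)');
END;
/

-- 2. Frozen at compile time: static SQL, so p_name can only ever be a value.
CREATE OR REPLACE PROCEDURE count_by_name_static (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_count
  FROM   hr.employees
  WHERE  last_name = p_name;
  DBMS_OUTPUT.PUT_LINE('static  : ' || l_count || ' row(s)');
END;
/

-- 3. Run-time SQL that is genuinely needed (the caller chooses the table).
--    The value travels as a bind variable.  An identifier cannot be bound, so
--    it is passed through DBMS_ASSERT.SQL_OBJECT_NAME, which raises ORA-44002
--    unless the string names an existing object.
CREATE OR REPLACE PROCEDURE count_by_name_dynamic (p_table IN VARCHAR2,
                                                   p_name  IN VARCHAR2)
  AUTHID CURRENT_USER
AS
  l_sql   VARCHAR2(4000);
  l_count PLS_INTEGER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
           || ' WHERE last_name = :name';
  EXECUTE IMMEDIATE l_sql INTO l_count USING p_name;
  DBMS_OUTPUT.PUT_LINE('dynamic : ' || l_count || ' row(s) in ' || p_table);
END;
/

-- Exercise all three with the same hostile input.
DECLARE
  l_payload VARCHAR2(100) := q'[x' OR '1'='1]';
BEGIN
  count_by_name_unsafe(l_payload);   -- counts every employee: predicate rewritten
  count_by_name_static(l_payload);   -- 0 rows: the quote is just data
  count_by_name_dynamic('HR.EMPLOYEES', 'King');
  BEGIN
    count_by_name_dynamic('HR.EMPLOYEES WHERE 1=1 --', 'King');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('dynamic : rejected (' || SQLERRM || ')');  -- ORA-44002
  END;
END;
/
```

AUTHID CURRENT_USER is not part of the injection fix; it is there because a definer's-rights procedure runs with its owner's privileges, so an injection into one hands the caller those privileges, and invoker's rights caps the damage at what the caller could already do. Where the run-time part of the SQL is a literal rather than an object name, DBMS_ASSERT.ENQUOTE_LITERAL does the corresponding job, but a bind variable is still the better answer whenever the grammar allows one.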

October Critical Patch Update 2008 is out

The latest in the line of Critical Patch Updates (CPU October 2008) has just come out. The Oracle advisory "Oracle Critical Patch Update Advisory - October 2008" has just been released and it describes the fixes available with this patch.

There are a few new names in the credits section and also an increase in the number of people helping with the security in depth program. I was credited again on this CPU, the second time this year; I will release an advisory later related to this fix. The number of database fixes is 15, one of which can be exploited remotely without authentication. The highest CVSS ratings are two at 6.5. There are also a number of Application Server, E-Business Suite, PeopleSoft and BEA fixes included in the patch/advisory.

New version of cracker-2.0 the PL/SQL cracker - option to not reveal passwords

I have amended the PL/SQL Oracle password cracker to provide the option to print only "WEAK" instead of the actual cracked password. The cracker is now version 1.4 and can be downloaded from the same page. The switch to turn on WEAK output is near the top of the code. Locate the line (near the top of the code):

define weak = 'OFF'

And edit it to show:

define weak = 'ON'

When run after the change the cracker is now safe for situations where the passwords should not be revealed, e.g. SOX and German environments. A sample run with this turned on is shown here:

SQL> @cracker-v2.0.sql
cracker: Release 1.0.4.0.0 - Beta on Mon Oct 13 17:53:08 2008
Copyright (c) 2008 PeteFinnigan.com Limited. All rights reserved.

T Username Password CR FL STA
=======================================================

U "SYS" [WEAK ] DI CR OP
U "SYSTEM" [WEAK ] DI CR OP
U "OUTLN" [WEAK ] DE CR EL
U "DIP" [WEAK ] DE CR EL
U "TSMSYS" [WEAK ] PU CR EL
U "ORACLE_OCM" [WEAK ] PU CR EL
U "XDB" [WEAK ] DE CR EL
R "GLOBAL_AQ_USER_ROLE [GL-EX {GLOBAL} ] GE CR OP
U "DBSNMP" [WEAK ] DI CR OP
U "WMSYS" [WEAK ] DE CR EL
U "EXFSYS" [WEAK ] DE CR EL
U "CTXSYS" [WEAK ] DE CR EL
U "XS$NULL" [ ] -- -- EL
U "ANONYMOUS" [IMP {anonymous} ] IM CR EL
R "SPATIAL_WFS_ADMIN" [WEAK ] PU CR OP
U "ORDSYS" [WEAK ] DE CR EL
U "ORDPLUGINS" [WEAK ] DE CR EL
U "SI_INFORMTN_SCHEMA" [WEAK ] DE CR EL
U "MDSYS" [WEAK ] DE CR EL
U "OLAPSYS" [ ] -- -- EL
U "MDDATA" [WEAK ] DE CR EL
U "HR" [WEAK ] DE CR EL
U "SPATIAL_WFS_ADMIN_U [WEAK ] PU CR EL
R "WFS_USR_ROLE" [WEAK ] PU CR OP
R "SPATIAL_CSW_ADMIN" [WEAK ] PU CR OP
U "SPATIAL_CSW_ADMIN_U [WEAK ] PU CR EL
R "CSW_USR_ROLE" [WEAK ] PU CR OP
U "WKSYS" [WEAK ] DE CR EL
U "WKPROXY" [WEAK ] DE CR EL
U "WK_TEST" [WEAK ] DE CR EL
U "SYSMAN" [WEAK ] DI CR OP
U "MGMT_VIEW" [ ] -- -- OP
U "FLOWS_FILES" [ ] -- -- EL
U "APEX_PUBLIC_USER" [ ] -- -- EL
U "FLOWS_030000" [ ] -- -- EL
U "OWBSYS" [WEAK ] PU CR EL
R "OWB$CLIENT" [WEAK ] BF CR OP
R "OWB_DESIGNCENTER_VI [WEAK ] BF CR OP
U "SCOTT" [WEAK ] DE CR EG
U "AB" [WEAK ] PU CR OP
U "OE" [WEAK ] DE CR EL
U "IX" [WEAK ] DE CR EL
U "SH" [WEAK ] DE CR EL
U "PM" [WEAK ] DE CR EL
U "BI" [WEAK ] DE CR EL
U "PETE" [WEAK ] DE CR OP
U "BILL" [WEAK ] PU CR OP
U "A" [WEAK ] PU CR OP
U "B" [WEAK ] PU CR OP
U "C" [WEAK ] PU CR OP
U "RES_TEST" [WEAK ] PU CR OP
U "XX" [WEAK ] DI CR OP
U "ORASCAN" [WEAK ] PU CR OP
U "IMPOSS" [IMP {imposs123456789] IM CR OP
U "D" [ ] -- -- OP
U "P1" [WEAK ] PU CR OP
U "P2" [WEAK ] PU CR OP


INFO: Number of crack attempts = [4330017]
INFO: Elapsed time = [332.47 Seconds]
INFO: Cracks per second = [13020]

PL/SQL procedure successfully completed.

SQL>




The default is for the cracker to reveal passwords, so if you would like to run it in an environment where passwords should not be revealed then make the simple change above and run it.

I have quite a few more changes planned for the cracker, watch the Oracle database cracker download page for updates and new features to be added soon.

Two new blogs on Oracle internals

It's like buses in the UK: you wait for ages for one to arrive and nothing, then suddenly two come along at the same time. I have just added two new blogs to my Oracle blogs aggregator that are focused on Oracle internals. If like me you are interested in Oracle security then you should also be interested in Oracle internals. The two should go together hand-in-hand. Why? Well, details of how something works help you understand more detail, so that you can better understand how it may be broken or hacked and then obviously better understand how to fix it (read: secure it).

The first blog is Dennis Yurichev's, who is a reverser and a security researcher. There are some interesting posts, particularly the dumps from the Oracle binaries that show "probable" function calling sequences in the Oracle library. Useful if you want to see some sort of hierarchy or match to a trace created with a tool such as truss or strace. I have known Dennis a long time via email so it is nice to see him start a blog.

The second blog is that of Miladin Modrakovic, whom I have also known via the net for a long time due to him asking me to publish some of his papers on my site around direct SGA attaches and also oradebug use. The links and papers are in his new blog posts so have a browse.

Both blogs have a slightly different focus but both are firmly around internals; along with Tanel's blog we now have the promise of some great internals info.

Happy Belated 4th Birthday to my blog

Well, it is slightly late BUT I have been blogging (almost exclusively) about Oracle security for 4 years now, the longest running blog dedicated just to Oracle security. I started this blog on 20th September 2004 and it has been a sort of tradition to create a summary post on the blog's birthday about how it is doing. My first anniversary post, titled "Happy first birthday to my Oracle security blog!", included a bit of detail around why I wanted to post about Oracle security, what I planned to cover and also the fact that it had not actually been a problem to find things to write about in a subject that even I thought at the start may not have enough topics to cover. I managed 560 posts in the first year. Interestingly my stats had gone from 10,000 visits per month to 64,000 in one year. Also I was getting around 0.5 million visits in a year.

The second anniversary was covered by a post titled "Two years of Oracle Security blogging and still going strong"; I had dropped off on the number of posts but I was still going strong. I now had around 1.2 million visits a year and I included details of some highlights.

Last year's anniversary is covered in a post titled "September 2007 - 3 years of Oracle security blogging" and this marked another slowdown in the number of posts, down to 220 in the year, with visits up to 1.5 million and now around 4 million page views a year.

Well, that brings us to this year's anniversary; wow, the year has passed by so fast. I have again lowered the number of posts made in the year, down to 109. As I said at the beginning of last year, one of my highlights was re-starting PeteFinnigan.com Limited - well, not re-starting as such but being re-employed and running it again. This has been my focus for the last year and will continue to be so. I have really enjoyed the work, the research, the training classes I have taught, all of the presentations I have given and the indulgence of learning more about securing data. It has been hard work and I seem to have been busy almost all of the time. There was even a post on my forum some time back where someone suggested Oracle security was now good enough because the likes of me, David and Alex write less now. In my case (and I know the others) this is not because Oracle security is now good enough but because I have been so busy helping people secure Oracle.

OK, stats: the number of visits has grown to around 1.6 million a year and page views to around 4.3 million a year. So not bad; not growing as fast, but growing nonetheless.

The slowdown I have had in terms of numbers of posts has not been due to a lack of material; I still believe that there is plenty to talk about around Oracle security. In fact the pool of knowledge is growing rapidly, which is good of course. The slowdown for me is that I have been very busy, and still am. I would like to have more time for research, pure research rather than improving my tools, writing more papers and presentations, but to dig deeper into some new area and add more value to the whole area of Oracle security.

I am going to try and beef up the number of posts but cannot promise. I have also re-started my Oracle Security newsletter recently; a new one is coming in the next few days, I have started to write it! OK, one more year over, let's have a good year coming up securing our Oracle databases.