Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

More detailed analysis of the new Oracle worm

This new variant of the Oracle voyager worm is written in PL/SQL and utilises some of the key built in packages that people like me always tell people to revoke access from PUBLIC from such as UTL_HTTP, UTL_TCP and UTL_SMTP. This is good advice, believe me!

The worm was posted to the Full Disclosure list on 29th December by someone called "kwbbwi at findnot.com". Aaron Newman of Application Security Inc altered myself and Alex to this. Alex has posted a note about it in my Oracle security forum in a post titled "New / Modified Oracle Worm" where he has announced that he has done some initial analysis of the new worm. His page is titled "Oracle Worm Voyager - Analysis of the Proof of concept code" - the worm does these basic steps:

Grant DBA to PUBLIC

create a database login trigger and in it if a random value equals 32 then send a google search request that appears to request the source code from the first site in the search request. If it ran the HTTP request it then appears to install a copy of itself and do it all again. As I said in my last post and also found by Alex this is blocked by Google as a virus. Google are taking this new worm seriously.

It then sends an email to Larry@oracle.com using UTL_SMTP containing all of the password hashes in the database

It then modifies the listener.log to add the command ALTER USER MDYS IDENTIFIED BY MDSYS to the glogin.sql file which is run on the server when SQL*Plus is started on the server.

it creates database links to all the databases it can find on the same network and then guesses passwords

Then it stops the listener using UTL_TCP and techniques learned from tnscmd initially.

This is a much more dangerous version of the Oracle worm but still does not seem to have a replication mechanism that copies the code to another database from the one that it is installed in. What it does do that is worse is potentially email hashes, grant DBA to PUBLIC, create a backdoor with MDSYS and potentially spam Google and download the source and then potentially do it again and again. The probability for this is extremely low though.

This worm has shown how it is possible to download dynamic PL/SQL and load it into the database - this is a bad sign. It also shows more malicious tendencies such as backdoors, privilege escalation, finding more databases, Denial of Service with stopping the listener.

Still a proof of concept in my opinion but more dangerous. I wonder how many people will download and install it and try it, either as a learning exercise or maliciously on employers databases! - now is the time to audit your databases for security issues and harden them.

A new variant of the Oracle Voyager worm is in the wild

Thanks to Aaron Newman of Application Security Inc for emailing myself and Alex to let us know about the new variant of the Oracle voyager worm that has been released to the wild. An anonymous poster has posted a new version of the original code to the Full Disclosure list in a post titled "Oracle - by kwbbwi - Utility to backup you Oracle Password Hashes". I have not looked in detail yet at what it does as I have just seen Aarons email. I have skimmed through and it starts by using the CTXSYS.DRILOAD bug to grant DBA to public!, not good. It has a google search string at the top that looks like it is installing a logon trigger that executes a google query that redirects to a “feeling lucky” site. I just tried the URL and search using IE and it gave me a google error that says (Probably not bright to try it manually but it looks like it should not cause any damage as a search string on its own):

"We're sorry...
... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected."


It goes on to suggest that my connection will be restored and to use a spyware and virus checker. The PL/SQL virus at first sight looks like it has had an effect on the web already and that Google is recognising the HTTP request as a virus. There is no indication if this thing is in the wild or if Google have just been prudent.

I will have a better look through the code in a minute.

Metacoretex has been hacked

I just surfed over to http://www.metacoretex.com/ - (broken link) Metacoretex which is a site that hosts a database security scanner that covers Oracle. I was going to download a new copy and see if it ha dimproved. i notice that the site has been hacked. It looks like this now:


Saudia_HaCker w4s here WHACKERZ RULEZ
ADONewConnection: Unable to load database driver ''


Fatal error: Call to a member function on a non-object in /home/www/www.metacoretex.com/includes/pnAPI.php on line 489


If anyone knows who runs this site, maybe they can let them know that they have been hacked?

Spammers again...

Just out of interest I was surfing and saw that Nicholas Goodman has also had troubles with spammers. I read his post http://www.bayontechnologies.com/bt/blog/archives/2005/12/comments_off.php - (broken link) COMMENTS OFF... with interest and dismay for him.

David Knox on secure application roles

I came across an article on DBAZine a few days ago and made a note to talk about it here. It looks like it was added earlier this year. The paper is titled "Managing Privileges with Secure Application Roles" and is an excellent introduction to this technique. The paper includes some good examples and covers the subject very well. David is the author of Effective Oracle Database 10g Security by Design, which is also an excellent book. I have been re-reading this book recently myself.

State of the nation: referral spam, comments, content management, dedicated hosting and more

Well it has been a few days since I have written in this blog, Christmas has been in the way and some other issues I will come to in a minute. I did actually write this entry last night and then lost it..:-(. I have a USB 60 gig hard disk that I keep my back catalogue of useful info on. I had it plugged in to get at something, wrote most of this entry last evening and then went to have my evening meal. I did not have the laptop power supply plugged in and the USB disk flattened the battery. So when I came back to my laptop this post (the previous incarnation of it) had gone. This is the problem of writing posts in a text box on a HTML page. More of this later.

I was going to write an entry here two nights ago but had to spend most of Tuesday evening dealing with the ever burgeoning issue of referral spammers. I have written about referral and comment spammers here before in a couple of posts "Comments, spam and statistics spiders" and "Some Perl and problems with referral spammers" so won't go to town completely on this. Basically I have had two main phases of referral spammers recently. I won't go into comment spammers again as comments are off and I obviously don’t get that issue now. A couple of months ago I had trouble with some spammers using fixed IP addresses for ISP's in the states and sending 130,000 hits in a few days. That equated to a very low number of visits and the purpose was for him to send referral URL's that included links to the filth and drugs he was promoting. I managed in the end to stop him by getting the ISP to take notice but only when i enlisted the help of some other site owners being plagued by the same guy. Now more recently I have been plagued by spammer(s) using more convincing URL's in the referrer field but they are redirected to the same drug and filth sites. This time they are using a large amount of different IP Addresses and linking to large amounts of different sites. It’s becoming a problem.

Why do they do it? Two reasons, well, possibly three. either they want site owners to click on their links and visit and buy their rubbish. Or they are looking for back links and PR in Google - this is the most likely. Finally it does seem like some of these people are actually running a business by generating these referral requests for clients. Why do they do it? Because they can!. They look for sites that have statistics because statistics pages can include referrers and these count as links for these sites and it increases their google standing. The same applies to blogs that publish top referrer lists. Comments provide the same opportunities for these people. Why does it work? well check out this google search : "usage_200512.html", there are 59,700 results and just a quick look at a few of the links on the first page of results shows why they are successful. Lots of hits to stats pages and lots of links to filth.

I have tried to manage the problem for a long time now by sending them 403's but it makes no difference. The killer for me is that is that I don't publish statistic referrer logs, comments or even blog top referrers. I am included in this nonsense because these people just look for sites that use webalizer (in my case) and I assume other stats programs. They probably look for blogs as well for the same reason and then use scatter gun approach on everyone even if they don't publish any links. We all lose!

I finally decided to remove the webalizer stats pages the night before last. It is the only way in the end I guess. This now means that these people get a 404 but that doesn’t stop them, they are relentless. I guess it might stop come month end! lets see.

Whilst we are on the same subject it would be nice to deal with these at the firewall, most of the IP addresses they use are blacklisted. But my ISP doesn't allow me access to the firewall or to even use mod_rewrite which might present some good options!

I have been casually looking at dedicated or possibly virtual hosting as an option in the future. It costs a lot more but it would let me have access to the firewall and also to install what i need. It would also let me to think about using Oracle as a back end. i have looked at movable type and wordpress in the past as options to replace greymatter as I would like some of the features such as draft posts (that would have saved last nights version of this post), comment moderation. I could not run wordpress as it needs mod_rewrite to allow me to keep the same URL's. when Oracle XE came out I was thinking to create my own Content Management System (CMS) using HTMLDB or even the PL/SQL toolkit. I would need to wait until XE is non beta and also find time to write it (This is the killer) and also if it went on a dedicated host i have the problems of finding time to manage the hosting as well... maybe writing a CMS is not the option, maybe Wordpress or Movable Type are.... who knows at this stage, its all just thoughts. I was thinking that to create a CMS backed by Oracle but keep static pages, i.e. the CMS just manages the data and generates fixed HTML might not be that difficult. I could implement comments properly, draft posts, RSS and many more features but then again it would be better ti just use existing apps and use my time on Oracle Security subjects. A dedicated hosting deal might still be beneficial to be able to have more space and access to firewalls.. it’s expensive though….. Maybe someone will give me free dedicated hosting for Christmas.

I still need to fix up the site to work on all browsers, i have had a post in my forum "Menu links with different browsers" as my menus do not work correctly in Firefox. I would like to get some time to re-work the page layouts into CSS layers and not tables and fix the menus......

OK, back to Oracle security..:-)

A very happy christmas to everyone

I just want to wish everyone who reads my blog a very happy Christmas and hope that everyone has a relaxing time and gets lots of presents, nice food and good company..:-)

We are 2.5 hours away from Christmas here, well from midnight, our 3 year old boy is asleep in bed waiting for Santa to come and bring him some presents. I am sure he will not be dissappointed tomorrow when he wakes up.

Looks like we will not get a white Christmas here, well not until Tuesday anyway.

Seasons greetings to everyone!!

A nice paper on listener auditing

I found a very interesting paper this evening whilst I was looking for details on listener security. The paper is not recent, written in 2003 but is still very current for most issues with the listener. The paper is in a newsletter written by Don Granaman whom I had contact with a few times when he was involved with the CIS Oracle benchmark. This is a great paper that details most of the known security issues known about for the Oracle listener. It starts on page seven of a newsletter in an article titled http://www.houseofbrick.com/docs/Bricks_2003-07.pdf - (broken link) Securing the Oracle Listener. This is the title of the article on page 7 not the newsletter title. This is a very good article and well worth looking at.

standalone discoverer clients now sso compliant for E-Business Suite users

I saw a post by Abhinav Agarwal the today on orablogs and made a note to take a look. The post is titled "Standalone Discoverer 10g (10.1.2.0.2) clients now fully SSO compliant for E-Business Suite users". The post basically repeats an announcement by the applications technology group. The statement is repeated there in full and states the obvious, that standalone discoverer clients are now fully single sign on compliant for E-Business Suite users.

Mary Ann Davidson announces that Fortify software will be used to find security holes in Oracle software

I saw today that Mary Ann Davidson has announced that Fortify Software Inc's products will be used to check the database server software and middleware for potential security holes. I saw this is a post titled "Oracle Turns to Fortify to Secure Source Code". In this post Mary Ann says she has searched for years for a suitable tool to audit the Oracle software. There is a sting in the tail though as Fortify's software is not suitable for auditing large swathes of the Oracle product stack such as the application server, E-Business Suite, Peoplesoft and many more that are written in a variety of languages, presumably PL/SQL is one of these that are not supported. It sounds from this article that the C used for the server will be audited but PL/SQL not. As most of the recent SQL Injection issues and therefore security bugs are in PL/SQL packages this new tool is unlikely to make large inroads into the recent woes caused by these bugs.

Nice paper on database links

I saw Lewis Cunningham's post to his blog this evening titled http://blogs.ittoolbox.com/oracle/guide/archives/007023.asp?rss=1 - (broken link) An Expert's Guide to Oracle Technology and went for a look. This is a good paper that describes the difference between fixed user, connected user and concurrent user database links as well as between public, shared and global database links. It also talks about heterogeneous services and the two possible types of transparent gateways and generic connectivity. The paper then goes on to give some good examples.

This is a good paper and worth a read if you plan to use database links. Database links are of course a security concern as they are the route in and out of a database when it’s connected to another database. If a hacker wants to access a particular database but cannot he may find a way in via another database that has links to the one he would like to access. The biggest issue of database links until recently has been the fact that fixed links keep the password used in the dictionary is SYS.LINK$ in clear text. A better option in terms of not storing a password to another database in clear text is to use concurrent or connected user links. For me the biggest risk is the fact that links offer a way in and out of a database. Be careful with allocating privileges to allow users to create links and also review what links exist in your databases.

Some more thoughts on the weakness of Oracle database passwords

If you use a simple password with the Oracle database that uses just ASCII character and maybe some digits but is of a short length. This type of password is weak because it can be brute forced using a password cracker such as orabf. Similarly a password that is weak because it is a dictionary word can also be cracked using the same tool and a dictionary file. The common ways to increase the strength of an Oracle database password is to use a longer password that is so long that a brute force cracker cannot crack the password in a satisfactorily short time. Obviously another way t have a strong password is to not use a dictionary word. A further way to create harder to crack passwords is to use a bigger keyspace and to use more different character types from that keyspace. This allows you to have slightly shorter passwords as a brute force cracker would need to loop through a larger number of characters to test each possible password for a given password length. The sronger passwords should use the normal Oracle object naming conventions. i.e. use ASCII characters, digits and the special characters "_$#". Remember to only start the password with an ASCII character. This is not the best solution though; if the password is wrapped in quotes then the full keyspace can be used. This is what I talked about the other day. It has always been known that the characters for an Oracle password (and object name) are not case sensitive and therefore we always assumed that the total keyspace available would be 256 - 26 = 230. Then when i talked about this the other day we now know that this is not the case. The keyspace is much smaller because other characters are repeated. A post said that for 8i the keyspace is only 108 characters. There was an additional post titled "Re: Valid characters for Oracle passwords?..." by Laurent that shows a great experiment with an Uppercase c-cedille and how this is the same actual character as lower case c-cedille, Uppercase c-cedille and a lower case "g". Now today Jeff Kayser has made a great post on my Oracle security forum. He has detailed some tests on 10gR1 on Sun Solaris 8. he has found that only ASCII characters are acceptable, characters in the range 0 - 127. He finds that if you use other characters you get an ORA-01040 error. NULL and double quotes are not allowed. Therefore a possible 128 characters reduced to 126, then disallow the upper / lower case issue and you end up with 100 possible characters.

Jeff has created a small PL/SQL program that tests all the possible characters and shows for a one character password that his theory holds. As Jeff points out this may be platform specific and he also challenges others to find any more possible characters.

The bottom line is that there are still 100 possible characters for passwords that use the full keyspace so carefully chosen passwords can still be used that cannot be cracked but if people do not realise that the keyspace contains a lot of duplicates then passwords and only 100 possible characters, not 256 characters then a password that is thought to be strong may not actually be so strong. Be careful with password choices!

A new book "Cryptography in the Database: The Last Line of Defense"

I came across an interesting post by Lewis Cunningham yesterday titled http://blogs.ittoolbox.com/oracle/guide/archives/006952.asp?rss=1 - (broken link) Cryptography in the Database. This post talks about a new book called Cryptography in the Database : The Last Line of Defense. The book is by Kevin Kenan and although I have not seen it myself I have just ordered it from Amazon. You know me anything with database and something to do with security in the title..:-).

The book sounds very interesting and is database agnostic. The book according to Amazon also includes 3000 lines of example code. There are also some great reviews of it on Amazon. As Lewis points out there is a sample chapter on DMReview in a post titled "Managing the Cryptographic Project".

Looks interesting, thanks for the link Lewis.

securing apache with Oracle

I got an interesting post on my Oracle security forum yesterday from Ron who said he was having difficulty finding any information on how to install Apache with the Oracle database as a differnet user than the owner of the Oracle database software. The reason for doing so is for security reasons that if apache runs as a lower privileged user then even if it is exploited then the hacker does not gain access to the rest of the Oracle installation.

I have done this before and have written about it but could not lay my hands on where. I know that someone has told me that they had installed the oracle software doing a custom install and not choosing the httpd install then then restarted the OUI as a differnt user and simply just installed apache from the Oracle CD and it worked fine. I have not tested this method myself, maybe I will!. The way I did it was by creating a seperare apache user and group and, well doing what Roger Shrag describes in his paper http://www.dbspecialists.com/presentations/oracle920solaris.html - (broken link) Installing and Configuring Oracle9i on the Solaris Platform. This is a excellent paper. He tells how to create an apache user, how to install Oracle, then stop apache, change the ownership of the files and then restart apache as the new user.

Great paper and well worth reading.

The possible complexity level of Oracle database passwords is in question

I saw a very interesting post to my Oracle security forum yesterday titled "Re: Valid characters for Oracle passwords?...". In this post it was pointed out that accented characters when lower case or upper case actually generate the same database password. In other words they are not case sensitive. I have pointed out previously that the ASCII characters are not case sensitive so when a password is chosen from the complete keyspace the number of possible characters is reduced by 26 from 256 to 230. So reducing the possible number of passwords that could be created. When I saw the post above I failed to see the significance at first. Gary pointed out my mistake in another post where he did a simple check of characters that are not case sensitive. This Gary tells us means that there are 60 such characters, leaving only 196 unique characters. Then a further post shows that in 8i at least there are only 102 distinct characters available. Whilst this does not prevent anyone from choosing complex enough passwords with enough length from this available keyspace the fact is that if a password is short enough and the true keyspace is much lower then it affects the time need to brute force a password by a big factor.

Interesting testing!

Integration Promises Still Haunting Oracle

Integration Promises Still Haunting Oracle By Laurie Sullivan
TechWeb News:

"Oracle on Tuesday said it's pushing ahead on promises to deliver tighter integration among applications acquired in a buying spree during the past 12 months. The software maker has certified Oracle's PeopleSoft Enterprise applications with Oracle Fusion Middleware 10g Release 2 and introduced a middleware suite for PeopleSoft enterprise customers."

Read the complete article:- Integration Promises Still Haunting Oracle

Another free Perl script to check the listener log

I talked a few days ago about a free script that Ivan had posted to my Oracle security forum. On Monday David has posted another free Perl script in a thread titled "Re: Detecting brute forcing listener password" that can be used to monitor the listener log to check for TNS-01169 errors. The script has to be restarted if the log is rotated. You can define the interval between checks and also the number of errors as a threshold to trigger if an email is sent. This is a good simple script and very useful to check for attacks against the listener.

A useful perl script to check for listener password brute force attempts

The other day Ivan posted a useful script on a thread on my Oracle security forum. The thread is titled "Detecting brute forcing listener password" and in it Ivan describes and presents a simple Perl script that can be used to detect possible brute force attempts against the listener password. The script sits there spinning and every minute it checks for any new TNS-01169 error messages and emails the person set up as the alert recipient.

It’s not a bad first attempt at a brute force detector for the listener, as Ivan says it can be improved easily in many ways. Please feel free to improve it and let us all know on the same thread.

Arup's new book and some networking

I received Arup and Steven's new book Oracle PL/SQL for DBAs"> today through the post and have managed to spend around an hour skimming through it. The books does not dissapoint. It covers not a huge range of security topics but does cover some key subjects very well. My own angle is normally to look at how to audit a database for security issues and how then those issues found can be fixed. This book is all about using the technology to implement secure applications. I have skimmed ovr the encryption chapter and also the RLS chapter. This is a very well written book, I am looking forwards to reading it properly and slowly.

I have also spent some time today in town and bought a telephone extension kit and also a wireless router and a couple of wireless USB sticks. I have ADSL and an ADSL router already. This is downstairs at the moment and I have cat V cables running from its location upstairs to my office. The plan is to move the ADSL router upstairs, extend the phone line upstairs and to leave all my SUN, HP, Linux and Windows boxes hardwired with cat V networking and to then have the wireless router so that I can use my laptop downstairs when needed and still access the net. Its taken me sometime to decide to go the wireless route but I have to get rid of the networking cables from downstairs and keep all the routers, hubs, computers etc in my office. Wireless is a neat solution for this and as there are security concerns with wireless it will be secured behind its own firewall and also the wireless will be secured and it wont be on 24/7, in fact it will be on when needed only.

OK, xmas lights to wire up now!!

Good overview of SOA security

Just a quick post. I saw Antony Reynolds' blog post the other day http://www.orablogs.com/reynolds/archives/001549.html - (broken link) Securing an SOA Environment and made a note to have a look. This is a good high level account of some of the issues of SOA security and some of the options that Antony has looked at. Worth a read for a quick overview.

CIS Oracle security checklist referral

I saw a good post on the Life After Coffee blog that i follow from time to time as they sometimes have some good Oracle posts. This post by Jon titled http://www.lifeaftercoffee.com/2005/12/06/the-center-for-internet-security-oracle-security-benchmark/ - (broken link) The Center for Internet Security - Oracle Security Benchmark talks in detail about the center for internet security Oracle security checklist. It gives a good account of the list and other CIS documents. They are good and always worth another mention. The Version 1 of this document was very closely based on the book I wrote for SANS - there is a link to the right of this post. The SANS S.C.O.R.E. document which is another Oracle security checklist is also based on my book and compares nicely with the CIS. There are no details in the S.C.O.R.E. list, it is just that a very basic list but it covers mostly the same items. The V2 of the CIS benchmark has moved on a bit from the V1 and is now based more around the later versions of Oracle although quite a lot of the items in there are on the same basis. Good list, also a very good check tool is available with it. The lists are on my Oracle security white papers page in the checklists section and there is a link to the tool on my Oracle security tools page.

DBMS SIG conference today - A security focus

I have just returned home from the UKOUG DBMS SIG conference held today in Melton Mowbray. I was speaking about many ways to become a DBA. I also attended two other security oriented presentations. The first talk was by Chris Dunscombe of Christallize who talked about DIY Fine Grained System Privileges. This was a very interesting talk and covered some ideas I have been talking about also for years. Chris discussed a PL/SQL package that he developed for a previous client where he controlled access to wide ranging system privileges via a PL/SQL wrapper. The package was controlled by a table that held the rules of what system privileges can be used by which users and against which objects. The package can be run by a user and a check is made to ensure that the user can execute the necessary privilege. An example is the limitation to truncate certain tables by certain users through the package. To truncate a table in another schema requires the granting of DROP ANY TABLE. This package protects the database from a user being able to truncate any table. The same applies to other system privileges. I have suggested a similar method many times in the past. Grant a system privilege to a user then restrict its use via a PL/SQL wrapper and then allow others to use the PL/SQL wrapper.

I liked the idea of a framework in PL/SQL that is controlled by a parameter table to allow wide ranging privileges to be reigned in. Unfortunately Chris's package is not available publicly. If I get a chance I will look at writing a similar package and make it available via my tools page or if anyone else out there has a similar package already or would like to help write one let me know.

The second Oracle security talk I listened to was by Carl Dudley of the University of Wolverhampton talked about Transparent Data Encryption. This was an excellent talk about this new 10gR2 feature and explained its setup, use and some issues very well. Carl has been experimenting with different datatypes, changing keys and also he has looked in detail at data sizing on disk when different algorithms are used with and without salt. He has also experimented with using the datapump (10g fast export and import) and also RMAN with transparent data encryption. This was an excellent talk that gave a very thorough overview of TDE.

Laurent talks about restricting the power of RMAN

I saw Laurent Schneider's post yesterday titled "RECOVERY_CATALOG_OWNER" and read it with interest. I have been looking at a similar subject myself recently, the problem of limiting PUBLIC privileges. More later when i am ready to write up some results..:-). I saw that Laurent has revoked some privileges from a built in role, the RECOVERY_CATALOG_OWNER role. He was lucky and can do still what he needed. There are a couple of comments I would make about this. First don't revoke privileges from built in roles. Create your own role with the restricted privileges and then grant that to your users. Oracle has in the past granted too many privileges, or rather more than are needed for the job at hand. So revoking some can be done without issue BUT its hit and miss. If you revoke a privilege then check what objects have become invalid and who owns them, then grant back the relevant privileges. The whole area of limiting privileges from built in functions is haphazard and can cause issues if you do it. More later on this as its a big problem area for me..... Especially PUBLIC!

Oracle PL/SQL for DBA's

I came across Arup Nanda and Steven Feuerstein's book Oracle PL/SQL for DBAs the other day and made a note to first have a look on amazon and also to talk about it here. I have just ordered the book based on two things. The first is the Arup is a great author, I liked his writing style immensly in the Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes Oxley & The Gramm Leach Bliley Act GLB book. I bought and read that book when it came out and was impressed by the writing and the structure of the book. The second reason to buy the new book is that its also written by Steven who is also a great author and also a PL/SQL expert but mostly because there is a lot of Oracle security related topics in this new book. Arup and Steven cover all of the main security areas such as encryption, TDE, FGA and RLS. This should be a good practical book, I will let you know when it arrives and also I will let you know what i think of it when i have had time to have a proper look at it.

Bugs

I saw yesterday Eddie's post titled "Ten Worst Software Bugs" and went for a look with interest. Eddie has listed some of the supposed worst software bugs ever including the original real bug found in a relay in 1945 with a photo of the actual bug taped to a log. Why am I interested in this post? - Because security issues in Oracle fall into two broad camps. Actual bugs that are exploitable for security advantages i.e. an escalation or privileges and the second camp is the configuration issues such as allowing access to the data dictionary so that anyone can select password hashes and then crack passwords. This post by Eddie reminded me of the book Expert C Programming by Peter Van Der Linden that also includes a section about bugs in software. It included the same mariner bug that Eddie quoted. I liked this book very much, in fact this is in my view one the best C programming books I have ever read and I have read and actually own quite a lot of them over the years.

Oracle security checklist

I came across a blog entry on a blog called "Obsession with Oracle" this evening whilst looking for something else. The post is titled "Oracle Application Schema Checklist and Database Checklist". It refers to my checklist that I wrote for SANS called the S.C.O.R.E. checklist. This is a good security checklist and is always worth a revisit. The post interested me because it also includes a useful application schema checklist. It is a bit vague in places and perhaps I don't agree with it all BUT its a good idea to not just think about security parameters and configuration in isolation you should also think about the application and its schemas.

Some details of listener password exploits

Laurent Schneider has made an interesting post on his blog today titled "encrypted listener password" where he talks about the differences between 9i and 10g listener passwords. he talks about how he used grep to locate the encrypted listener password and then uses that with the old style set password command to authenticate to the listener and stop the listener. This is because a bug has existed for a long time in the listener whereby an encrypted password can be used as though it were a clear text one. This is a known bug and has been fixed (sorry canot remember the exact version where it was fixed). Laurent demonstrates that this method no longer works in 10g. He then talks about local authentication in 10g where you can log in locally and stop the listener. As he also points out Alex posted on my Oracle security forum that its possible to bypass local authentication and that a strong listener password should be set in 10g also and the undocumented LOCAL_OS_AUTHENTICATION listener parameter should be used to disable local authenticaton.

This is an interesting example of listener authentication woes. The local authentication in 10g is suseptible to attack and the previous 9i authentication is also weak. Use a strong password for the listener and protect the listener.ora file to ensure that the password hash is not leaked. Also set ADMIN_RESTRICTIONS on for all listeners. Ensure that listener traffic comes from known and trusted hosts and also use listener logging to enable any potential attack to be logged and audited. Use encrypted network traffic as well.

A sample package to manipulate LDAP

I saw with great interest Francois Degrelle's post titled "Handle the LDAP with the DBMS_LDAP package" where he presents some PL/SQL package code to insert, update and check existance of users in LDAP. He also presents some sample of calling from PL/SQL and also from Java. The code is also available for download. I have not installed an tried the code but it looks OK, using the LDAP packages are not as trivial as some of the shipped Oracle packages and examples are always worth their weight in gold.

Nice post about LOG ERRORS potential performance issue

I saw Mark's post this evening titled http://www.rittman.net/archives/001388.html - (broken link) Performance Issues with DML Error Logging and Conventional Path Inserts and read it with interest. The LOG ERRORS feature was added in 10g release 2 as a way to log error rows for most DML statements to a table called ERR$_{TABLE_NAME} in the background instead of the DML failing. I have not had a chance to look at this feature in detail yet but I have planned to do so as I see it as a useful feature for security in the area of auditing. When I first read about it i saw that it could have a use for critical tables to capture any error rows. In some few cases of SQL injection or malicious use of a database someone may be guessing structures of objects and attempting to update or insert data. This could be a useful way to correlate these types of actions. Anyway Marks post is quite useful and worth a read.

CPU July 2005 and CPU October 2005 have problems!!

Oracle has sent out an email to all of the people who have downloaded either the July CPU 2005 or the October CPU 2005 for Oracle 8.1.7.4 for Windows patches 21 and 23. A specific fix for a bug in OEM has not been applied. If you have not installed OEM then there is not an issue. If it is used then you need to download an interim patch 3570850. This fix will be included in 8.1.7.4 for Windows in patch 24.

A copy of the email is reproduced below:

"Dear Oracle Customer,

You are receiving this email because our records indicated you
downloaded Critical Patch Update July 2005 (CPUJul2005) or October 2005
(CPUOct2005) patches for Oracle Database version 8.1.7.4 Patch 21 (Patch
4437058) or Patch 23 (4554818) for the Windows platform.

Due to a patching error, a critical Windows specific fix related to
Oracle Enterprise Manager (OEM) is not included on the Windows patches.
If OEM was not installed, no action is required. If OEM was installed,
the 'Installed Products' option in the Oracle Universal Installer will
include "Oracle Enterprise Manager Products". In such case, to secure
your system from the vulnerabilities listed in CPUJul2005 and
CPUOct2005, please download and apply interim Patch 3570850, which can
be applied before or after Patch 21 or 23, and also 22. This critical
fix will be included in Oracle Database version 8.1.7.4 Patch 24.

Please accept our apologies for any inconvenience you may have
experienced, and we thank you for your patience and cooperation in
securing your Oracle server products.

Regards,
Oracle Global Product Support

P.S. Please do not reply to this email as this email account is not
monitored."

Pete Finnigan is back after a week away from blogging!

I have spent the longest time away from Oracle security blogging since I started doing it in almost one and a half years. We have been away on holidays for a week and no computer access. We spent some time relaxing and seeing the sites in Vienna and also meeting up with some old friends. I did manage to spend a little time on Oracle security as I took with me David Knox's book. I have read this book a couple of years ago when it came out but i decided to give it a re-read whilst away. I like to mark up books with pen and pencil comments especially when its something I am very interested in - I made quite a lot of comments in my copy of the book. I won't go into great detail here with my marked up comments as that would not be a fair appraisal of the book. To be honest the first time I read it I was less impressed than I was this time. I will give some more comments over the next few days as they relate to my current thinkings on a few areas of Oracle security that I am going to explore and try and work on...:-)

One point or example that I had forgotten about in this book is David’s short examples on revoking PUBLIC privileges. I liked these examples that explain quite well how to revoke PUBLIC privilegess from views and procedures/functions. I will go over these examples and expand in the next few days as I believe one of the big problems with Oracle installations is the PUBLIC privileges. If there were much less of these then a lot of the bugs/vulnerabilities found would be much much less significant.

more later.....