Protecting Oracle Databases
Aaron Newman, Application Security, Inc.
For the latest version of the presentation: oracle_security.ppt
Agenda
- Introduction
- Listener vulnerabilities
- Oracle and firewalls
- Protecting Oracle behind a web server
  – SQL injection demo
- Database vulnerabilities
- Resources, conclusion and wrap-up
What we will not be covering
- FUD (fear, uncertainty and doubt)
  – The problems exist, and they will not be fixed tomorrow
  – But we must start plugging these holes now
- Securing the operating system in general (only the Oracle-specific OS issues are covered later)
Database security: why do I care?
- Database assets are valuable: the crown jewels
- A compromised database is a springboard into the rest of your network
- Easy targets: database security is not as robust as OS security
- Connected, and often open, to the Internet
Types of vulnerabilities
- Vendor bugs
- Poor vendor architecture
  – e.g. weak encryption
- Misconfiguration
  – e.g. REMOTE_OS_AUTHENT = TRUE, which trusts the OS username the remote client claims to have
- Incorrect usage
  – SQL injection
  – Dynamic PL/SQL injection
Listener vulnerabilities
- What is the listener?
  – Proxy between the client and the database
- Why is it important?
  – Its authentication and auditing are separate from the database's own
  – Runs as a separate process
  – Accepts commands and performs tasks outside the database
- Issues with the listener service
  – Known issues and vulnerabilities
Security issues with the listener service
- Few people know that the listener process needs a password (it has none by default)
- Setting the password is not simple
- Vulnerable to brute-forcing
- The password is stored insecurely
Listener commands
What are the commands? Output of lsnrctl help:
  LSNRCTL for 32-bit Windows: Version Production on 04-JUN :42:14
  (c) Copyright 1998 Oracle Corporation. All rights reserved.
  Welcome to LSNRCTL, type "help" for information.
  LSNRCTL> help
  The following operations are available
  An asterisk (*) denotes a modifier or extended command:
    start  stop  status  services  version  reload  save_config  trace
    dbsnmp_start  dbsnmp_stop  dbsnmp_status  change_password  quit  exit
    set*  show*
  set/show parameters:
    password  rawmode  displaymode  trc_file  trc_directory  trc_level
    log_file  log_directory  log_status  current_listener  connect_timeout
    startup_waittime  use_plugandplay  save_config_on_stop
Known listener vulnerabilities
- Sniffing listener passwords off the network
- Appending to or creating a file through the listener log (set log_directory and log_file, then log the payload)
  – .rhosts: log "+ +"
  – .profile: log "rm *"
- Leaking commands
  – Faking the command size
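Added example, not from the deck: a small Python audit that reads a listener.ora and reports, for each listener defined in it, whether PASSWORDS_<name> is set and whether ADMIN_RESTRICTIONS_<name> = ON. The password closes the no-password problem on the previous slide; ADMIN_RESTRICTIONS makes the listener refuse runtime set commands (log_file, log_directory, trc_*), which is exactly what the .rhosts and .profile tricks above rely on. The listener.ora text, the listener names and the password value in it are constructed for the demo.

```python
"""Audit listener.ora for the two settings that blunt remote lsnrctl abuse.

Added example, not part of the original deck. For every listener defined in
the file it reports whether a password is set (PASSWORDS_<name>) and whether
runtime reconfiguration is refused (ADMIN_RESTRICTIONS_<name> = ON). Without
the latter, anyone who can reach the port can "set log_file" and append to
.rhosts or .profile. The listener.ora text, listener names and password
value below are constructed for the demo.
"""
import re

# Constructed sample: LISTENER is wide open, LSNR_SECURE has both controls.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1521))
    )
  )

LSNR_SECURE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db1)(PORT = 1526))
    )
  )
PASSWORDS_LSNR_SECURE = (1A2B3C4D5E6F7A8B)
ADMIN_RESTRICTIONS_LSNR_SECURE = ON
LOG_DIRECTORY_LSNR_SECURE = /u01/app/oracle/network/log
"""

# A top-level parameter starts in column 0; its value runs up to the next
# top-level parameter (continuation lines of a value are indented).
_ENTRY = re.compile(
    r"^([A-Za-z0-9_]+)\s*=\s*(.*?)(?=^[A-Za-z0-9_]+\s*=|\Z)",
    re.MULTILINE | re.DOTALL,
)


def parse_listener_ora(text):
    """Return {PARAMETER: value} for every top-level entry in the file."""
    return {name.upper(): value.strip() for name, value in _ENTRY.findall(text)}


def audit_listeners(text):
    """Return {listener_name: [findings]}; an empty list means both controls are set."""
    params = parse_listener_ora(text)
    # A listener is any top-level entry whose value carries an ADDRESS to listen on.
    listeners = [name for name, value in params.items() if "(ADDRESS" in value.upper()]
    report = {}
    for name in listeners:
        findings = []
        if not params.get("PASSWORDS_%s" % name):
            findings.append(
                "no PASSWORDS_%s: remote lsnrctl stop/set commands need no credential" % name)
        admin = params.get("ADMIN_RESTRICTIONS_%s" % name, "OFF").strip("() ").upper()
        if admin != "ON":
            findings.append(
                "ADMIN_RESTRICTIONS_%s is not ON: a runtime 'set log_file' is accepted" % name)
        report[name] = findings
    return report


if __name__ == "__main__":
    for listener, findings in audit_listeners(SAMPLE_LISTENER_ORA).items():
        print(listener, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The PASSWORDS_ value is what lsnrctl change_password followed by save_config writes (a hash); a value typed into the file by hand is stored in clear text, which is the "stored insecurely" point. With ADMIN_RESTRICTIONS on, changes have to be made in listener.ora and picked up with lsnrctl reload, so the log-file redirection needs write access to the file rather than just network reach.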
Stealing listener commands
- Typical command
  – .T , : (CONNECT_DATA=.)
- Declare a 40-byte packet but send only 15 bytes: the error reply echoes the declared length, so the extra bytes come from the listener's own buffer (note the "ervices" left over from a previous services command):
  – "...(DESCRIPTION=(ERR=1153)(VSNNUM= )(ERROR_STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=.)ervices))CONNECT'))(ERROR=(CODE=303)(EMFI=1))))"
- Up the lie to 200 bytes and the previous client's whole connect string comes back, SID, program, host and user included:
  – _STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=.)ervices))CONNECT_DATA=(SID=orcl)(global_dbname=test.com)(CID=(PROGRAM=C:\Oracle\bin\sqlplus.exe)(HOST=anewman)(USER=aaron))'))(ERROR=(CODE=303)(EMFI=1))))
Buffer overflows in the listener
- Sending 1 kilobyte of data in the connection string crashed the listener
- Sending more than 4 kilobytes in the connection string caused a core dump
- A problem in the structured-exception handler lets an attacker execute code
Oracle and firewalls
- Tunneling Oracle through a firewall
  – Pros and cons
- Probing Oracle through a firewall
  – Tips and tricks
  – Protecting against these attacks
Oracle through a firewall
- Why is passing Oracle through a firewall so hard?
  – Ports are redirected: the client connects to the listener port and is then handed off to a different, dynamically chosen port
- We highly recommend you DO NOT allow connections from the Internet
- Still, we get countless requests for tunneling traffic
Reasons not to allow tunneling
- The network protocols are immature
  – Getting a lot better, but still years behind the OS
- Brute-forcing of accounts
- Lots of default accounts
How to tunnel Oracle (if you have to do it)
- Enable Oracle proxying through the firewall
- Use Connection Manager
- Disable port redirection
  – USE_SHARED_SOCKET on Windows NT (a registry setting)
  – MTS, with the dispatchers bound to a specific port
  – SERVER=DEDICATED in the CONNECT_DATA of the tnsnames.ora entry
- Tunnel through SSH; see the dbaspecialist website
Probing Oracle through a firewall
- SYN scans
- FIN scans
  – A stateful firewall should handle these
- Scanning the DMZ using ICMP
  – See Ofir Arkin's paper from the Sys-security group
- Don't install the Oracle HTTP Server with the database if you don't need it
Attacking through a web server
- The most common way of providing access to the database is through a web application
- SQL injection
  – Not an Oracle vulnerability: a web programming problem
- Simplest way to verify
  – Put a single quote in the input fields and look for an ODBC or ORA- error in the response
How does it work?
Modify the query. Change:
  – SELECT * FROM my_table WHERE column_x = '1'
to:
  – SELECT * FROM my_table WHERE column_x = '1' UNION SELECT password FROM DBA_USERS WHERE 'q'='q'
The attacker types 1' UNION SELECT password FROM DBA_USERS WHERE 'q'='q into the field; the application itself supplies the closing quote, which is what the trailing 'q'='q is there to absorb.
Example web page (a Java servlet; the slide title called it an ASP page)
  package myservlets;
  // inside the servlet's request handler, with an open java.sql.Connection conn
  String sql = "SELECT * FROM WebUsers WHERE Username='"
      + request.getParameter("username")
      + "' AND Password='" + request.getParameter("password") + "'";
  PreparedStatement stmt = conn.prepareStatement(sql); // "prepared", but the user input is already part of the text
  ResultSet rs = stmt.executeQuery();

Valid input
If I set the username and password to:
  – Bob
  – Hardtoguesspassword
the SQL statement is:
  – SELECT * FROM WebUsers WHERE Username='Bob' AND Password='Hardtoguesspassword'

Hacker input
Instead enter as the password:
  – Aa' OR 'A'='A
The SQL statement now becomes:
  – SELECT * FROM WebUsers WHERE Username='Bob' AND Password='Aa' OR 'A'='A'
AND binds tighter than OR, so the WHERE clause reads (Username='Bob' AND Password='Aa') OR ('A'='A'): every row matches, and the attacker is logged in as the first user returned without knowing any password. The username does not even have to exist.
Selecting from other tables
- To read data from a table other than the one the page queries, UNION the statement with a SELECT from the DBA_USERS view
- The UNION must return the same number of columns, of compatible types, as the page's own SELECT (an attacker pads with NULLs until the error goes away)
- DBA_USERS is readable only with DBA-level privileges; if the web application's account lacks them, ALL_USERS (readable by PUBLIC) still gives up every account name
Sample ASP page
  Dim sql
  sql = "SELECT * FROM PRODUCT WHERE ProductName='" & product_name & "'"
  Set rs = Conn.Execute(sql)
  ' return the rows to the browser

Valid input
Set product_name to:
  – DVD Player
The SQL statement is now:
  – SELECT * FROM PRODUCT WHERE ProductName='DVD Player'

Hacker input
Set product_name to:
  – test' UNION select username, password from dba_users where 'a' = 'a
The SQL statement is now:
  – SELECT * FROM PRODUCT WHERE ProductName='test' UNION select username, password from dba_users where 'a'='a'
No product is named test, so the page renders only the UNIONed rows: every username and password hash.
Preventing SQL injection
- Validate user input
  – Double every single quote in string fields ('' is SQL's escaped quote); this protects only quoted string contexts, not numeric parameters
- Use the data-access object's parameters to pass values
  – Bind variables: the statement text is fixed and the input is sent separately, so the input can never change the query
SQL injection demo
- ASP page on an IIS web server
- Oracle database
Database security issues
- sqlnet.log
- Popular Oracle security issues
- PL/SQL vulnerabilities
  – Examples
- Host operating system
  – Known issues
- Installing Oracle
  – Lockdown
- Protection procedures
sqlnet.log
- The file is created in the client's working directory when a connection attempt from that machine fails
- It gives away too much information: username, IP address, date and time, etc.
- We have seen it many times under the document root of public web sites
Popular Oracle security issues
- Biggest issue: default passwords!
  – SYS, SYSTEM, DBSNMP, OUTLN, MDSYS, SCOTT
- Password management features are not enabled
  – No account lockout by default
  – No password expiration by default
- PUBLIC can read the ALL_USERS view, so every account name can be enumerated
PL/SQL vulnerabilities
- The problem is dynamic SQL
  – EXECUTE IMMEDIATE
  – DBMS_SQL
- It is dangerous to let the user pass parameters that are concatenated into the SQL text before it is parsed
Dynamic SQL example
  CREATE OR REPLACE PROCEDURE BAD_CODING_EXAMPLE (NEW_PASSWORD VARCHAR2) AS
    -- The slide leaves these to "DO SOME WORK HERE"; the values are the ones its output shows
    TABLE_NAME        VARCHAR2(30) := 'APPLICATION_USERS';
    COLUMN_NAME       VARCHAR2(30) := 'PASSWORD';
    CURRENT_USER_NAME VARCHAR2(30) := 'aaron';
  BEGIN
    -- DO SOME WORK HERE
    -- NEW_PASSWORD is spliced into the statement text, so it can carry SQL
    EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' || COLUMN_NAME
                   || ' = ''' || NEW_PASSWORD || ''' WHERE USERNAME = '''
                   || CURRENT_USER_NAME || '''';
  END BAD_CODING_EXAMPLE;
  /

Valid input
Input:
  – EXEC BAD_CODING_EXAMPLE('testabc');
SQL created:
  – UPDATE APPLICATION_USERS SET PASSWORD = 'testabc' WHERE USERNAME = 'aaron'

Hacker input
Input:
  – EXEC BAD_CODING_EXAMPLE('testabc'', ADMIN=1, FULL_NAME=''TEST');
  (the doubled quotes are PL/SQL's escape, so the parameter value is testabc', ADMIN=1, FULL_NAME='TEST)
SQL created:
  – UPDATE APPLICATION_USERS SET PASSWORD = 'testabc', ADMIN=1, FULL_NAME='TEST' WHERE USERNAME = 'aaron'
The caller has set columns the procedure never meant to expose, here granting themselves ADMIN.
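Added example, not code from the deck: the three injections from the web-page slides (login bypass, UNION read of DBA_USERS) and from the dynamic SQL example (extra SET assignments) replayed side by side against concatenated SQL and against bind variables. It runs against an in-memory sqlite3 database as a stand-in for Oracle; the table and column names follow the slides, while the rows, the PRODUCT price column and the two-column dba_users stand-in table are constructed for the demo.

```python
"""SQL injection from the deck's web and PL/SQL examples, replayed against an
in-memory sqlite3 database as a stand-in for Oracle.

Added example, not code from the original deck. Table and column names follow
the slides; the rows, the Price column and the dba_users stand-in table are
constructed. Each *_concat function builds SQL by string concatenation exactly
as the slides do; each *_bound function is the fix from the "Preventing SQL
Injection" slide (bind variables: "?" placeholders in sqlite3, :1 in Oracle).
"""
import sqlite3


def setup():
    """Create the constructed schema and seed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE WebUsers (Username TEXT, Password TEXT);
        INSERT INTO WebUsers VALUES ('Bob', 'Hardtoguesspassword');
        -- Two columns so the two-column UNION below lines up, as the slide assumes.
        CREATE TABLE PRODUCT (ProductName TEXT, Price TEXT);
        INSERT INTO PRODUCT VALUES ('DVD Player', '199');
        -- Stand-in for Oracle's DBA_USERS view; the hash values are placeholders.
        CREATE TABLE dba_users (username TEXT, password TEXT);
        INSERT INTO dba_users VALUES ('SYS', 'hash-of-sys'), ('SYSTEM', 'hash-of-system');
        -- Table updated by the deck's BAD_CODING_EXAMPLE procedure.
        CREATE TABLE APPLICATION_USERS
            (USERNAME TEXT, PASSWORD TEXT, ADMIN INTEGER, FULL_NAME TEXT);
        INSERT INTO APPLICATION_USERS VALUES ('aaron', 'oldpw', 0, 'Aaron');
    """)
    return db


# --- "Example web page": login check --------------------------------------

def login_concat(db, username, password):
    sql = ("SELECT * FROM WebUsers WHERE Username='" + username
           + "' AND Password='" + password + "'")
    return db.execute(sql).fetchall()


def login_bound(db, username, password):
    sql = "SELECT * FROM WebUsers WHERE Username=? AND Password=?"
    return db.execute(sql, (username, password)).fetchall()


# --- "Sample ASP page": product lookup, UNION to read other tables ---------

def product_concat(db, product_name):
    sql = "SELECT * FROM PRODUCT WHERE ProductName='" + product_name + "'"
    return db.execute(sql).fetchall()


def product_bound(db, product_name):
    return db.execute("SELECT * FROM PRODUCT WHERE ProductName=?",
                      (product_name,)).fetchall()


# --- "Dynamic SQL Example": EXECUTE IMMEDIATE on a concatenated string -----

def set_password_concat(db, new_password, current_user="aaron"):
    sql = ("UPDATE APPLICATION_USERS SET PASSWORD = '" + new_password
           + "' WHERE USERNAME = '" + current_user + "'")
    db.execute(sql)
    return _user_row(db, current_user)


def set_password_bound(db, new_password, current_user="aaron"):
    # PL/SQL equivalent:
    #   EXECUTE IMMEDIATE 'UPDATE APPLICATION_USERS SET PASSWORD = :1
    #                      WHERE USERNAME = :2' USING new_password, current_user;
    db.execute("UPDATE APPLICATION_USERS SET PASSWORD = ? WHERE USERNAME = ?",
               (new_password, current_user))
    return _user_row(db, current_user)


def _user_row(db, username):
    return db.execute("SELECT PASSWORD, ADMIN, FULL_NAME FROM APPLICATION_USERS "
                      "WHERE USERNAME = ?", (username,)).fetchone()


# Attacker inputs taken verbatim from the slides.
LOGIN_BYPASS = "Aa' OR 'A'='A"
UNION_READ = "test' UNION select username, password from dba_users where 'a' = 'a"
EXTRA_ASSIGNMENTS = "testabc', ADMIN=1, FULL_NAME='TEST"


def demo():
    """Run every attack against both versions; returns the observations."""
    db = setup()
    return {
        "bypass_concat": len(login_concat(db, "Bob", LOGIN_BYPASS)),  # 1 row: logged in
        "bypass_bound": len(login_bound(db, "Bob", LOGIN_BYPASS)),    # 0 rows: rejected
        "union_concat": sorted(product_concat(db, UNION_READ)),       # the dba_users rows
        "union_bound": product_bound(db, UNION_READ),                 # []
        "update_concat": set_password_concat(db, EXTRA_ASSIGNMENTS),  # ('testabc', 1, 'TEST')
        "update_bound": set_password_bound(setup(), EXTRA_ASSIGNMENTS),  # whole string stored as the password
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

In the bound versions the attacker's text lands in the column as an ordinary value (the "password" becomes the literal string testabc', ADMIN=1, FULL_NAME='TEST), which is exactly the property the slide's quote-doubling approach only approximates: doubling quotes is not enough when the parameter is numeric or is used as a table or column name, as TABLE_NAME and COLUMN_NAME are in BAD_CODING_EXAMPLE.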
Getting to the operating system
- Oracle on NT typically runs as LocalSystem
  – Holds the "act as part of the operating system" privilege
- Oracle on Unix runs as the oracle user
  – Has access to all Oracle files
- Packages that reach the OS from SQL: UTL_FILE, UTL_HTTP, loading external libraries
On the operating system
- Oracle ships many setuid files
- oratclsh was setuid root
  – The TCL debugger
  – Allowed you to run any script as root
  – Remove the setuid bit immediately, even if you are not using it
Other setuid files
- There were many until Oracle8i release 2
  – cmctl, tnslsnr, etc.
- A very important one: oracle
  – The main database engine
  – Relies on the ORACLE_HOME environment variable to find the password file (orapwSID on Unix, pwdSID.ora on Windows)
  – So a user who controls ORACLE_HOME can bring up a rogue database under the setuid binary
Installing Oracle
- The installer trusts the /tmp directory
- If a file is created there before the installer writes it, the installer overwrites the contents but the file keeps its original ownership and permissions
- This allows backdoors to be injected into the installation
Lock down the operating system
- Lock all users out of the OS during installation
- Point TMP_DIR at a secured directory
- Lock down ORACLE_HOME permissions
- Remove setuid from all files (the oracle binary needs it only if OS users other than oracle connect locally)
- Rename the Unix oracle account
How to combat hackers
- Stop the hackers at your network perimeters
- Stay patched
  – oracle-ftp.oracle.com/server/patchsets
- Security alerts:
  –
- Security discussion board:
  –
AppDetective for Oracle
- Security tool
  – Scans your network and locates all databases
  – Inventories the versions and releases of components
  – Probes databases for the problems described here
  – Facilitates fixing these problems
- Download a free 30-day evaluation from

DbEncrypt for Oracle
- Provides transparent encryption of data in columns
- Provides over a dozen algorithms to select from
  – AES, DES, Triple DES, etc.
- Optimized so as not to affect performance
- Reduces the time required to implement encryption from months to minutes
- Download a free 30-day evaluation from
Questions?
About:
- Oracle security features
- Vulnerabilities
- Protecting your database
If you have questions later, e-mail me at: