Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting Oracle Databases1 Aaron Newman Application Security, Inc.

Published byDarlene Barton Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting Oracle Databases1 Aaron Newman Application Security, Inc."— Presentation transcript:

1 www.AppSecInc.com Protecting Oracle Databases1 Aaron Newman anewman@appsecinc.com Application Security, Inc. www.appsecinc.com

2 www.AppSecInc.com Protecting Oracle Databases2 For the latest version of the presentation: http://www.appsecinc.com/presentations/ oracle_security.ppt

3 www.AppSecInc.com Protecting Oracle Databases3 Agenda Introduction Listener Vulnerabilities Oracle and Firewalls Protecting Oracle behind a Web Server –SQL Injection Demo Database Vulnerabilities Resources, Conclusion, and Wrap Up

4 www.AppSecInc.com Protecting Oracle Databases4 What we will not be covering FUD (fear, uncertainty, and doubt) –The problem exists but it won’t be fixed tomorrow –But we must start plugging these holes Securing the operating system

5 www.AppSecInc.com Protecting Oracle Databases5 Database Security - Why do I care? Database assets are valuable – crown jewels Used as a spring board into your network Easy targets –database security is not as robust as OS security Connected and open to the Internet

6 www.AppSecInc.com Protecting Oracle Databases6 Types of Vulnerabilities Vendor bugs Poor vendor architecture –i.e. weak encryption Misconfiguration –i.e. REMOTE_OS_AUTHENT = True Incorrect usage –SQL Injection –Dynamic PL/SQL Injection

7 www.AppSecInc.com Protecting Oracle Databases7 Listener Vulnerabilities What is the listener? –Proxy between the client and the database Why is it important? –Separate authentication and auditing –Runs as a separate process –Accepts commands and performs tasks outside the database Issues with the Listener Service –Known Issues and Vulnerabilities

8 www.AppSecInc.com Protecting Oracle Databases8 Security Issues with the Listener Service Few people know that the process needs a password Setting the password is not simple Vulnerable to brute-forcing Password is stored insecurely

9 www.AppSecInc.com Protecting Oracle Databases9 Listener Commands What are the commands –LSNRCTL for 32-bit Windows: Version 8.1.7.0.0 - Production on 04-JUN-2001 10:42:14 (c) Copyright 1998 Oracle Corporation. All rights reserved. Welcome to LSNRCTL, type "help" for information. LSNRCTL> help The following operations are available An asterisk (*) denotes a modifier or extended command: start stop status services version reload save_config trace dbsnmp_start dbsnmp_stop dbsnmp_status change_password quit exit set* show* password rawmode displaymode trc_file trc_directory trc_level log_file log_directory log_status current_listener connect_timeout startup_waittime use_plugandplay save_config_on_stop

10 www.AppSecInc.com Protecting Oracle Databases10 Known Listener Vulnerabilities Sniffing listener passwords Appending\creating a file using logging –.rhost – “+ +” –.profile – “rm *” Leaking commands –Faking the command size

11 www.AppSecInc.com Protecting Oracle Databases11 Stealing Listener Commands Typical command –.T.......6.,...............:................4.............(CONNECT_DATA=.) Use 40 bytes buffer to send 15 bytes –......."...(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR_STACK= (ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=.)ervices))CON NECT'))(ERROR=(CODE=3 03)(EMFI=1)))) Up the lie and use 200 bytes –........"..>.H.......@(DESCRIPTION=(ERR=1153)(VSNNUM=135290880)(ERROR _STACK=(ERROR=(CODE=1153)(EMFI=4)(ARGS='(CONNECT_DATA=.)ervi ces))CONNECT_DATA=(SID=orcl)(global_dbname=test.com)(CID=(PROGRAM =C:\Oracle\bin\sqlplus.exe)(HOST=anewman)(USER=aaron))')) (ERROR=(CODE=303)(EMFI=1))))

12 www.AppSecInc.com Protecting Oracle Databases12 Buffer Overflows in Listener Sending 1 kilobyte of data in the connection string caused crash Sending more than 4 kilobytes in the connection string caused core dump Problem in structured-exception handler allows hacker to execute code

13 www.AppSecInc.com Protecting Oracle Databases13 Oracle and Firewalls Tunneling Oracle through a firewall –Pros and Cons Probing Oracle through a firewall –Tips and Tricks –Protecting against these attacks

14 www.AppSecInc.com Protecting Oracle Databases14 Oracle Through a Firewall Why is tunneling through a firewall so hard –Ports are redirected We highly recommend you DO NOT allow connections from the Internet Still, we get countless requests for tunneling traffic

15 www.AppSecInc.com Protecting Oracle Databases15 Reasons to not allow tunneling! Network protocols are immature –Getting a lot better but still years behind OS Brute-forcing Lots of default accounts

16 www.AppSecInc.com Protecting Oracle Databases16 How to Tunnel Oracle (if you had to do it) Enable Oracle proxying through firewall Use Connection Manager Disable Port Redirection –USE_SHARED_SOCKET on Windows NT –MTS to redirect connections to specific port –SERVER=DEDICATED in tnsnames.ora file Tunnel through SSH – see dbaspecialist website

17 www.AppSecInc.com Protecting Oracle Databases17 Probing Oracle through a Firewall SYN scans FIN scans –Stateful firewalls should handle Scanning the DMZ using ICMP –see Ofir Arkin’s paper from Sys-security group Don’t install the Oracle HTTP Web Server with the database if you don’t need it

18 www.AppSecInc.com Protecting Oracle Databases18 Attacking through a Web server Most common method of providing access is through a web server application SQL Injection –Not a Oracle vulnerability –a web programming problem Simplest way to verify –Put a single quote in fields –look for ODBC error

19 www.AppSecInc.com Protecting Oracle Databases19 How does it work? Modify the query Change: –Select * from my_table where column_x = ‘1’ To: –Select * from my_table where column_x = ‘1’ UNION select password from DBA_USERS where ‘q’=‘q’

20 www.AppSecInc.com Protecting Oracle Databases20 Example ASP page Package myseverlets; String sql = new String(“SELECT * FROM WebUsers WHERE Username=’” + request.getParameter(“username”) + “’ AND Password=’” + request.getParameter(“password”) + “’” stmt = Conn.prepareStatement(sql) Rs = stmt.executeQuery()

21 www.AppSecInc.com Protecting Oracle Databases21 Valid Input If I set the username and password to: –Bob –Hardtoguesspassword The sql statement is: –SELECT * FROM WebUsers WHERE Username=’Bob’ AND Password=’Hardtoguess’

22 www.AppSecInc.com Protecting Oracle Databases22 Hacker Input Instead enter the password: –Aa’ OR ‘A’=‘A The sql statement now becomes: –SELECT * FROM WebUsers WHERE Username=’Bob’ AND Password=’Aa’ OR ‘A’=‘A’ The attacker is into the database now

23 www.AppSecInc.com Protecting Oracle Databases23 Selecting from other Tables To select data other than the rows from the table being selected from. UNION the SQL Statement with the DBA_USERS view.

24 www.AppSecInc.com Protecting Oracle Databases24 Sample ASP Page Dim sql Sql = “SELECT * FROM PRODUCT WHERE ProductName=’” & product_name & “’” Set rs = Conn.OpenRecordset(sql) ‘ return the rows to the browser

25 www.AppSecInc.com Protecting Oracle Databases25 Valid Input Set the product_name to : –DVD Player The SQL Statement is now: –SELECT * FROM PRODUCT WHERE ProductName=’DVD Player’

26 www.AppSecInc.com Protecting Oracle Databases26 Hacker Input Set the product_name to : –test’ UNION select username, password from dba_users where ‘a’ = ‘a The SQL Statement is now: –SELECT * FROM PRODUCT WHERE ProductName=’test’ UNION select username, password from dba_users where ‘a’=‘a’

27 www.AppSecInc.com Protecting Oracle Databases27 Preventing SQL Injection Validate user input –Parse field to escape single quotes to double quotes Use the object parameters to set parameters –Bind variables

28 www.AppSecInc.com Protecting Oracle Databases28 SQL Injection demo ASP page, IIS web server Oracle database

29 www.AppSecInc.com Protecting Oracle Databases29 Database Security Issues sqlnet.log Popular Oracle Security Issues PL/SQL Vulnerabilities –Examples Host Operating System –Known Issues Installing Oracle –Lockdown Protection Procedures

30 www.AppSecInc.com Protecting Oracle Databases30 Sqlnet.log File is created in a directory when a connection attempt fails from a machine Gives too much information – username, IP address, date, etc… Have seen many times on public web sites

31 www.AppSecInc.com Protecting Oracle Databases31 Popular Oracle Security Issues Biggest issue – default passwords! –SYS, SYSTEM, DBSNMP, OUTLN,MDSYS, SCOTT Password management features not enabled –No password lockout by default –No password expiration by default Public permissions on ALL_USERS view

32 www.AppSecInc.com Protecting Oracle Databases32 PL/SQL Vulnerabilities Problem with dynamic SQL –EXECUTE IMMEDIATE –DBMS_SQL Danger allowing the user to pass parameters that are used in the parsed SQL statement

33 www.AppSecInc.com Protecting Oracle Databases33 Dynamic SQL Example CREATE PROCEDURE BAD_CODING_EXAMPLE ( NEW_PASSWORD VARCHAR2 ) AS TEST VARCHAR2; BEGIN -- DO SOME WORK HERE EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' || COLUMN_NAME || ' = ''' || NEW_PASSWORD || '''‘ WHERE USERNAME= = ''' || CURRENT_USER_NAME || '''; END BAD_CODING_EXAMPLE;

34 www.AppSecInc.com Protecting Oracle Databases34 Input –EXEC BAD_CODING_EXAMPLE( ‘testabc’ ); SQL Created –UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc’ WHERE USERNAME = ‘aaron’ Valid input

35 www.AppSecInc.com Protecting Oracle Databases35 Input –EXEC BAD_CODING_EXAMPLE( ‘testabc’’, ADMIN=1, FULL_NAME=‘’TEST’ ); SQL Created –UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc‘, ADMIN=1, FULL_NAME=‘TEST’ WHERE USERNAME = ‘aaron’ Hacker input

36 www.AppSecInc.com Protecting Oracle Databases36 Getting to the operating system Oracle on NT typically runs as LocalSystem –Act as part of the OS privilege Oracle on Unix runs as the oracle user –Privilege to all oracle files Procedures such as: –UTL_FILE, UTL_HTTP, Load Libraries

37 www.AppSecInc.com Protecting Oracle Databases37 On the operating system Oracle has many setUID files Oratclsh was setUID root –TCL debugger –Allowed you to run a script as root –Change setuid immediately, even if you are not using

38 www.AppSecInc.com Protecting Oracle Databases38 Other SetUID files Were many until Oracle8i release 2 –Cmctl, tnslsnr, etc… Very important one – oracle –Main database engine Relies on ORACLE_HOME directory –To load the pwdSID.ora file –Allows you to load a rogue database

39 www.AppSecInc.com Protecting Oracle Databases39 Installing Oracle Oracle trusts the /tmp directory If a file is created before the Oracle file is written, it is overwritten but retains the permissions Allows backdoors to be injected into installation

40 www.AppSecInc.com Protecting Oracle Databases40 Lockdown the operating system Lock all users out of the OS during installation Set the TMP_DIR directory to a secured directory Lockdown ORACLE_HOME permissions Remove setUID from all files Rename the UNIX oracle account

41 www.AppSecInc.com Protecting Oracle Databases41 How to Combat Hackers Stop the hackers at your network perimeters Stay patched –oracle-ftp.oracle.com/server/patchsets Security alerts: –www.oraclesecurity.net/resources/mailinglist.html Security Discussion Board –www.oraclesecurity.net/cgi-bin/ubb/ultimatebb.cgi

42 www.AppSecInc.com Protecting Oracle Databases42 AppDetective for Oracle Security tool –Scans your network and locates all database –Inventories the versions and releases of components –Probes databases for these problems –Facilitates fixing these problems Download free 30 day evaluation from http://www.appsecinc.com

43 www.AppSecInc.com Protecting Oracle Databases43 DbEncrypt for Oracle Provides transparent encryption of data in columns Provides over a dozen algorithms to select from –AES, DES, Triple DES, etc… Optimized to not effect performance Reduces time required to implement encryption from months to minutes Download free 30 day evaluation from http://www.appsecinc.com

44 www.AppSecInc.com Protecting Oracle Databases44 Questions? About –Oracle security features –Vulnerabilities –Protecting your database If you have questions later, email me at: anewman@appsecinc.com www.appsecinc.com

Download ppt "Protecting Oracle Databases1 Aaron Newman Application Security, Inc."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Information System Security. Outline  Oracle Vulnerabilities  Oracle Security Assessment 2 Information System Security - Week 10.

Information System Security. Outline  Oracle Vulnerabilities  Oracle Security Assessment 2 Information System Security - Week 10.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
5 Copyright © 2008, Oracle. All rights reserved. Configuring the Oracle Network Environment.

5 Copyright © 2008, Oracle. All rights reserved. Configuring the Oracle Network Environment.
5 Copyright © 2007, Oracle. All rights reserved. Configuring the Oracle Network Environment.

5 Copyright © 2007, Oracle. All rights reserved. Configuring the Oracle Network Environment.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
12 Copyright © 2004, Oracle. All rights reserved. Oracle Net Services.

12 Copyright © 2004, Oracle. All rights reserved. Oracle Net Services.
11 Copyright © 2005, Oracle. All rights reserved. Configuring the Oracle Network Environment.

11 Copyright © 2005, Oracle. All rights reserved. Configuring the Oracle Network Environment.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
11 Copyright © 2005, Oracle. All rights reserved. Configuring the Oracle Network Environment.

11 Copyright © 2005, Oracle. All rights reserved. Configuring the Oracle Network Environment.

Similar presentations

Ads by Google